March 26th, 2015  

I attended Crowe Clark Whitehall’s (www.crowehorwath.net) Cheltenham COFA breakfast yesterday hosted by Mark Hunt, Head of Professional Practices – Cheltenham with guest speaker Julie McArdle from the RBS Customer Security Team. There were several COFA’s from local law firms in attendance and I think all of us left the breakfast meeting with one shared thought:

“We must share this with our accounts team now – this is really serious!”

What is vishing?

Vishing is when fraudsters obtain personal details of a victim by phone. Often fraudsters will have researched the firm: through its website, its employees (particularly those in the accounts department) social media and by contacting the firm directly. Fraudsters can go on to use this personal information to commit fraud by gaining access to the firm’s on-line banking facility, creating and authorising fraudulent payments.

Who is at risk?

Julie shared with the group a real-life vishing con and whilst she did not identify the business, it was a household name with a well-informed, experienced accounts team. Every business is at risk of this fraud although as most criminals prefer as easy a life as possible and as it is fairly common knowledge that law firms can hold large sums of money on an instant access basis, it is easy to understand why they are disproportionately targeted.

Fraudsters are extremely sophisticated and are absolutely convincing. Many, many switched on, intelligent and commercially savvy business people have fallen victim.

What makes a business attractive to fraudsters?

If we look at a typical law firm as an example, there are often lots of points of contact that are used to speaking with banks. Law firm bank accounts will display unpredictable payment patterns – as throughput is driven by servicing clients’ needs as well as the firm’s. Law firms, unlike most other commercial entities, have a fast moving accounts function. Accounting for most businesses is generally an historic function driven by the decisions made throughout the company with few deadlines imposed. The accounts function in a law firm by contrast actively supports the service provided to the client, it is real-time and absolutely requires access to the monies held at all times. Fraudsters will use this to create a high pressure situation – often by advising the firm that the bank accounts have been frozen.

How does the vishing fraud start?

The fraud may start with a phishing email, which when opened will deploy malware to enable the fraudster to effectively spy on the activities being carried out on that particular computer. These emails are increasingly more sophisticated and hard to spot as they are often based on a genuine email.

When the phone call comes, the fraudster will already know enough information about the business to sound authentic. They will not ask for the firm’s bank account details – there’s no need because they’ve already obtained that information. They will create a high pressure situation often using money laundering as their justification to assert that that the bank accounts will be frozen. They will gain your confidence and may use tricks like maintaining an open telephone line so that when you call to “verify” them, you’re still speaking to the fraudsters. Once they have your attention, they will ask you for “security purposes” to verify your user login, password and/or PIN.

The amounts that the fraudster will take will generally be amounts that they assess as being typical transactions values for the business. Whilst banks do actively track for unusual payments and use profiling of each customer’s account to monitor this, the fraudsters know this and so will take monies in amounts that they hope would not attract immediate attention.

What steps can you take?

Julie shared some tips and pointers that will help everyone avoid falling victim to this type of fraud:

1. Don’t trust that someone is who they say there are;
2. Call a trusted number to verify the call – don’t call the number you’ve been provided with;
3. Use a different line to make that verification call;
4. If that’s not possible, call a trusted friend or relative first (someone whose voice you’d recognise) to ensure the line hasn’t been held open;
5. Remember banks will never ask for your complete PIN, password or challenge codes. Each bank has their own policy on what security information they will ask for so check with your bank to understand what they would never ask for;
6. Don’t be polite – end the call if you have any doubts at all;
7. Make sure your accounts team particularly are kept up to date and so able to combat fraud – particularly ensure that they are aware of information provided by the bank.

What remedies are available if you do fall victim?

As a personal customer, banks generally will make good any monies stolen due to fraud. As a business customer, you should be aware that the banks will not automatically refund monies. If you have breached their T&C’s (such as shared user logins and passwords), failed to take account of alerts that your bank may have sent you or simply failed to take reasonable steps to protect the business, then you are unlikely to see the monies refunded by the bank. Your bank will always do whatever they can to recover the monies but with funds generally being dispersed and often out of the country within 30 minutes of the fraudulent activity itself, recovery is unlikely to be 100%.

Check the terms of your business insurance particularly to understand what would be considered negligent (and so uninsured) behaviour.

Help needed?

If you’d like assistance to review your policies and procedures around your banking facility or any other of your accounting functions, please get in touch. I’ll be happy to help.