A comprehensive approach to deterring and preventing Invoice Redirection Fraud (White Paper)

December 4, 2020

§1     Invoice Redirection Fraud (Mandate Fraud)

§1.1. The Nature of Invoice Redirection Fraud (Mandate Fraud)

Invoice Redirection fraud (or Mandate Fraud) occurs when your company receives a request to change a direct debit, standing order or bank transfer mandate, from someone purporting to be from another organisation to which regular payments are made, for example a business supplier. It generally takes place when a criminal impersonates your company and deceives the customer into making payment of the company’s genuine invoices to a fraudulent third party account instead.

§1.2. The Types of Invoice Redirection Fraud (Mandate Fraud)

Type 1:

The most common form of invoice redirection fraud involves the criminal sending a letter or email (sometimes with a letter attached) to staff within a finance office impersonating a genuine company that they do business with. The letter will state that your company has recently changed bank account details and all subsequent invoices should be paid to the following new account details.

Type 2:

The fraud perpetrator creates a fake email chain which appears to be from senior managers within your company, in order to convince the staff member within a finance team that the invoice is legitimate and needs immediate processing. In most instances, the names used in the email correspondence are those of actual employees of your company, suggesting that the fraud perpetrator has had insider assistance or has researched/used social engineering to gather information about your company. The fraud perpetrator may also have intercepted email or postal correspondence from your company.

Type 3:

The fraud perpetrator calls up staff from a finance team within a large organisation, pretends to be a senior manager from head office/overseas office and enquires why an invoice has not been paid. The fraud perpetrator uses an aggressive tone and essentially bullies the staff into paying the invoice. In advance of the fraud, the fraud perpetrator would usually have sent an email/letter requesting payment to a new bank account. By putting the staff member under sustained pressure during the phone call, they ensure that checks and processes are not followed as rigorously by the staff member.

Type 4:

Over a number of weeks the fraud perpetrator begins a process of social engineering staff within the finance team. Through a series of phone calls and emails the fraud perpetrator convinces the staff member that they are an employee of a supplier to your company and their new point of contact there. Eventually your company receives a letter or email requesting they change bank account details for the next invoice. The staff member contacts the supplier using their pre-existing contact details, which are now the criminal’s details. The fraud perpetrator confirms that the change of account details is accurate and the next invoice is paid to an account under the fraud perpetrator’s control.

Type 5:

Fraud perpetrators also take advantage of staff going on annual leave during the summer months. Aware that invoices may be paid by staff who lack experience and awareness of the threats in this area, fraud perpetrators will increase the volume of invoice redirection attempts.

§2.    The role of The Serious Fraud Investigation Office

§2.1. Serious Fraud Investigation Office

The Serious Fraud Investigation Office is an international specialist bureau for independent forensic examination of fraud-related crime involving complex issues of criminal law or procedure. We examine serious and complex cases of corporate fraud, commercial fraud, insurance fraud, cheque and payment card fraud, counterfeit currency, money laundering, computer crime and breaches of the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, Official Journal No. L.119 of 4 May 2016, p. 1 et seq. (General Data Protection Regulation).

§2.2. Create a culture of honesty, openness, and assistance

Creating a culture of honesty, openness, and assistance includes three (3) factors: (1) hiring honest people and providing fraud awareness training; (2) creating a positive work environment, which means having a well-defined code of conduct, having an open-door policy, not operating on a crisis basis, and having a low-fraud atmosphere; and (3) providing an employee assistance program that helps employees deal with personal pressures.

§2.3. Eliminate opportunities for Invoice Redirection Fraud (Mandate Fraud)

The five (5) ways to eliminate Invoice Redirection Fraud (Mandate Fraud) opportunities are: (1) having good internal controls; (2) discouraging collusion between employees and customers or vendors and clearly informing vendors and other outside contacts of your company’s policies against fraud; (3) monitoring employees and providing a hotline (whistle-blowing system) for anonymous tips; (4) creating an expectation of punishment; and (5) conducting proactive auditing.

§2.4. Comprehensive approach to preventing and deterring Invoice Redirection Fraud (Mandate Fraud)

Most organizations do not have a comprehensive approach to preventing and deterring Invoice Redirection Fraud (Mandate Fraud). In fact, most companies don’t think about fraud until they experience one. When fraud occurs, they go into crisis mode, investigate and try to resolve the fraud, and then wait until another fraud occurs. A more comprehensive fraud-fighting approach would involve:

  • creating the right kind of modeling and tone at the top,
  • educating and training employees about fraud,
  • assessing risks and putting proper controls in place,
  • having reporting and monitoring systems in place,
  • proactively auditing for fraud and then, when fraud does occur,
  • investigating and following up on the fraud.

The first element of a good fraud-fighting system is having management, the board of directors, and others at the top of an organization set a positive “tone at the top.” This involves two (2) steps: (1) caring enough about having a positive organization that effective fraud teaching and training is conducted throughout your organization and a well-defined corporate code of conduct is promoted and (2) setting a proper example or modelling appropriate management behavior.

The second element of a good fraud-fighting system is educating employees and others about the seriousness of fraud and informing them what to do if fraud is suspected. Awareness training might help your organization to prevent fraud and ensure that frauds that do occur are detected at early stages, limiting financial exposure to the corporation and minimizing the negative impact on the work environment.

The third element of a good fraud-fighting system involves integrity risk assessment and having a good internal control system. Having a good system of controls means that there will be an explicit study of all frauds and why they occurred, together with implementation of control activities necessary to prevent future occurrences of the same types of frauds. Our analysis involves determinations by people in management, the board of directors, and others at the top, audit, security, human resources, control and finance of why and how the fraud occurred. Such analyses are focused on the individuals who were involved, the controls that were compromised or absent, the environment that facilitated the fraud, and related factors. The results are important in understanding the kinds of preventive measures that are needed within the environment in which the fraud occurred.

The fourth element of a good fraud-fighting system includes having a system of reporting and monitoring.

The fifth element of a good fraud-fighting system involves having proactive fraud detection methods in place. Proactive fraud detection methods are not only effective in detecting fraud, but knowledge of their use is a good fraud deterrent.

The sixth element of a good fraud-fighting system involves having effective investigation and follow-up when fraud occurs. Effective investigation means your organization must have formal fraud policies stating who will carry out all elements of an investigation. Your investigation procedures must include: (a) who will conduct the investigation, (b) how the matter will be communicated to management, (c) whether and when law enforcement officials will be contacted, (d) who will determine the scope of investigation, (e) who will determine the investigation methods, (f) who will follow up on tips of suspected fraud, (g) who will conduct interviews, review documents, and perform other investigation steps, (h) who will ultimately determine the corporate response to fraud, disciplines, control, etc. A strong prosecution policy must have the support of your board of directors and others at the top, who must be informed if someone commits fraud and is not prosecuted. The single greatest factor in deterring dishonest acts is the fear of punishment. In order to obtain cooperation from law enforcement officers and the justice system, it is almost always necessary to conduct a thorough and complete investigation (usually including obtaining a signed confession) before the overworked law enforcement agencies and criminal justice systems can accommodate the prosecution.

§2.5. Proactive Fraud Auditing

Very few organizations actively audit for Invoice Redirection Fraud (Mandate Fraud). Rather, their auditors are content to conduct financial, operational and compliance audits and to investigate Invoice Redirection Fraud (Mandate Fraud) only when symptoms are so egregious that fraud is suspected. Organizations that proactively audit for Invoice Redirection Fraud (Mandate Fraud) create awareness among employees that their actions are subject to review at any time. By increasing the fear of getting caught, proactive auditing reduces fraudulent behavior.

§3.    Our Strategic Analysis, Advisory Services and Operational Support

§3.1. Fraud Risk Assessment

Anti-Fraud provides an independent and objective assessment of the organization’s existing anti-fraud program and the gaps in the existing controls, and suggests measures to mitigate the gaps.

We assist our clients in setting up a monitoring framework, developing relevant checking procedures and identifying key risk indicators of Invoice Redirection Fraud (Mandate Fraud). We also develop training programs for employees, and help to create a continuously evolving control environment reflective of the risk landscape.


§3.2. Fraud Risk Management

To deter the occurrence of Invoice Redirection Fraud (Mandate Fraud), we provide clients with expertise to set up and implement a visible and transparent fraud risk management program that creates an anti-fraud environment.

We assist private and public organizations with turning critical and complex issues into opportunities for resilience and long-term advantage. This involves identifying the modus operandi: how the Invoice Redirection Fraud (Mandate Fraud) occurred, who was involved, what the extent of the losses was, and how it can be prevented from recurring.


§3.2.1.       Our Anti-Fraud Strategy

Our anti-fraud strategy has four (4) main components: a) Prevention, b) Detection, c) Response, and d) Deterrence. The various elements of an effective anti-fraud strategy are closely interlinked and each plays a significant role in combating fraud. The combination of effective fraud prevention, detection and response measures will create an effective fraud deterrent.

§3.2.2.       Fraud Prevention

The attitudes within your organization lay the foundation for a high or low fraud risk environment. Where minor unethical practices may be overlooked, larger frauds may also be treated in a similar lenient fashion. In such an environment there may be a risk of total collapse of your organization either through a single catastrophic fraud or through the combined weight of many smaller frauds.

A sound ethical culture and sound internal control systems are essential key components of a fraud prevention strategy.


§3.2.3.       Fraud Detection

There is a range of Invoice Redirection Fraud (Mandate Fraud) indicators – both warning signs and fraud alerts – which can provide early warning that something is not quite right and increase the likelihood that the fraudster will be discovered.


§3.2.4.       Fraud Response

Any organization should set out its approach to dealing with Invoice Redirection Fraud (Mandate Fraud) in its fraud policy and fraud response plan. Organizations should ensure that this includes provision for learning lessons from fraud incidents and appropriate, prompt follow-up action.


§3.3. Fraud Investigation

Fraud Investigation helps organizations manage the risks and vulnerabilities that come from global corruption, from high-profile and complex financial matters to employee, cash, cybercrime and Invoice Redirection Fraud (Mandate Fraud).

We assist our clients with investigation of alleged fraud or corruption perpetrated against corporate and government entities, including, but not limited to, vendor fraud, payables fraud and embezzlement. We also assist with factual, often privileged, investigation of alleged corporate wrongdoing, including, but not limited to, investigation of alleged financial statement misrepresentations and violations of anti-corruption regulations. Our investigation work includes forensic imaging of computers, data analysis, collection and analysis of data, interviews of individuals and review of documents.


§3.4. Anti-Corruption

We help our clients understand and respond to anti-bribery and corruption compliance in all its phases, even when the businesses span many jurisdictions and are governed by many regulators. We assist in determining loose controls posing risk of violation of FCPA and Bribery Act, showcasing company’s views on corruption and bribery to regulatory bodies and also provide training to employees regarding FCPA, Bribery Act and related provisions.


§3.5. Compliance Assistance

Corporate executives and boards of directors increasingly demand evidence of whether their corporate compliance infrastructures, processes and controls are effective, integrated, efficiently risk-aligned and embedded throughout a complex, global organization. Effective and cost-efficient management of legal, regulatory and reputational obligations is a critical element of corporate governance and enterprise risk management.

We assist clients in assessing, improving and monitoring their compliance programs. Our work includes compliance risk assessment, compliance program gap assessment and improvement recommendations, design implementation assistance for compliance process, deployment of governance, risk and compliance, technology, and data analytics and compliance monitoring.


§3.6. Integrity Due Diligence

Integrity Due Diligence (“IDD”) is the gathering of independent information to gain an understanding of the integrity and corruption risks associated with a third party. It provides companies with a means to both identify these risks and confirm (or otherwise) information provided to them by a third party.

We conduct integrity due diligence services for clients across multiple sectors to help mitigate risks from new commercial relationships and to inform their strategic decision-making.

Companies with an international presence (or plans to expand internationally) are placing an increased emphasis on the need to understand the integrity risks posed by the third parties with whom they contract in those countries (including their representatives, agents, distributors and critical members of their supply chain), in particular for compliance purposes in light of new extra-mural anti-corruption legislation introduced in many western jurisdictions.


§3.7. Forensic Business Intelligence

Forensic Business Intelligence assists in conducting research and collecting information about a target or an entity through searches on public domain information sources, on-site visits and interviews.

We provide Forensic Business Intelligence Services to eliminate opportunities for fraud. We advise clients when they need further information about a potential business partner, another party in a hostile takeover, a competitor or a commercial opportunity. Entering into any significant commercial transaction involves risk, but by providing relevant and reliable intelligence we help clients make better decisions.


§3.8. Litigation Support

Litigation support comprises all activities, usually within the law firm, that are designed to prepare a lawyer to try a case, including document review, interviewing witnesses, and case preparation. Litigation support activities include the organization of documents, including paper-based document management, but increasingly through technology such as litigation support software and systems. Documents are organized into searchable databases for review and production.

We provide litigation support to our clients, often working alongside their external legal teams, to design and implement investigation strategies and obtain admissible evidence. We also work directly with law firms to enhance their resources and enable them to provide more cost-effective solutions to their clients. As well as legal remedies, our consultants have a detailed understanding of extra-legal strategies that can achieve the best outcomes for clients, having worked closely with law firms, media consultants and business advisors in many past cases.


§4.    Taking action to reduce fraud risk

It’s vital for all businesses to be certain about: a) who their investors are, b) who they are employing, c) who they are doing business with. If you ignore those factors, then the chances of potentially becoming a victim of Invoice Redirection Fraud (Mandate Fraud) are higher and may result in monetary losses with little chance of recovery.

§4.1. Know your Investors

If you are in the beginning stages of building your business, you are surely excited about getting to the point where you can start raising money from (potential) investors. Maybe you are already at this point in your company, and you would like to know how to succeed at raising capital. Since this is the most critical part of business development, it helps to know how to succeed in communicating with (potential) investors. After all, just because you have secured a meeting with a (potential) investor, it does not mean that you are guaranteed to receive their financial investment into your business. Just like you, (potential) investors are looking for the right opportunities to be a part of. If you cannot provide them with an opportunity that seems promising, you will not be allocated their investment.

§4.2. Know your Employees

Nearly 20% of businesses have been defrauded by an employee at some point during their trading history, causing significant loss and in some cases destroying the business. It is those on the inside of your company who can often do the most damage, due to their access to your key assets and familiarity with your processes (and how they might be bypassed). Your employees represent your business’s values and give it an identity. Their ethics and behaviours are a big part of your company’s reputation, so you need them to be honest and professional to protect your company’s name as well as your revenue. Unfortunately, some employees are able to abuse trust and take advantage of their employers, seeing an exploitation opportunity as well as an employment opportunity. To stop your company being attacked from the inside, you need to make sure you really know your employees and the threats they can bring.

§4.3. Know your Customers

Customers are important to the running of your business. They are your source of revenue. Meanwhile they can also pose a significant fraud risk. Most of your customers will come to your company in good faith to make a genuine purchase of products or services. Unfortunately there are other customers that will attempt to leave your business out of pocket.

§4.4. Know your Suppliers

Suppliers are essential to providing companies with what they need to conduct business; however, they also pose their own set of fraud risks, arising internally from staff or externally. Staff could pose as legitimate or false suppliers. They could even divert funds intended for a supplier for their own use.

This publication contains general information. The Serious Fraud Investigation Office (Van Leeuwen Law Firm | Praetor Forensic Auditing) is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. The Serious Fraud Investigation Office (Van Leeuwen Law Firm | Praetor Forensic Auditing) shall not be responsible for any loss sustained by any person who relies on this publication.
Copyright © 2020 The Serious Fraud Investigation Office (Van Leeuwen Law Firm | Praetor Forensic Auditing), All rights reserved.