Construction firms are being targeted by cyber criminals with fake invoices and bank details as part of a sophisticated fraud netting more than £100m a year in the UK.
Mandate Fraud, also known as Payment Diversion Fraud (PDF) and Business Email Compromise (BEC), tends to affect businesses and customers where electronic financial transactions are common place, such as the construction industry.
Criminals will contact businesses or customers via email, usually claiming to be from a company that the business or customer has been dealing with. They will request a payment to be made via fake but very plausible invoices, or payment details to be changed.
It is estimated that mandate fraud costs the UK more than £100m annually, with the average loss per business around £27,700. In 2019 alone, 3,577 reports were reported to the police. One historical mandate fraud cost a single construction company £1.1m.
The scams are becoming ever more sophisticated with the criminals often creating fake e-mail addresses which are very similar or identical to genuine business, down to the e- signatures and disclaimers. These directs payments from businesses and customers go straight into the criminal’s bank account where it is quickly moved on. The scammers do their homework and will often go to extraordinary lengths to mimic their victim’s online presence and email branding.
The NEBRC – North East Business Resilience Centre – which advises businesses on how to prevent such fraud are currently advising across the construction sector including prevention, recovery from an attack and putting in robust IT protection.
Supt Rebecca Chapman (pictured) , head of the not-for-profit NEBRC, said: “Mandate fraud aimed at construction businesses is becoming more commonplace as the nature of the sector with complex supply chains, multiple third-party contractors and a fast-moving work environment often meaning there’s little time to double check authentic looking requests that come in on email.
“But the construction industry needs to be aware of this threat and ensure they have robust systems and checks in place. The NEBRC can advise businesses who don’t know where to start with audits to check current security measures, IT enhancements and, most importantly, staff training. It only takes a split second for a member of staff to unwittingly allow a mandate fraud to take place, and the criminals will take no time at all to move any monies on from genuine customers and bank accounts.”
