Mandate fraud is also known as payment diversion fraud, a change of bank account scam, supplier account takeover fraud or ‘whaling’.

Mandate fraud occurs when a fraudster contacts an organisation – your client/customer – with a request to change payment details such as a direct debit, standing order or bank transfer mandate, by purporting to be from a genuine supplier. If the organisation accepts the fraudulent request, the payments are then diverted into the criminal’s bank account. The genuine supplier details are usually obtained from a range of sources including corrupt staff, email interception, publicly announced contracts, and online logs of supplier contracts.

This guidance focuses on email interception between the organisation and its suppliers.

Cybercriminals gain access to the email accounts of the organisation’s personnel working in financial approval roles, or to suppliers to that organisation. This may be done through a phishing email to target a particular member of staff, by spoofing a genuine existing supplier’s email account, by installing malware on the supplier’s devices, or through the use of stolen email passwords.

The fraudster will observe the pattern of work of the organisation, and review emails being sent between the organisation and the supplier. Once an interesting or valuable transaction is identified, the cybercriminals will tamper with the mail account settings, so that the legitimate mail owner is unaware that their emails are being redirected to an obscure location or are deleted.

Cyber criminals usually target staff within an organisation’s finance and procurement departments. They may use ‘socially engineered’ information they have obtained to appear genuine, such as appearing to be the person they are purporting to be and understanding internal systems, in order to gain the trust of the staff member and persuade them to act in such a way as to make the fraud more likely to succeed.

By sending tampered invoices or misleading communications from the compromised email account the cybercriminal will request that the bank details or phone number of a genuine supplier is changed. The email will request that future payments for products or services are made to a new bank account. The new account will be under the control of the cybercriminal and any funds paid into it will be lost as it will be immediately transferred to third parties via money transfer companies or cashed out and sent abroad.

What can Suppliers do to help prevent these types of fraud?
  • Keep your systems secure to prevent phishing and hacking of your email accounts, which could lead to fraudsters requesting organisations to change their suppliers’ bank account details.
  • The National Cyber Security Centre provides advice on how to stay safe on line and prevent you or your customers/ clients being victims of fraud. https://www.ncsc.gov.uk/cyberaware/home

For further discussion and support, including fraud awareness training services, please Contact Us.