Are your payments secure?

Our Field Service Manager, Julie, went to see one of our long-standing members the other day, an engineering firm on the coast.

They suffered a huge cyber fraud in the spring of this year, when over £200,000 was stolen from them.

The Hack

The cyber fraud was traced back to an attachment sent to one of the directors, who opened it. This then sat on their server and sent a trojan email to another computer in their office. They spent over 35K on an accounting and operation system. However, within the system, once you have completed your accounts process and send the Bacs payment file to the bank for completion, there is NO encryption!

The hackers had been monitoring keystrokes and had altered the email addresses held within the member's system for the suppliers they were due to pay, so the suppliers didn’t get their emails saying payment was being made. They had also changed the bank account payment details and had the payments diverted to their own accounts, which were swiftly emptied.

The police said they had found that some of the bank accounts were traced back to students who had been offered a few hundred quid to open the accounts in their names, and then give the hackers the details and bank cards so they could withdraw cash deposited in the accounts. Indeed, one withdrawal was from a cashpoint in Luton airport for £1000 and was caught on CCTV. According to our member, the police are now giving talks on university campuses explaining to students why not to get involved in such scams and the dangers of opening accounts for others.

The fact is that banks do NOT check the names on electronic transfers to see whether the payee names given on the payments match the names on the account numbers given! They only check that the sort code and account number are valid for the transfer to happen. The member's system providers do not accept any liability and have so far failed to add any encryption to the BACS transfer of their accounts package.

What to do?

Our member cannot afford to change their operating package, but has had their own IT providers change their servers and implement ‘safe’ files, one for any emails received and another for attachments. They have also added security so that a 4-digit security code has to be entered before any bank payment details can be changed, and when payments are made via Opera they now have to upload the bank transfer details manually.

The stress, the expense of replacement servers and computers and, of course, the loss of cash have had a huge impact on their business over the last few months.

Do you make electronic payments by BACS? Have you set up safeguards to ensure that your details are not compromised and that you do not make payments to the wrong people? The above was a very technical fraud, but others have been defrauded because they have simply been sent an email claiming to be from a supplier giving new bank details, and the details have been changed without verifying the exchange. Put in protocols to check and verify the source.
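
An added example, not part of the original post and not the member's or their software provider's code: a check run before a payment batch goes to the bank, comparing each row with a supplier register held outside the accounts system, since the bank will not match payee names to account numbers. The CSV layout, supplier names and account details are constructed for illustration and are not the real Bacs file format.

```python
import csv
import io

# Constructed sample data; names, sort codes and account numbers are made up.
# APPROVED stands for a supplier register kept outside the accounts package
# and updated only after the change has been verified with the supplier.
APPROVED = {
    "Coastal Steel Ltd": ("00-00-01", "12345678"),
    "Harbour Fixings": ("00-00-02", "87654321"),
}

# Constructed payment batch in a simple CSV layout (an assumption, not Bacs).
BATCH = """payee,sort_code,account,amount
Coastal Steel Ltd,00-00-01,12345678,1200.00
Harbour Fixings,00-00-09,11112222,8450.50
New Vendor Co,00-00-03,33334444,300.00
"""


def _digits(value):
    """Keep digits only, so '00-00-01' and '000001' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())


def normalise(sort_code, account):
    return _digits(sort_code), _digits(account)


def check_batch(batch_text, approved):
    """Return (payee, reason) for every row that must be held for review."""
    register = {name.strip().lower(): normalise(*details)
                for name, details in approved.items()}
    held = []
    for row in csv.DictReader(io.StringIO(batch_text)):
        payee = row["payee"].strip()
        expected = register.get(payee.lower())
        actual = normalise(row["sort_code"], row["account"])
        if expected is None:
            held.append((payee, "payee not in approved register"))
        elif actual != expected:
            held.append((payee, "bank details differ from approved register"))
    return held


if __name__ == "__main__":
    for payee, reason in check_batch(BATCH, APPROVED):
        print(f"HOLD {payee}: {reason}")
```

The check only helps if the register is stored and maintained separately from the machine that builds the payment file; a register an intruder can edit alongside the payment details would pass the altered rows.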

And if your customers make electronic payments, encourage them to do the same. You don’t want criminals misdirecting the payments meant for you!

At least our member doesn’t have to worry so much about their credit risk. They are happy using CPA to minimise their credit risk, check their customers and prompt punctual payment.

James Salmon 18/8/17
