A beneficiary change request is a request to change the details of the account or accounts to which a beneficiary’s payments are usually made. A fraudster will look to exploit weaknesses in a genuine change request process, changing the beneficiary’s account details to those of an account or accounts that the fraudster controls.
Fraudsters thrive on exploiting human psychology. What appears to be a genuine request to change secure information is in fact an illegitimate request to redirect payments away from existing, agreed instructions. An attacker typically does this by sending you a notification of altered banking details on a genuine or forged company letterhead, or by posing as a current or new account manager and then requesting the change by email or telephone.
Now adapt to defend…
Fraudsters’ techniques keep evolving, but that only makes it all the more important that you review your internal processes frequently. Doing so gives you the opportunity to ensure that solid procedures and gatekeepers are in place to manage change requests to beneficiaries’ payment details – procedures fraudsters will find difficult to get past.
Best practices to stop fraudulent beneficiary changes…
- Always create your own customer, supplier and payee profiles
- Substantiate every change request independently of the person it came from
- Independently confirm and verify requests with established and approved contacts
- Confirm all agreements in writing with an established contact, not with the requester
- Upskill staff to make them aware of fraud risks and what to do if they suspect fraud
- Train staff to spot unexpected invoices or unusual payment requests early
- Send a small value test transaction to any new account and confirm receipt with the legitimate beneficiary
- Use fraud-detection software to help identify and stop risks
- Regularly review internal controls and processes so they stay up to date and secure
- Implement a strong process for amending or adding beneficiaries
Red flags for fraudulent beneficiary change requests…
- Be cautious of even the slightest variation to email addresses and/or domain names
- Be cautious of requests to contact the supplier only via the number or contact provided in the received correspondence
- Be cautious of requests for urgent payment changes, especially with excuses for not being able to comply with your usual procedures
- Be cautious of public information on social media and websites that might help fraudsters execute fraudulent beneficiary change requests
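The best-practice and red-flag lists above can be turned into a small triage step that finance staff or a mailbox rule run over every inbound change request. The following Python example is added here and is not part of the original article; the supplier profile, the inbound request, the phone numbers and the field names are all constructed sample data and assumptions. It flags look-alike sender domains (digit and letter swaps, added subdomains), callback numbers that differ from the number taken at onboarding, and urgency or "use this number" language, and it encodes the approval gates as a single check: verification on the on-file number, written confirmation from an established contact other than the requester, and a confirmed small test payment.

```python
"""Triage of inbound beneficiary-change requests (added example, not part of
the original article). All profile and request data below is constructed."""
from dataclasses import dataclass
from typing import List, Optional
import re
import unicodedata


@dataclass
class SupplierProfile:
    """Profile created by your own team at onboarding (assumed fields)."""
    name: str
    email_domain: str
    verification_phone: str   # recorded at onboarding, never taken from a later request
    account_number: str


@dataclass
class ChangeRequest:
    """What arrived in the inbox, already parsed (assumed fields)."""
    sender_email: str
    new_account_number: str
    callback_phone: Optional[str]   # number the requester asks you to use
    body: str


# Single characters commonly swapped for look-alikes, mapped to one canonical form.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s"})


def normalise_domain(domain: str) -> str:
    """Collapse look-alike spellings so near-identical domains compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))   # drop accents
    return d.replace("rn", "m").replace("vv", "w").translate(_CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_email: str, on_file_domain: str) -> str:
    """'match', 'lookalike' (suspicious variation of the on-file domain) or 'unrelated'."""
    domain = sender_email.rsplit("@", 1)[-1].lower()
    on_file = on_file_domain.lower()
    if domain == on_file:
        return "match"
    a, b = normalise_domain(domain), normalise_domain(on_file)
    label = b.split(".")[0]   # registered part, e.g. 'acme-supplies'
    if a == b or levenshtein(a, b) <= 2 or label in a:
        return "lookalike"
    return "unrelated"


def _digits(phone: str) -> str:
    # Store and compare numbers in one format (e.g. E.164) so formatting alone never masks a match.
    return re.sub(r"\D", "", phone)


_URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|today|asap)\b", re.I)
_BYPASS = re.compile(r"\b(only (?:call|contact|reach)|do not call|don't call|cannot be reached|use this number)\b", re.I)


def triage(req: ChangeRequest, profile: SupplierProfile) -> List[str]:
    """Return the red flags raised by a request. An empty list does NOT mean the
    request is genuine: every change is still verified via the profile's own contact."""
    flags = []
    kind = classify_sender_domain(req.sender_email, profile.email_domain)
    if kind == "lookalike":
        flags.append(f"sender domain is a look-alike of on-file domain {profile.email_domain}")
    elif kind == "unrelated":
        flags.append(f"sender domain is unrelated to on-file domain {profile.email_domain}")
    if req.callback_phone and _digits(req.callback_phone) != _digits(profile.verification_phone):
        flags.append("callback number differs from the number on file")
    if _URGENCY.search(req.body):
        flags.append("urgency pressure")
    if _BYPASS.search(req.body):
        flags.append("asks you to bypass your usual contact route")
    return flags


def change_may_proceed(req: ChangeRequest, profile: SupplierProfile, number_called: str,
                       written_confirmation_from: str, test_payment_confirmed_by: str) -> bool:
    """Approval gates: verification on the on-file number, written confirmation from an
    established contact who is not the requester, and a confirmed small test payment."""
    def established(addr: str) -> bool:
        return addr.lower().endswith("@" + profile.email_domain.lower())
    return (_digits(number_called) == _digits(profile.verification_phone)
            and established(written_confirmation_from)
            and written_confirmation_from.lower() != req.sender_email.lower()
            and established(test_payment_confirmed_by))


# Constructed sample data: a fictional supplier and a request from a look-alike domain.
ACME = SupplierProfile("Acme Supplies Ltd", "acme-supplies.com", "+44 20 7946 0000", "12345678")
SAMPLE = ChangeRequest(
    sender_email="accounts@acme-suppIies.com",   # capital I in place of l
    new_account_number="87654321",
    callback_phone="+44 7700 900123",
    body="Please update our bank details urgently. Our office line is down, so use this number to confirm.",
)

if __name__ == "__main__":
    for flag in triage(SAMPLE, ACME):
        print("RED FLAG:", flag)
```

The decision logic is deliberately one-sided: red flags only ever add work, and the absence of flags never removes the callback to the number on file, which is the control that actually defeats a well-crafted request.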
Fraudsters will request beneficiary changes over the phone too, pretending to work for known partners or suppliers. These attacks are precise, planned and well-executed. Keep in mind, too, that fraudsters are patient and persistent, often making several attempts before an attack succeeds. Always be prepared to ask questions, and follow procedure and best practice whenever you doubt the legitimacy of a request.