With GDPR now taking effect, there may be a tendency to focus on every aspect of collecting and using personal data and to concentrate your resources on ensuring full GDPR compliance, but it is important not to let your guard slip in other areas.
One persistent way fraudsters try to extract money from a business or organisation is an email that appears to come from the owner, managing director or another senior person in the business, asking for an urgent payment to be made. Usually the payment is to a new supplier whose bank details are given in the email, but sometimes it is to a new bank account for an existing supplier.
Such emails sometimes open simply by asking whether the recipient is around and able to help, with the actual amounts and payment details following in later emails. They often state that the matter is confidential and is not to be discussed with anyone else, because the fraudsters know that if the recipient does discuss it, the fact that the email is not genuine is likely to be picked up.
A variant is an email that appears to come from a supplier, advising that their bank details have changed and asking you to update your records. In this case the fraudsters often do not ask for money immediately; they simply wait until you next pay the supplier, at which point the money goes to them instead.
While email is the most common way of perpetrating these frauds, the second one sometimes arrives as a forged letter rather than an email.
Of course, the new bank details supplied in either case are the fraudsters' own, not your supplier's.
With either method the end result is that money is stolen from you and is very difficult to recover, because you authorised the transfer yourself rather than it being a straightforward theft.
We mentioned these threats in a previous blog post and our advice at the time is still relevant now, and is available here.
Of course, as GDPR comes into play, there is also the risk that complying with such emails will expose sensitive or personal information, which could then lead to fines and other sanctions on top of the loss of the money.
We therefore thought it was a good time for a reminder, and a suggestion: if you are reviewing or updating your other procedures in light of GDPR, why not update your payment procedures too? In particular, any request to change a supplier's bank details, or to make an urgent payment to a new payee, should be confirmed by telephone using a number you already hold on file, never one given in the email or letter itself.
As always, the internet is constantly changing and any advice we give can only be a guide. We recommend you seek advice from your own IT department or adviser for specific actions you should take. For any general queries however, please contact email@example.com