Payment diversion fraud might hide behind aliases such as mandate fraud, invoice fraud or business email compromise, but regardless of what you call it, it’s a big threat to business. According to Andy Fyfe, detective chief inspector at the Economic Crime Department of the City of London Police, “This is the most harmful problem that businesses report to us.”
BMW fell victim to a payment diversion fraud that took place over the course of three years when an accountant systematically altered supplier invoices to divert funds into his own bank account.
The fraudulent payments started with an invoice for £30,000, followed by another 58 separate transactions that ranged from £7,000 to £278,000, resulting in losses totaling £6 million. The fraudster meanwhile led an extravagant lifestyle that included buying three new cars, spending £20,000 on jewelry and even purchasing a diving school in Mauritius.
The fraud was uncovered during a routine audit. A random supplier check showed that the supplier had not provided services to BMW for four years. This discovery led to a detailed investigation into the circumstances surrounding the payments, resulting in the ultimate arrest of the fraudster who admitted to taking the money to repay a previous debt he incurred committing fraud in the Netherlands. Less than half the funds were recovered with significant outstanding proceeds believed to be held overseas.
This was no doubt an unfortunate situation for BMW to have to bear. If there’s some sort of silver lining that can be taken from it, however, it’s that there are a number of lessons that can be gleaned from the case that will help other organizations prevent similar fraud events from happening to them in the future.
Defending against payment diversion fraud
This case highlights a number of critical technology, process and people issues that, if corrected, could have prevented the situation from occurring:
- The use of intelligent transaction monitoring could have detected this fraud at the first attempt. Validating payment files before submission to Bacs highlights any first-time payments to a new bank account for investigation.
- Automated workflow rules would have screened payments against blacklists that would have flagged the fact that the beneficiary details for the supplier were the same as an existing employee (Inactive suppliers could also be added to the same blacklist).
- The fake invoices were processed without adequate reconciliation. Reconciling invoices against purchase orders, delivery notes or some other form of documentation so as to verify whether or not the invoice is in respect to a genuine business transaction would highlight an exception case for further investigation.
- Verification of important changes to registered supplier bank account details should have been made with established contacts at the supplier.
- Good supplier management processes should have been followed to routinely check that suppliers are still actively involved in providing goods and services.
- Regular cost centre reviews would have highlighted unusual or higher than expected costs in the Profit and Loss account, prompting further investigation.
- Monitoring and reporting on employees’ lifestyles would have flagged inconsistencies with the fraudster’s salary. This was a major red flag that should have raised immediate concerns.
- An appropriately stringent recruitment process would have prevented an employee with a previous fraud conviction from taking a job handling large sums of money. In the future, recruitment should extend beyond checking references and involve due diligence into an employee’s background.
Payment diversion fraud is defined as any fraud that involves falsely creating or diverting payments.
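The first four controls above (first-time payments to a new bank account, screening beneficiaries against employee and inactive-supplier blacklists, and reconciling each invoice against a purchase order) can all be applied to a payment file before it is submitted. The following Python example, added here and not taken from the article or from any vendor's product, screens a small constructed batch of payments against equally constructed reference data; every supplier id, sort code, account number and invoice reference in it is a made-up sample value.

```python
from dataclasses import dataclass

@dataclass
class Payment:
    """One line of an outbound payment file (fields are a simplified assumption)."""
    ref: str
    supplier_id: str
    sort_code: str
    account: str
    amount: float
    invoice: str

# --- Constructed reference data (sample values, not real suppliers or staff) ---
# Bank accounts previously paid for each supplier: anything else is a first-time account.
KNOWN_SUPPLIER_ACCOUNTS = {
    "SUP-100": {("20-00-00", "11111111")},
    "SUP-200": {("40-00-00", "22222222")},
}
# Suppliers that have not delivered goods or services recently (the "inactive" blacklist).
INACTIVE_SUPPLIERS = {"SUP-200"}
# Bank accounts held by employees on the payroll (the employee blacklist).
EMPLOYEE_ACCOUNTS = {("60-00-00", "33333333")}
# Invoices that reconcile to an approved purchase order.
INVOICE_TO_PO = {"INV-1": "PO-9001"}

def screen_payment(p, known=KNOWN_SUPPLIER_ACCOUNTS, inactive=INACTIVE_SUPPLIERS,
                   employees=EMPLOYEE_ACCOUNTS, invoice_to_po=INVOICE_TO_PO):
    """Return the list of exception flags raised for one payment (empty = clear to pay)."""
    beneficiary = (p.sort_code, p.account)
    flags = []
    # Control 1: first payment to a bank account never used for this supplier.
    if beneficiary not in known.get(p.supplier_id, set()):
        flags.append("NEW_BENEFICIARY_ACCOUNT")
    # Control 2a: beneficiary details match an existing employee's bank account.
    if beneficiary in employees:
        flags.append("BENEFICIARY_MATCHES_EMPLOYEE")
    # Control 2b: supplier is on the inactive list.
    if p.supplier_id in inactive:
        flags.append("INACTIVE_SUPPLIER")
    # Control 3: invoice does not reconcile to a purchase order.
    if p.invoice not in invoice_to_po:
        flags.append("NO_MATCHING_PURCHASE_ORDER")
    return flags

def screen_file(payments):
    """Screen a whole payment file; returns {payment ref: flags} for held payments only."""
    held = {}
    for p in payments:
        flags = screen_payment(p)
        if flags:
            held[p.ref] = flags
    return held

# Constructed sample batch: one clean payment and two that should be held for review.
SAMPLE_PAYMENTS = [
    Payment("PAY-1", "SUP-100", "20-00-00", "11111111", 4500.00, "INV-1"),
    Payment("PAY-2", "SUP-100", "60-00-00", "33333333", 30000.00, "INV-7"),
    Payment("PAY-3", "SUP-200", "40-00-00", "22222222", 7000.00, "INV-9"),
]

if __name__ == "__main__":
    for ref, flags in screen_file(SAMPLE_PAYMENTS).items():
        print(ref, "held for investigation:", ", ".join(flags))
```

Run as a script, PAY-1 passes silently, PAY-2 is held on three counts (new account, account matches an employee, no purchase order) and PAY-3 is held because the supplier is inactive and the invoice has no purchase order. A held payment stays out of the Bacs submission until someone independent of the accounts-payable clerk has cleared each flag; the point of combining the checks is that the very first £30,000 invoice in the case above would have tripped at least two of them.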
Ultimately, wide-scale control weaknesses combined to create an environment where regular, significant and long-term payment diversion fraud could pass undetected.
Organizations looking to learn from BMW’s financial and reputational losses need to make a significant investment across the three areas of People, Process and Technology. Until they close off those vulnerabilities, they will remain easy targets for fraudsters.