The British Government issued a warning to charities in December 2019 after a spike in reported cases of ‘mandate fraud’ or Invoice Hijack – where scammers impersonate employees by using their email address.

A spokesperson for the Charity Commission in the alert said:

We have received several reports from charities who have been targeted by fraudsters impersonating members of staff, specifically attempting to change employees' bank details. In all these cases the request was made through an email.

The warning urges charities to be on the look-out for emailed requests to their HR department, their finance team, or any employee with authority to update payment details.

As we have shown before, in primitive attacks the emails spoof the address of an internal or supplier contact. In more sophisticated attacks the fraudster compromises the supplier's email system and sends from the user's real email address, so the message passes any check based on the sender address alone. These scams can be extremely convincing because they refer to existing, genuine transactions. Check out the anatomy of a real-life scam here.

Government advice for charities is to review internal procedures for how employee details are amended and approved, especially the steps used to verify that a change request is genuine.

Our advice goes further. The only effective solution is to remove the fraudster's means and opportunity: take the transaction details (invoices, bank details, even purchase orders) out of email and place them in a secure environment where the parties involved can easily share information and communicate.

The solution need not be arduous or inconvenient for either charity staff or suppliers. Indeed, when automation is applied, the change not only secures the accounts payable / invoice payment process but can also reduce cost and free up staff time for more valuable activity.

For more information about Invoice Hijack and how to avoid it, check out these posts: