
Look Out, there's a Fraudster About

Archie McDowall

Over recent years there has been an alarming increase in the number of frauds committed against churches and charities. More seriously perhaps, not only is the rate of such incidents increasing, so too is the range of methods employed by fraudsters to commit the fraud.

The following examples are all real-life situations which I personally have encountered and which, frustratingly, could have been avoided had proper checks and controls been in place. In almost every case mentioned, the treasurer realised almost immediately that they had been tricked but in the majority of cases the funds lost were not recovered.

Case 1 – Diversion of Payments to a Supplier

A church was in the midst of a large building project and, before the work had been completed, the treasurer received an email from the building contractor saying that the contractor’s bank account had changed and that future payments should be made to a different bank account number and sort code.

As the email was from the email address of the supplier, the treasurer amended the payee details on the church’s bank account and ensured that all future payments were sent to the new bank account. Unfortunately, the email had in fact come from a fraudster, and as a result the payments were made to the fraudster’s bank account. The fraud only came to light when the genuine contractor began chasing payment of invoices which the treasurer believed had already been paid.

It is in fact relatively easy for fraudsters to impersonate email accounts so that they appear to be from a different email address. The fraudster was aware that the work was going on at the church, as the contractor was advertising their name and contact details on hoardings outside the church, and the church’s website gave details of the treasurer’s name and contact details. It was therefore very easy for the fraudster to piece together all of these details and gather enough information to carry out the fraud.

Case 2 – Transfer of Funds to a Different Bank Account

In this case, the treasurer received a telephone call from Sky Television offering a special deal on a new Sky box. This was a very good offer, so the treasurer accepted, gave the details over the phone and made the first month’s payment of around £30 using his personal debit card. Around an hour later the treasurer’s bank called with an alert that they had spotted the transaction allegedly to Sky, had reason to believe that this was not in fact Sky but a fraudster who had used the small value payment to obtain bank details and that there was a risk that these details would then be used to withdraw other amounts from the treasurer’s bank account.

The good news was that the bank had cancelled the payment and were confident of tracking the fraudster down and retrieving monies which they had successfully obtained from other customers of the bank. However, in order to ensure that the funds in the bank were safe, the treasurer should immediately transfer all funds in the personal account and also any other accounts which were with the same bank with the same authorised signatory (this included the church bank account) to a separate account which the fraudsters would not be aware of. Obviously, it would not be advisable for the bank to take the necessary details on the phone, so the treasurer was advised to log on to online banking and make the transfer there – further reassurance that this was genuine.

Sadly, neither of these calls was genuine. Both the call from Sky and the call from the bank had actually been from the same fraudster, and the bank details for the account into which the funds had been transferred were for the fraudster’s bank account. The fraudster had obtained the treasurer’s details from information which was displayed in the church building and was aware that the treasurer was a Sky customer as there was a Sky dish attached to their house.

Case 3 – Text Message Fraud

As is normal practice, a church treasurer had linked their mobile telephone number to the internet banking account associated with the church’s account. This provided a useful security check as the bank would send texts when a new payee was set up or a payee’s bank details were changed. The treasurer received a text, as part of the same text chain and from the same phone number as other texts from the bank, stating that there had been suspicious activity on the account and that by clicking on the link included in the text the treasurer could change the password to protect the account. The treasurer did this.

The text was actually sent from a fraudster impersonating the bank. By clicking on the link, the treasurer had inadvertently given the fraudster the current sign-in details of the bank account, which then enabled the fraudster to access the account and withdraw funds. It is possible for fraudsters to include bogus texts in genuine text chains from apparently genuine phone numbers.

Case 4 – Email Fraud

A treasurer received an email from the church staff member who was responsible for paying invoices, asking the treasurer to make an urgent payment to a new supplier. The treasurer checked that the email came from the correct email address and, as this was indeed the case, the treasurer made the payment as requested.

The email was not in fact from the person it appeared to be from. The fraudster had impersonated the email address.

Lessons to be Learned

As I said in my introduction, these are all genuine real-life examples of incidents which I have come across. They are, however, only examples, and no two situations will be identical. There are many variations of these and other situations, all designed to trick bank account authorisers into either making payments or divulging bank account information. There are a number of important lessons for treasurers, for anyone who is responsible for making payments, and indeed for anyone who is involved in any way with church finances:

  1. Almost all of the situations outlined above could have been prevented by having dual authorisation for payments from the bank account.
  2. There are very few situations which require immediate action. It is always worth taking time to pause and reflect on any requests received and to discuss with a colleague whether the request is genuine.
  3. When asked to change the details of a payee’s bank account, always carry out a second check such as phoning the supplier to check the validity of the request. Never reply directly to an email, even if it appears to be genuine. It is always better to start a new email thread with the intended recipient’s email address.
  4. Avoid displaying the treasurer’s personal details on publicly available documents such as websites or literature which is widely available.
  5. Never disclose bank details over the phone. Always phone the bank on a recognised phone number, preferably using a different phone.
  6. Never assume that emails or texts are genuine, even if they appear to be from known or trusted sources.
  7. Never click on a link contained within a text or email, even if the text or email appears to be genuine.
  8. Always pause and take time – check details, discuss with a trusted friend or colleague, think of the possible consequences.
  9. Remember – almost nothing is so urgent that it needs to be done now! Your bank can always take steps to safeguard funds without the account holder having to do anything.

Written by

Archie McDowall

Archie joined our Accounts Examination Services team in 2020. Prior to this he was Deputy General Treasurer of the Church of Scotland and before that he managed the charity audit section of a firm of Chartered Accountants. Archie has been involved in advising treasurers and trustees of charities for many years and has also served as a trustee of various charities.

Archie and his wife Sarah live in Essex, where he preaches and leads worship in various different churches on a regular basis. Their daughter, son-in-law and two grandchildren live in Lancashire. In his spare time Archie enjoys going to the theatre.

Archie is passionate about the local church and the ways in which it serves its community and the most vulnerable on the margins of society. He recognises the importance of supporting volunteers within churches, particularly those who are facing pressures to comply with increasingly complex legislation on finance and governance.