If anyone needed any evidence about the absence of a moral compass within the fraudsters universe, look no further than the case of Bury Hospice. In July, the hospice, which provides care for terminally ill people, had £235,000 taken from its accounts. This followed a call from someone pretending to be their bank in what has become an all too familiar tale.
The emergence of ‘Social Engineering’ has shattered many organisations. In this case, the hospice was duped into believing they were taking part in an on-line virus check. Other tactics, in what are commonly known as ‘bank imposter’ claims, identify the key staff and contact them with one of two common ‘problems’:
- There has been suspicious activity on the account and the account holder needs to transfer the money into a ‘safe’ account as a matter of urgency; or
- The bank needs to confirm and clear suspicious payments, which involves the account holder using their card reader to confirm details back to the ‘bank’.
It’s probably too much to expect fraudsters to show some kind of compassion or discrimination towards their targets but, depressingly, this is not so. A childrens’ football club in Reading lost 20 years of savings earlier this year. Emails purporting to come from the chairman were sent to the unpaid, 82-year-old treasurer, requesting payments for building work, which had taken place. A dog shelter in Shropshire was taken for £20,000, and Chester Zoo for an eye watering £1.26m. In the case of the latter, employees were duped into making a payment to Laing O’Rourke, who were constructing a £17m safari experience. Because banks only require sort codes and account numbers, there is no flag if the names do not match. Within 90 minutes of the zoo paying, the money had been ‘starbursted’ into 28 different bank accounts. What certainly won’t help deter this kind of activity is that the perpetrators (unusually in the case of the zoo, they were identified) received suspended sentences or community orders for the offence. And as a general rule, don’t expect any charity from the banks, because the law is crystal clear on matters such as this.
The challenge for third sector organisations is to make the controls as robust as they need to be within the confines of the limited budgets that those in this sector are faced with. That said, a few simple and straightforward procedures, such as call back procedures for phone transfer requests and structured procedures around bank account changes, cost little or nothing but can have a profound effect. And as painful and embarrassing as this kind of event is, media coverage may at least go some way towards raising the probability that more of these frauds are prevented.