How you can protect your business from impersonation fraud

Read time: 7 mins. Added: 31/10/2018


Fraud and cyber-related fraud are on the increase. One quarter of UK businesses admit they’ve experienced a financial scam since 2014, and a staggering £145.4m was lost to scams in the first half of 2018 alone. We talk to UK Finance’s Managing Director of Economic Crime, Katy Worobec, and Chris Fawcett, Fraud Risk Manager at Lloyds Banking Group, about what businesses need to look out for and how they can protect themselves.

“Fraudsters are using more sophisticated methods to scam businesses out of money,” explains Katy Worobec, Managing Director of Economic Crime at UK Finance, “but many of the most successful cases of financial fraud are still based on old-fashioned impersonation.”

A growing threat

Impersonation fraud is on the rise in the UK and globally. UK Finance claims that “impersonation and deception scams continue to be one of the primary drivers behind business losses to financial fraud”.

In many cases, impersonation fraud occurs in conjunction with a cybersecurity attack: the breach lets fraudsters conduct reconnaissance and harvest the information that makes their approach convincing. According to the Government’s Cyber Security Breaches Survey 2017, 46 per cent of businesses identified at least one cybersecurity attack or breach in the last 12 months.

The two most common types of impersonation fraud targeting UK businesses are CEO fraud, where staff receive a payment instruction that purports to come from the CEO or another senior executive, and invoice fraud, where staff receive new or amended payment details from a fraudster posing as a supplier. A third type, business email compromise fraud, is becoming increasingly widespread.

CEO Fraud

Businesses lost over £7.4m to CEO fraud in the first half of 2018. This type of fraud depends on plausibility and pressure. Staff will receive an email that impersonates a senior executive, which tries to deceive them into transferring money. “It often occurs following a cyber breach, which allows the fraudster to hack into the CEO’s email account for example, or to find out information to make the email seem authentic,” says Chris Fawcett, Fraud Risk Manager at Lloyds Banking Group.

“The look and feel of the email can be very plausible,” agrees Katy, “and the back story will add up, so the email will typically be sent when the CEO is on holiday or travelling abroad, so not easily contactable.”

The email will request an urgent transfer of funds, perhaps stating that without the payment a deal will fall through, relying on the employee feeling pressurised to make the payment without following due process.

Invoice Fraud

Businesses lost £37.3m to invoice fraud in the first half of 2018.

This type of fraud typically occurs when fraudsters pose as a genuine supplier and request that bank account details are changed, diverting payment for goods or services received into their own bank account.

“Often the criminal will have researched the relationship between the company and its supplier,” says Katy. “They will know when regular payments are due and will contact the company either by telephone or with a counterfeit branded letter, explaining that they have changed their bank account details so future payments should be made to the new account details they provide.”

This type of fraud relies on the employee being convinced that this is a routine request and failing to undertake further checks. It’s often not spotted until the genuine supplier chases payment, perhaps weeks down the line, by which time the money trail has gone cold.

Business Email Compromise Fraud

“This type of fraud first emerged in the UK in early 2017,” says Chris. “Essentially, a business’ email is compromised and fraudulent activity is perpetrated.”

Whereas traditional invoice fraud tends to be committed through a letter on forged headed paper, by telephone or perhaps through a spoofed email address, business email compromise fraud starts with a business’ or supplier’s email being hacked. The fraudster then monitors genuine email traffic, looking particularly for correspondence between individuals where a payment is being organised.

At a crucial point, the fraudster sends an email from the compromised email account of the individual instructing the payment, changing the beneficiary details to divert payment to an account managed by the fraudster. As this will often be embedded in a genuine email chain, perhaps where authentication has already occurred, the payment is made, in good faith, to the account details provided and both genuine parties are unaware that a fraudulent act has been committed until the payment is queried.
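Spoofed and lookalike sender addresses are how the CEO-fraud and invoice-fraud emails described above usually reach an inbox, so a mail filter can catch a good share of them before a person has to. The following is an added example, not code from the article, UK Finance or Lloyds Bank: header triage that flags an executive's display name on an outside address, a registered lookalike of the company domain, and a Reply-To that points somewhere else, and holds the message only when it also talks about money. The company domain, the executive list and the four sample messages are constructed for illustration.

```python
"""Triage inbound payment-related email for impersonation signals.

Added example, not from the original article. COMPANY_DOMAIN, EXECUTIVES and
the sample messages are constructed assumptions for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-ltd.co.uk"                   # assumption: the business's own domain
EXECUTIVES = {"jane smith": "CEO", "raj patel": "CFO"}  # assumption: display names worth protecting
PAYMENT_WORDS = re.compile(r"\b(urgent|wire|transfer|bank details|beneficiary|invoice)\b", re.I)

# Character pairs fraudsters swap to register a near-identical domain.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def levenshtein(a, b):
    """Plain edit distance; the strings are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def is_lookalike(domain, target):
    """True for a domain that is not `target` but reads like it: confusable
    letters, or one inserted, dropped or changed character."""
    if domain == target:
        return False
    return normalise(domain) == normalise(target) or levenshtein(domain, target) <= 1


def triage(raw):
    """Return the list of impersonation findings for one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. An executive's display name on an address outside the company.
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        findings.append(f"display name '{name}' is a known executive but the sender domain is {domain}")
    # 2. A registered lookalike of the company domain.
    if is_lookalike(domain, COMPANY_DOMAIN):
        findings.append(f"sender domain {domain} is a lookalike of {COMPANY_DOMAIN}")
    # 3. Replies silently redirected elsewhere.
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != domain:
        findings.append(f"Reply-To {reply} points away from the sender domain {domain}")
    return findings


def should_hold(raw):
    """Hold for manual verification when the message talks about money AND has a finding."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + " " + body
    return bool(PAYMENT_WORDS.search(text)) and bool(triage(raw))


# Constructed samples (not real messages).
SAMPLE_CEO_FRAUD = """From: Jane Smith <jane.smith@webmail-host.example>
To: accounts@example-ltd.co.uk
Subject: Urgent transfer needed today

I'm travelling and can't take calls. Please wire 48,000 GBP to the account below to close the deal.
"""

SAMPLE_LOOKALIKE = """From: Finance Team <finance@exarnple-ltd.co.uk>
Reply-To: billing-update@mailer.example
To: accounts@example-ltd.co.uk
Subject: Updated bank details for invoice 1042

Please note our new bank details for all future payments.
"""

SAMPLE_GENUINE = """From: Jane Smith <jane.smith@example-ltd.co.uk>
To: accounts@example-ltd.co.uk
Subject: Transfer approval for the Leeds contract

Approved, please proceed via the usual dual-sign process.
"""

SAMPLE_COMPROMISED = """From: Raj Patel <raj.patel@example-ltd.co.uk>
To: accounts@example-ltd.co.uk
Subject: Re: Invoice 1042

As discussed, please use the updated bank details below for this payment.
"""
```

The first two samples are held; the genuine one is not. The fourth sample, the business email compromise case where the mail really does come from the CFO's account, passes every header check, which is exactly why the page's out-of-band callback control has to exist regardless of what the filter says. Running the same lookalike check against each supplier's domain on file, and enforcing SPF/DKIM/DMARC on the company's own domain so the plain spoof in the first sample is rejected before it arrives, are the natural extensions.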

How can I protect my business?

Despite the growing threat that financial fraud poses to businesses, a UK Finance survey shows a worrying complacency. “Almost half of the business leaders who took part in the survey said that they didn’t believe fraud could be committed against them, and seven in ten hadn’t taken any action to protect their company or their employees from fraud,” says Katy. “That’s hugely worrying and shows that there’s a concerning degree of naivety from businesses in the face of what can be a hugely damaging risk to a business.”

Raising awareness

Education and awareness of the extent of this core business risk, what to look out for and how to respond is critical. “One of the main ways that businesses can protect themselves is by making sure that fraud is on everyone’s radar,” says Chris. “Raising awareness, from the frontline right to the top of an organisation is essential, because protecting a business is in everyone’s interests.”

Increasing that awareness through greater education is part of UK Finance’s strategy to tackle economic crime. “Our Take Five campaign is about stopping to think before you do something, literally taking five, and the latest phase of the campaign is targeted at businesses to raise awareness of this type of crime and its effects,” says Katy.

Strengthening processes

When committing fraud, criminals rely heavily on either a lack of, or inadequate, processes within an organisation, or the failure of those processes. Fast-growth businesses, where policies, process and paperwork struggle to keep pace with an increase in staffing levels, new suppliers and contractors, for example, can be particularly vulnerable.

“Fraudsters will also target businesses during periods of change, so holiday periods are an obvious opportunity, and within individual sectors there can be times that businesses are more likely to experience fraudulent attempts,” says Chris.

Methods such as the following are critical in building robust processes that reduce the likelihood of a fraud attempt being successful:

  • double-checking new or amended payment requests (even those from the CEO)
  • dual authentication of payments
  • confirming supplier requests to change bank details through a known contact
  • not relying on email as a secure correspondence method, and
  • independently authenticating payment details with new suppliers or new contracts
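Two of these controls fail in practice in the same way every time: the person confirming a bank-detail change rings the number printed on the very letter or email that asked for the change, or one approver signs for both. As an added example (not Lloyds Bank's or UK Finance's own procedure), here is the control expressed as code a finance system could enforce, so that the callback number can only come from the supplier record captured at onboarding and the approvers must be two people other than the requester. The supplier master record, the requests and the names are constructed for illustration.

```python
"""Enforce independent verification and dual authorisation for a supplier
bank-detail change. Added example, not the article's own process; the
supplier master record, requests and names are constructed assumptions."""
from dataclasses import dataclass, field

# assumption: contact details captured at onboarding, held apart from any request
SUPPLIER_MASTER = {
    "SUP-0042": {"name": "Acme Supplies Ltd",
                 "phone": "+44 20 7946 0001",
                 "account": "12-34-56 11111111"},
}


@dataclass
class ChangeRequest:
    supplier_id: str
    new_account: str
    phone_in_request: str   # number the letter/email asks you to call: untrusted
    requested_by: str       # staff member who raised the change


@dataclass
class Verification:
    callback_number: str     # number the finance team actually dialled
    contact_confirmed: bool  # did the known contact confirm the new account?
    approvers: list = field(default_factory=list)


def number_to_dial(req):
    """The only number verification may use: looked up from the master record,
    never taken from the request."""
    return SUPPLIER_MASTER[req.supplier_id]["phone"]


def assess(req, ver):
    """Return (approved, reasons). Every failed control is reported, not just the first."""
    reasons = []
    rec = SUPPLIER_MASTER.get(req.supplier_id)
    if rec is None:
        return False, ["supplier not on the master record; onboard it first"]
    if ver.callback_number != rec["phone"]:
        where = ("the number supplied in the request"
                 if ver.callback_number == req.phone_in_request
                 else "an unrecognised number")
        reasons.append(f"callback went to {where}, not to the number on file")
    if not ver.contact_confirmed:
        reasons.append("known contact did not confirm the new account")
    independent = set(ver.approvers) - {req.requested_by}
    if len(independent) < 2:
        reasons.append("dual authorisation needs two approvers, neither of them the requester")
    return (not reasons), reasons


# Constructed scenario: a counterfeit "change of bank details" letter that
# helpfully prints its own helpline number.
FRAUD_REQUEST = ChangeRequest("SUP-0042", "65-43-21 99999999", "+44 7700 900123", "carol")
# The clerk followed the letter and called the number it printed: rejected.
BAD_VERIFICATION = Verification("+44 7700 900123", True, ["alice", "bob"])
# The clerk called the number on file and the genuine supplier denied any change: rejected.
GOOD_VERIFICATION = Verification(number_to_dial(FRAUD_REQUEST), False, ["alice", "bob"])
```

`assess` lists every failed control rather than stopping at the first, so the audit trail shows whether a near-miss was a single lapse or a process that has broken down. The same shape applies to the out-of-the-ordinary payment requests in the CEO-fraud section: the person being impersonated is reached on the number already in the directory, never via the contact details in the email.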

Building an open culture

“One of the reasons that impersonation fraud succeeds is the culture of a business, whether that’s an employee being afraid to question an email from the CEO, or being worried about admitting to clicking on a dodgy link,” says Chris.

However, money moves incredibly quickly, so the sooner suspicions are raised or a malware breach notified, the greater a business’ chance of preventing an attack or getting their money back. To help that, says Chris, “business leaders need to foster a culture of openness, no blame and awareness.”

Tips to reduce your business’ risk of falling victim to fraud

  1. Verify everything – create processes where staff will check and refer requests to change beneficiaries or make out of the ordinary payments; a phone call to double-check can make all the difference.
  2. Make staff aware of the cybersecurity threat – and keep reminding them of the dangers of clicking on links or opening attachments in unexpected emails or those received from an unknown source.
  3. Put controls in place – for example, signatory limits, dual authentication.
  4. Take Five – if something doesn’t look or feel right, ensure staff won’t feel pressurised to act.
  5. Train and test – undertake a phishing exercise to test how your business responds.
  6. Don’t assume – just because email is commonplace, doesn’t mean it’s a secure form of communication. Always confirm payment details through a different secure channel.
  7. Keep up-to-date – reduce your risk of being hacked by keeping your anti-virus software and systems up-to-date.
  8. Ask for help – if you suspect fraud, contact your bank, police or Action Fraud immediately.

While all reasonable care has been taken to ensure that the information provided is correct, no liability is accepted by Lloyds Bank for any loss or damage caused to any person relying on any statement or omission. This is for information only and should not be relied upon as offering advice for any set of circumstances. Specific advice should always be sought in each instance.

About the authors

Katy Worobec, UK Finance's Managing Director of Economic Crime

Chris Fawcett, Fraud Risk Manager at Lloyds Banking Group

Important legal information

The products and services outlined on this site may be offered by legal entities from across Lloyds Banking Group, including Lloyds Bank plc and Lloyds Bank Corporate Markets plc. Lloyds Bank plc and Lloyds Bank Corporate Markets plc are separate legal entities within the Lloyds Banking Group.

Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service. Please note that any data sent via e-mail is not secure and may be read by others.

Lloyds Bank is a trading name of Lloyds Bank plc, Bank of Scotland plc and Lloyds Bank Corporate Markets plc. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no.2065. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Lloyds Bank Corporate Markets plc. Registered office 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 10399850. Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under registration number 119278, 169628 and 763256 respectively.

Eligible deposits with us are protected by the Financial Services Compensation Scheme (FSCS). We are covered by the Financial Ombudsman Service (FOS). Please note that due to FSCS and FOS eligibility criteria not all business customers will be covered.

Lloyds Banking Group includes companies using brands including Lloyds Bank, Halifax and Bank of Scotland and their associated companies. More information on Lloyds Banking Group can be found at
