Cultivating a culture of questioning to fight fraud

What is APP fraud?

Cyber-crime is invasive; it sneaks into our homes, infiltrates our offices and seeps into our mobile devices – leaving victims embarrassed; vulnerable; devastated, and it is now the most common crime in our country.

Authorised Push Payments (APP) is a type of cyber fraud where people are scammed into paying money to criminals, believing that it is a legitimate payment. According to Tide (August 2018) in 2017 alone, there were close to 44,000 reported cases of APP fraud, costing small businesses over £236 million.

At present, there is no remedial action; unlike other types of financial fraud, banks and financial institutions cannot always retrieve the money and they do not have to reimburse APP fraud victims.

Why is this? Because, the full blame and responsibility lies with the person who authorised the payment, in fact, only a quarter of the 44,000 reported cases were refunded by financial services firms.

Honestly – it happened to us

I have been running Pillow May for 10 years, we have had ups and downs, but I have never felt as devastated as I did when I realised we were APP fraud victims.

I was just getting onto a boat in Vienna to travel to Bratislava for the first part of my Summer holiday with my family when I received the call that we all dread.  It was from one of my team members alerting me that they had discovered a cyber fraud that morning. To make it worse the fraudulent payments we had authorised, were on behalf of one of our clients – we were the vulnerable link.

After investigation, it became clear that although the original cause of the fraud was hacking of our client’s email system, it was only successful due to weak systems at Pillow May. As is the case with most reported APP frauds – the bank was unable to offer the client any monetary compensation for the crime.

The aftermath

Thankfully there was a financial reimbursement for our client but what about the things you cannot rectify financially.

Our client has been extremely generous and shared time with us to help us improve our systems.  We explored exactly what went wrong and then discussed together how the system could be improved.

It was clear to me that to move forward we needed to draw some positive learnings from this incident. I took a long hard look at our internal processes, our security policies, the extent of our cyber insurance coverage and our business culture.

My cyber-attack learnings

1. Ensure your business has adequate insurance and security

Since the attack we have now taken out cyber liability insurance which covers fraudulent payments. Whilst we were covered at the time under our professional indemnity insurance, if the fraudulent supplier payments had belonged to Pillow May then we would not have been covered.

The insurers gave us a list of security measures to introduce into our practice such as changing our main passwords every 90 days.

2. Educate and train your staff

Make it your whole company culture to be aware and vigilant for cyber fraud. Anyone who can authorise or make payments for your company or on behalf of your clients should be trained.

We ran a bookkeeping team training session where we explored in detail exactly what had gone wrong and discussed how to prevent it happening again, such as understanding the nature of every transaction to ensure it is line with our clients’ normal business dealings, and the danger of over reliance on email.

3. Do not be afraid to question

This leads me on to perhaps the biggest lesson for us, not being afraid to question. If any payments flag up warnings; such as a larger than normal amount, a new supplier or a new bank account, never be afraid to pick up the phone for verification. A quick call to your client or the supplier using historic contact information can easily confirm legitimacy.

Unfortunately, the APP fraud we fell victim too was very sophisticated as they used genuine historic client data but sometimes there are obvious spelling or grammar errors that you can spot, so encourage your staff to be vigilant for invoice/ email errors as a warning flag too.

4. Examine your internal systems and policies

Being victim to a cyber-attack is largely out of your control but how you react to what has happened can turn the experience into something positive, such as the cause to examine your own internal systems. We did just this and subsequently have introduced additional security checks, rules and updates, and a new bookkeeping engagement document.

One of the most important changes we have implemented is dual bank authority for all bookkeeping clients and encouraged all our clients to do the same if they handle payments internally. This is not due to a lack of trust but to stop any one person ever becoming liable for paying out a fraudulent payment.

Two-step verification should be the case, regardless of the pay grade as CEO fraud regularly happens. You also need to consider how the bank authorisation will work during staff holidays.

Learn from us

I really hope that by sharing such specific details about our own experience of a cyber-attack, all our clients will consider what we have learnt and take steps within their own businesses to identify any cyber weaknesses. Sadly, I feel it is only a question of when you will be attacked, not if, but simple preventative steps like encouraging your staff to question out of the ordinary payments can be very effective or at least limit the financial scope of any attacks.

Please don’t t be offended if someone from Pillow May ever rings you up to check a payment in the future, we are just doing all we can to be extra vigilant against this ever increasing crime.


Share article
Share article

Latest news and articles

  • 07 June 2023

What is an associated company?

An associated company has a significant level of control or influence over another company, or both companies are ...

  • 25 March 2022

Spring Budget Summary 2024

It's not a particularly interesting budget with a few predicted giveaways since it’s an election year, but a few s...

  • 11 October 2020

The latest IR35 case law

If you are ever investigated by HMRC and employment status is found between your company and your end customer, th...