Management Information Sheet

Scam Alert - Bank Mandate Fraud

MI Sheet Type: Information
MI Number: 57/20
Publication Date: 08/05/2020 12:00:00
LA Contact: Finance and Business Services Team (01603 307758)
Audience: Headteacher/Finance/Governor

We need to make you aware of details from another Local Authority of several bank mandate related frauds. This information needs to be shared to mitigate the risk and raise vigilance.

  1. The fraudster hacked into the email account of a member of staff from 'Achieve Together' finance team. They attached previous invoices stating they thought these hadn't been paid yet (they had) as a method of gaining trust with 2 members of the Adult Services finance/contract management team and to enter correspondence with them. Then they stated their bank account was being audited so they needed the next payment in a different bank account, and asked when this would be made. The contract manager gave the amount and date of the next invoice to be paid (which was 2 weeks away). The fraudster then sent several emails stating how they were struggling and needed the payment urgently in advance as their expenses had increased etc. The contract manager initially approved and sent the request to our Corporate Payments Team to change the bank account details. The normal process is then for the Payments Team to ring the supplier on a previously known number to validate, but they asked the contract manager if they had confirmed it, to which they said yes, see attached emails. Due to the poor English being used, and because the logo on the attachment with bank details looked blurry, the Payments Team flagged it to me as suspicious. I could tell straight away from the correspondence it was a fraudster and spoke to the contract manager, who hadn't rung the supplier, and so she did so and confirmed it was not valid. Achieve Together's IT found the email account had been hacked and it looked like emails from suffolk.gov.uk had been diverted. I believe they provide services in other Counties too so I advised that they email all their customers to tell them they might be targeted. I reported to Action Fraud and rang the bank the fraudster was using so they could close that account, which is what I normally do.
  2. We had a fraudster hack into the email account of a member of staff from 'East Coast Community Healthcare' finance team. I believe they only operate in Suffolk and Norfolk. This time they emailed the Corporate Finance Team directly, who spotted it early on as again the English was poor and the attached letter with the request looked like a very poor cut and paste job. However, the fraudster was quoting an invoice number that was on our system waiting to be receipted and then paid, which would have made it quite convincing if it wasn't for the very poor English. Again their IT Team confirmed that the email account had been hacked.

Things to think about to reduce the risk

Validate all requests for bank account changes using established contact details:

  • Never use any of the contact details contained within letters/emails received.
  • Do not communicate via email or reply to any email received. Use your contacts list (or search for the number using the internet/phone book) to call a known contact within the organisation in order to validate the request.
  • Never treat a letter/email request to change supplier bank details as genuine until the above steps have been completed.