Boss hits out at banks over loophole which led to £16,000 fraud loss
PUBLISHED: 09:06 09 August 2017 | UPDATED: 10:07 09 August 2017
ARCHANT EASTERN DAILY PRESS (01603) 772434
The boss of an award-winning Norfolk business is warning others of a weakness in the banking system which saw him lose more than £16,000 to scammers.
Fraudsters intercepted invoicing emails from a supplier, before telling staff at Attleborough-based Finn Geotherm to update their payment details, then emptied the account once the cash had been transferred.
Now commercial director Guy Ransom is speaking out about the experience as he campaigns for banks to tighten security checks and close a loophole he says plays “into the hands of the scammers”.
He wants banks to check the account name of a payee as closely as they do the account number and sort code - a “triple-check” which would have stopped Finn Geotherm’s payment ending up in the fraudsters’ account.
“Our payment had been made to the changed account number and sort code that we had stipulated, but these did not match the account name,” he said.
“By the time the scam had been discovered – only a few hours after payment – the account had been closed and the money withdrawn.”
Finn Geotherm’s bank HSBC said it had “every sympathy” for Mr Ransom but would not be refunding the money because the company authorised the payment.
Mr Ransom said staff who sent the money had felt “violated” when they realised they had been duped, and said the loss had dented the company’s cashflow, though it would recover.
“Internet fraud represents a huge cost to individuals and businesses in the UK. Banks pay lip service to the concept of reducing it. In reality, however, the policy of not verifying accounts against account names plays totally into the hands of the scammers,” he said.
The company has raised a complaint with the ombudsman and will be meeting MP George Freeman to discuss the issue.
An HSBC spokesman said: “We have every sympathy for Mr Ransom but unfortunately because Geotherm Finn authorised the payments they were processed. We contacted the receiving bank as soon as we were notified it was a scam but would advise customers to check bank details carefully particularly where bank details are changed.”
Finn Geotherm installs renewable heating systems and won the Rural Enterprise category at the EDP Business Awards 2016.
How did the scam work? And how can it be stopped?
Hackers intercepted emails between Finn Geotherm and its supplier, sending the Attleborough-based company a note saying that the supplier was updating its account details.
They then sent a new account number and sort code but, to maintain the illusion they were the same supplier, kept the account name the same.
Within hours of the misdirected payment of £16,156 being made, the real supplier got in touch to ask if the money was on its way – revealing that someone had been interfering.
When the scammers’ account was traced, it was found to have a different name.
Mr Ransom believes that making banks check all three identifiers will discourage fraudsters.
UK Finance, which represents more than 300 leading financial firms, said a system was being developed for account names to be checked, but would not be available until next year.
Mr Ransom said: “Registering a bank account requires multiple forms of ID. These can be forged, but forging is relatively expensive. If a new ID set is required for each potential scam target, costs would be significant.”
Without the name check, scammers can target multiple victims, then withdraw the money and close the account when they snare one.
“Banks need to be forced to make this three-way check,” added Mr Ransom.
“Until this is done, scammers will continue to find targeting victims relatively easy. As the banks consider they have no liability to such victims, the victims will be left to carry the cost.”