Signatory fraud in a digital age

The signatory problem

It’s almost a misnomer to call it ‘signatory’ fraud, in a digitised workplace it’s not the signature that counts, it’s more of identity fraud, and impersonation fraud.

Let’s look at this interesting modern phenomenon and check out a few case studies, including a few companies and organisations that really should’ve known better.

Case study one:

Prep school loses £240,000.

“Independent prep school Kingshott fell prey to fraudsters pretending to represent Ashe Construction, which has been working at the Stevenage Road school in recent months. The school cut the ribbon on its new Robinson building last month – the project has provided new classrooms, purpose-built music, art, food technology and science rooms, as well as changing rooms and a performing arts studio. But the tricksters mocked up a fake letterhead and got in touch with the school to ‘inform them of a change in banking details...The school processed the false information and sent a payment of £240,000.” (Source here)

It’s easy to imagine an independent country school, publicly transparent regarding its new building developments, and generally trusting in attitude, falling for this. One would be surprised if many schools have robust systems in place for identifying this kind of fraud attempt and the persons responsible for making payments are unlikely to be as aware of the risks as perhaps those in a more commercial environment.

Case study two:

Google and Facebook have confirmed that they fell victim to an alleged $100m (£77m) scam. It was reported that a Lithuanian man has been charged over an email ‘Phishing attack’ against "two US-based internet companies" that were not named at the time. They had allegedly been tricked into wiring more than $100m to the alleged scammer's bank accounts. On 27 April, Fortune reported the victims were Facebook and Google... (Source here)

This must have been a highly technical and very brazen individual to consider and accomplish an attack against two of the world’s most powerful and effective tech companies. We understand they were very active in tracking down the individual accused and cooperated with each other in order to do so. Facebook and Google probably have more technical and security experts at their disposal than all the police forces of the world combined. They are both highly effective at denying the continuous digital attacks against their companies, and yet in this instance, the weak point was the human element, the Achilles heel of any digital system. One suspects they had all their focus on preventing cyber attacks against their systems, platforms, and networks, and preventing data breaches, and somehow left a gap in the administration systems to enable repeated frauds against them. It’s unlikely to happen twice.

Case study three:

Italian football club Lazio has reportedly been scammed out of €2 million by email fraudsters claiming to be a team negotiating the transfer of a player (Source here).

Fraudsters impersonated the transfer agents and directed payments accordingly, using compromised email accounts. Phishing attacks, where malware is inadvertently downloaded by employees, we probably used for this purpose. All it takes is for someone in admin to take their eye off the ball. Red card.

Case study four:

“Hackers are stealing large sums of money from art galleries and their clients using a straightforward email deception. The Art Newspaper has so far identified nine galleries or individuals targeted by this scam. “We know a number of galleries that have been affected. The sums lost by them or their clients range from £10,000 to £1m,” says the insurance broker Adam Prideaux of Hallett Independent. “I suspect the problem is a lot worse than we imagine.” (Source here)

Art galleries can make a sale, by email, without ever seeing the client. Values can be in the thousands, or hundreds of thousands, upwards. Gallery owners may have a better understanding of art than they do of cybercrime. In this instance, again, fraudsters had compromised email accounts and were monitoring sales. When the gallery sent a PDF invoice to a client, the fraudsters would quickly move in, emailing the client a second invoice, with their bank details, and asking them to disregard the first one. The client then pays the invoice and loses the money. The gallery loses the sale, and also the client, one would expect.

Conclusion

In all of these instances, the common factor is the fraudster impersonating a company, or an individual within a company. They then intervene between the two parties and attempt to intercept payments.

The amounts tend to be very significant. Hundreds of thousands. In the instance of Google and Facebook frauds, invoices for suppliers may run into millions.

The size of the companies ranges from one-person galleries to the biggest tech giants on Earth.

Alex Walton, COO of Cygnetise, adds:

“Signatory list fraud does not have to involve someone mimicking your physical signature. In big organisations where certain functions are managed centrally (e.g. timesheets) then the requisite checks of authority are not taken and there’s an assumption of trust, which is a normal and necessary part of doing business. Mandate fraud can happen in any financial transaction, civil, commercial, or Government. It can occur when an email account has been compromised, or even just by posted or even faxed communications.”

It can be almost impossible to recover stolen money. So how to prevent this from happening?