Manchester: 0161 797 8123

London: 0207 438 2045


Unsecure Remote Working: Business Mandate Fraud

Business Mandate Fraud

With an influx of employees now working remotely from home, there are numerous cyber risks that companies need to take into consideration, including business mandate fraud.

What is business mandate fraud?

Business mandate fraud occurs when someone purporting to be from a genuine supplier, one that the organisation pays regularly, contacts the organisation with a request to change a direct debit, standing order or bank transfer mandate. If the organisation accepts the fraudulent request, subsequent payments are diverted into the criminal’s bank account. The genuine supplier details are usually obtained from a range of sources, including dishonest staff, publicly available contracts, online logs of supplier contracts or the Dark Web.

With the majority of employees now working from home for the foreseeable future, all precautions must be taken to secure networks, finances and data. Cybercriminals will attempt to exploit the current change in employee circumstances with phishing emails. Some will be obvious frauds, but some will not. Many fraudulent emails are crafted with an urgent tone, designed to shock an employee into complying with their seemingly legitimate demands. This is especially effective if the email appears to have been ‘sent by’ a senior manager or director, a variant referred to as CEO Fraud.

This type of fraudulent activity affects organisations across all business sectors, and with the current COVID-19 pandemic there has been an increase in multiple forms of phishing attempts under the guise of informative health information. These include tax refunds and ‘cures’, all presented as tempting clickable links to unsuspecting individuals.

Identifying business mandate fraud

Here are some methods fraudsters use that employees should look out for:

  • A telephone call is received where the caller is urgently requesting a change to supplier’s bank account details (commonly known as social engineering).
  • An email request is received from an unknown email account that is not present on the company database.
  • An email is received where a minor adjustment has been made to the sender’s address details, giving the impression at first glance that it is a genuine contact email address. For example, the genuine address is Johnsmith123@ but the fraudulent email came from Johnsmith12@mail.com. Employees should always check the authenticity of an email received from a supplier (e.g. the domain name) against the established supplier contact details already held on file.
  • A written request is received in the form of a letter or invoice that does not contain the supplier’s logo or the logo may be less sharp or slightly blurred (this would most likely be a scanned copy of an original document which has been counterfeited).

The National Cyber Security Centre (NCSC) has issued a similar warning about coronavirus-themed phishing attacks. Employees and organisations can implement certain procedures to help maintain productivity without increasing cybersecurity risks.

Secure Remote Working Tips:

  • Make sure all employees, particularly those in finance departments, are aware of and educated about these types of email phishing techniques.
  • Be cautious of emails of an urgent nature requesting bank transfers, even if they appear to have originated from someone within your organisation.
  • Independently verify any payment requests stating new or amended bank details.
  • Ensure your business’s IT infrastructure has appropriate cyber security measures in place, including up-to-date antivirus software.
  • Establish internal processes for the request and authorisation of all payments and be vigilant of any payment requests outside of standard processes.
  • Introduce two-factor authentication (2FA) across all payment processes and applications.
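The two controls above that finance teams can automate most easily are the sender check against contact details held on file (the lookalike-address bullet under “Identifying business mandate fraud”) and the rule that any request quoting new or amended bank details is held for independent verification. The script below is an added illustration of both, written for this page; it is not CYFOR’s code or part of any product described here. The supplier register, the `.example` domains, the sample messages and the list of bank-change phrases are all constructed for the example, and the edit-distance threshold is an assumption a real deployment would tune.

```python
"""Triage inbound supplier emails for mandate-fraud indicators.

Added example, not from the original article. All contacts, domains and
messages below are constructed; the keyword list and distance threshold
are assumptions to be tuned for a real finance mailbox.
"""

# Constructed supplier contact register ("contact details held on file").
KNOWN_SUPPLIER_CONTACTS = {
    "johnsmith123@acme-supplies.example",
    "accounts@northern-widgets.example",
}

# Constructed phrases that indicate a request to change payment details.
BANK_CHANGE_TERMS = (
    "new bank", "bank details", "account number", "sort code",
    "change of bank", "updated account",
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, known=KNOWN_SUPPLIER_CONTACTS, max_distance: int = 2):
    """Return (verdict, matched_contact).

    verdict is "known" for an exact match against the register, "lookalike"
    when the local part or domain is within max_distance edits of a known
    contact (e.g. one character dropped, as in the article's Johnsmith12
    example), and "unknown" otherwise.
    """
    s = sender.strip().lower()
    if s in known:
        return "known", s
    local, _, domain = s.partition("@")
    for k in sorted(known):
        klocal, _, kdomain = k.partition("@")
        # Guard: very short local parts (it@, hr@) are within 2 edits of
        # almost anything, so only compare reasonably long ones.
        near_local = len(klocal) >= 5 and levenshtein(local, klocal) <= max_distance
        near_domain = levenshtein(domain, kdomain) <= max_distance
        if near_local or near_domain:
            return "lookalike", k
    return "unknown", None


def triage(message: dict, known=KNOWN_SUPPLIER_CONTACTS) -> dict:
    """Decide what the finance team should do with one message."""
    verdict, match = classify_sender(message["from"], known)
    text = (message["subject"] + " " + message["body"]).lower()
    bank_change = any(term in text for term in BANK_CHANGE_TERMS)
    if bank_change and verdict != "known":
        # Unverified sender asking to change a mandate: the classic pattern.
        action = "hold: do not update; report and verify by phone using details on file"
    elif bank_change:
        # Even a known address must be independently verified for mandate changes.
        action = "verify: confirm with the supplier via established contact before updating"
    else:
        action = "pass"
    return {"from": message["from"], "verdict": verdict, "matches": match,
            "bank_change": bank_change, "action": action}


# Constructed sample messages for the demonstration.
SAMPLE_MESSAGES = [
    {"from": "Johnsmith12@mail.com",
     "subject": "URGENT: updated bank details",
     "body": "Please update our account number and sort code before today's payment run."},
    {"from": "johnsmith123@acme-supplies.example",
     "subject": "Invoice 4471",
     "body": "Please find attached this month's invoice."},
    {"from": "accounts@northern-widgets.example",
     "subject": "Change of bank",
     "body": "We have moved banks; our new bank details are attached."},
]


def triage_all(messages=SAMPLE_MESSAGES):
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for result in triage_all():
        print(f"{result['from']:40} {result['verdict']:9} -> {result['action']}")
```

The first sample message is the article’s own scenario: a local part one character short of a contact on file, sent from an unrelated domain and quoting new bank details, so it is held. The third shows why the verification step cannot be skipped for a matching address either: a genuine-looking sender requesting a mandate change still goes back to the supplier through the contact details already held, never through the details in the email.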

Dark Web Scanning

With the increase in phishing attempts, have your user credentials and passwords already been exposed and put to use in business mandate fraud? Now is a good time to find out what credentials may have been leaked and to ensure that all employees working remotely have up-to-date, secure passwords that have not been compromised.

CYFOR’s Dark Web Monitoring solution detects compromised business credentials in real time, notifying our experts immediately if your credentials have been compromised, before they can be exploited for fraud, identity theft, data breaches or other criminal activities. Frequent scans and monitoring, combined with other cyber security services such as Vulnerability Assessments, can vastly improve the security posture of your organisation.

Cyber Incident Response

In the unfortunate event that your organisation falls victim to a phishing attempt or ransomware attack, CYFOR’s Cyber Incident Response team is on hand to assist you immediately. Our cyber security consultants combine digital forensic investigation and remediation expertise with leading technology to mitigate critical situations. The majority of our remediation work can be carried out remotely, ensuring your organisation gets back to operational effectiveness quickly and efficiently.
