9 Jul 2012

Simple scam reaps fraudsters millions

Public bodies like councils and NHS trusts are falling prey to a new crime known as mandate fraud – and now it is spreading. For Channel 4 News, Sarah Smith has this exclusive investigation.

At the start of this year a brand new crime was created. Criminals are always looking for fresh ways to make some easy cash. Only very occasionally does one become so prevalent that the police need to create an entirely new crime category to track it.

In January 2012 they did just that. They officially acknowledged the crime of “mandate fraud”.

So what is mandate fraud? It’s a crime so simple it’s hard to imagine anyone gets away with it. But they do, every day, and public bodies and private companies alike are being taken for millions of pounds.

The fraudsters contact their target, saying they’re calling from a company that holds a contract with them. They’ll introduce themselves as the new accounts manager at that company, and maybe give a new phone number.

Then the sting: they send a letter saying the company’s bank details have changed and all future payments need to go into a new account – which is actually controlled by the fraudster.


When the police catch up with the person who controls that bank account, they invariably discover they are just a “money mule” – someone who allowed their bank account details to be used in return for small cut.

By the time the “mule” is under arrest, the vast bulk of the funds has usually been transferred into a maze of untraceable accounts, accessible to the real criminal masterminds.

There’s clear evidence that fraudsters simply look up online what companies these bodies make regular payments to, and use that information to steal large sums of money.

Public bodies have been particularly hard hit by mandate fraud – NHS trusts and local authorities were early victims.

Government policy made it particularly easy for fraudsters to target public bodies, as they are obliged to publish online the details of their spending. The government call it the “transparency agenda” – but they could equally call it the fraudster’s charter.

There’s clear evidence that fraudsters simply look up online what companies these bodies make regular payments to, and use that information to steal large sums of money.

It seems too easy to be true – criminals walking away with hundreds of thousands of pounds just by sending in a letter or a fax asking for bank account details to be changed. To find out how it’s done I met up with Frageand Naseem.

He conned more than £8m out of several banks using a similar technique. He was released from prison in March.

Naseem explained to me how he would identify a target inside a company’s accounts department. He’d strike up a friendly relationship on the phone, calling to check on account details and asking for very minor changes, such as adding a new phone number.

Weeks later, he’d ask for a change of bank account details. By that time, his contact usually trusted him enough to make the change straight away. And if someone did enact any kind of security check, because he’d changed the phone number weeks earlier, they would end up calling him – and he’d simply confirm the fraudulent request.

Embarrassingly simple

Naseem says he now deeply regrets his crime and wants to prevent fraud of this type happening again. But he says most companies will have to devise much stricter security protocols if they are to avoid being conned in this embarrassingly simple way.

The more people know about this crime the less likely they are to fall for it. NHS Protect have spread the word and now believe criminals are finding it harder to scam health service targets. So, as the public sector wises up, the con men are moving on, widening their net to include thousands of private businesses.

DI Simon Russen of the City of London police‘s task force showed me an astonishing file full of details of all the mandate fraud victims he has found in the first six months of this year. As well as hospitals and local authorities there are universities, supermarkets, a hotel chain, property developers and communications companies. No one is safe from mandate fraud these days.

Over £150m has been paid out to fraudsters using this simple technique this year alone.

And new attempts are being made daily. Yet it is a preventable crime that requires firms and public bodies to take just a few simple precautions.

How to spot, prevent - and report - mandate fraud
Recovery of funds can be difficult, so the only sure way to prevent loss to mandate fraud is to detect an attempt before any funds are transferred. As highlighted in our report, it can be small details that give the game away - a logo that is not quite the right colour, an email that uses a different address format, even a different type of paper used for a letter. On the phone, a person being too pushy, or asking for information that they should know or which is irrelevant (such as the date of last payment), should all set alarm bells ringing.

Be extra vigilant at times of short staffing, such as holidays, or busy periods, such as the end of the calendar and financial years. Some experts advise requiring more than one person to sign-off on change of bank details authorisations.

DI Simon Russen of City of London Police says: "Carefully check all correspondence that you receive to make sure it is genuine, and when asked to perform a task, always verify the information first from your own file contact numbers, not by using the contact numbers given in the letter or email. Think possible fraud in everything that you do."

Convicted conman Frageand Naseem says the security measure he found hardest to get round was a shared-code system, whereby all high-level requests need to be identified as genuine by use of a one-time code from a list held by both the company and the contractor.

How to report

For a company: report it to Action Fraud on 0300 123 20 40 and visit www.actionfraud.org.uk.

For an NHS trust: call the NHS Fraud and Corruption Reporting Line on 0800 028 40 60 or report online at reportnhsfraud.nhs.uk You can also contact your NHS Local Counter Fraud specialist via the trust’s main switchboard or finance department. For more information on NHS Protect, visit nhsprotect.nhs.uk.

For local authorities and linked organisation (eg. universities, housing associations, etc): contact NAFN on 01273 291 322 and report fraud here.

Also, immediately inform your bank, as early reporting has in some cases enabled the recovery of funds and always assists investigators.

Even failed attempts should be reported, to enable investigators to build up a full picture of criminal activity around mandate fraud.