Protecting yourself from payment diversion fraud 

Currencies Direct December 19th 2024 - 4 minute read

Keeping you and your money safe is our top priority, and we have stringent safeguarding measures in place to help protect all our customers. But there are also steps you need to take to protect yourself from fraud. 

To help you identify potential scams and stay safe, we’re publishing a series of articles on fraud protection. This article focuses on payment diversion fraud, how it works, and how you can protect yourself.

What is payment diversion fraud? 

Payment diversion fraud, also known as PDF, is a scam where criminals trick victims into sending money to accounts they control. Using social engineering tactics, these fraudsters make their requests seem legitimate, often impersonating trusted suppliers, executives, or employees. They may also hack into email accounts to make their schemes more convincing.

One common form of payment diversion fraud is CEO fraud, where a scammer pretends to be a company’s CEO or senior executive. They send urgent instructions to an employee, convincing them to transfer funds to an account controlled by the fraudster. 

Another method is invoice fraud, in which scammers impersonate legitimate suppliers. They send fake invoices with updated bank details, tricking businesses into redirecting payments to fraudulent accounts. 

Conveyancing fraud targets property transactions, with criminals intercepting emails between buyers, sellers, and solicitors. By posing as one of the parties, they redirect substantial payments meant for property purchases into their own accounts. 

Salary diversion fraud involves scammers pretending to be employees. They contact payroll departments, requesting changes to payment details, and reroute salaries to accounts under their control. 

These types of fraud capitalise on trust and urgency, exploiting operational processes to siphon funds from businesses and individuals. The consequences can be significant, often leading to financial loss and reputational damage. 

An example of payment diversion fraud 

Emma, the accounts manager at a small marketing firm called ‘Creative Solutions’, received an email that seemed to be from ‘Johnson Supplies’, one of the company’s regular suppliers. The email thanked Emma for the company’s business and included an invoice for recent services, along with updated bank account details due to a change in banking providers. 

Since the email appeared legitimate—complete with the supplier’s logo and the signature of their usual contact, Sarah—Emma processed the payment of £15,000. A week later, Johnson Supplies called to ask about the overdue payment. Only then did Emma realise the money had been sent to a fraudulent account. 

The fraudster had hacked into Sarah’s email account to send the fake invoice and intercept any replies. Despite reporting the incident to the bank and authorities, the funds couldn’t be recovered as they had already been moved through multiple accounts. 

This incident was a costly lesson for ‘Creative Solutions’ and highlighted the importance of verifying payment details, no matter how genuine an email might seem. 

Five tips on how to protect yourself from payment diversion fraud 

While payment diversion fraud is clever and convincing, you can take steps to reduce your risk: 

  1. Verify payment requests thoroughly 

Always take extra steps to confirm payment requests, especially if they involve changes to bank account details or seem urgent. Rather than relying on email alone, contact the requester using a trusted, independently verified phone number or other secure means of communication. 

Avoid responding directly to the email or message containing the request, as it may be from the scammer. This simple step can prevent fraudulent transactions and safeguard your funds. 

  2. Educate your team on scam prevention

Ensure that all employees—particularly those in finance, payroll, or accounts payable—are aware of the latest fraud tactics and warning signs.  

Conduct regular training sessions that include real-life examples of fraud attempts and practical ways to handle them. Employees should feel comfortable questioning unusual requests, even if they appear to come from senior executives or trusted partners. Consider providing ongoing updates about emerging scams to keep awareness high. 

  3. Implement multi-factor authentication (MFA)

Strengthen the security of your email accounts, payment systems, and other sensitive platforms by requiring MFA. This involves using two or more verification methods, such as a password and a one-time code sent to a mobile device or app.  

Even if a scammer gains access to a password, MFA makes it significantly harder for them to breach accounts, adding a critical layer of protection. 

  4. Strengthen internal payment processes

Establish robust protocols for approving payments and changes to bank account details. For example, require multiple layers of approval for large transactions or updates to payment instructions, involving at least one senior manager.  

Use secure, standardised forms and systems for making such requests, and ensure all steps are documented. These measures reduce the risk of fraud by introducing additional checkpoints and accountability. 

  5. Monitor for and respond to unusual activity

Regularly review system logs, email accounts, and financial systems for signs of unusual behaviour. This includes unfamiliar login attempts, unexpected email forwarding rules, or new devices accessing accounts. Use automated monitoring tools when possible to flag potential threats in real time.  

If suspicious activity is detected, take immediate action, such as disabling affected accounts and investigating the source of the breach, to mitigate potential damage. 
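One way to automate the review for unexpected email forwarding rules mentioned in tip 5, shown as an added example that is not part of the original article. The rule export format, field names, folder list and sample addresses are all assumptions constructed for illustration; adapt them to whatever your mail platform actually exports.

```python
# Added example: audit an export of mailbox rules for signs of account takeover.
# Field names are hypothetical, not a real mail platform's schema.
PAYMENT_WORDS = {"invoice", "payment", "bank", "remittance"}
HIDING_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}

def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_rule(rule, org_domains):
    """Return the reasons a single rule looks suspicious (empty if none)."""
    reasons = []
    external = [a for a in rule.get("forward_to", [])
                if domain_of(a) not in org_domains]
    if external:
        reasons.append("forwards mail outside the organisation: "
                       + ", ".join(sorted(external)))
    keywords = {k.lower() for k in rule.get("subject_or_body_contains", [])}
    hits = keywords & PAYMENT_WORDS
    folder = (rule.get("move_to_folder") or "").lower()
    # A rule that silently files away payment mail keeps replies from the owner.
    if hits and (rule.get("delete", False) or folder in HIDING_FOLDERS):
        reasons.append("hides payment-related mail ("
                       + ", ".join(sorted(hits)) + ")")
    return reasons

def audit_mailboxes(rules, org_domains):
    """Map (mailbox, rule name) to reasons for every rule that raised a flag."""
    org = {d.lower() for d in org_domains}
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule, org)
        if reasons:
            findings[(rule["mailbox"], rule["name"])] = reasons
    return findings

# Constructed sample data for illustration only.
SAMPLE_RULES = [
    {"mailbox": "sarah@johnsonsupplies.example", "name": "Newsletters",
     "subject_or_body_contains": ["newsletter"], "move_to_folder": "Archive"},
    {"mailbox": "sarah@johnsonsupplies.example", "name": ".",
     "subject_or_body_contains": ["Invoice", "bank"],
     "move_to_folder": "RSS Feeds", "forward_to": ["collector@mailbox.example"]},
    {"mailbox": "accounts@johnsonsupplies.example", "name": "Copy to manager",
     "forward_to": ["manager@johnsonsupplies.example"]},
]

if __name__ == "__main__":
    for key, why in audit_mailboxes(SAMPLE_RULES, {"johnsonsupplies.example"}).items():
        print(key, why)
```

Any rule this flags should be confirmed with the mailbox owner by phone before it is removed, since a flagged rule may also mean the account password and sessions need resetting.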

If someone targets you 

If you think you’re being targeted or have already fallen victim to payment diversion fraud, it’s important to act fast to limit the damage to your accounts. 

If you’ve lost money, report it to Action Fraud in the UK by calling 0300 123 2040 or using their online reporting tool. You can also report the incident to the Financial Conduct Authority (FCA). 

Let your bank or payment provider know what’s happened as soon as possible. They might be able to stop the payment or help recover your funds. 

Suspected scam emails can be sent to report@phishing.gov.uk, while suspicious text messages or WhatsApp messages can be reported by forwarding them to 7726. You can also report suspicious calls by texting the word “call” along with the suspicious number to 7726.

Suspicious web pages can be reported to the National Cyber Security Centre (NCSC).

Taking these steps quickly can reduce further risks and improve your chances of recovering lost money. 

More information on payment diversion fraud 

The organisations listed above can also provide you with information to help you learn more about payment diversion fraud and how to protect yourself.  

You can also contact Victim Support, which offers free, specialist assistance to anyone affected by fraud.

Finally, we’re here to support you. If you have any concerns or questions about the security of your funds or need advice about a transfer, please don’t hesitate to get in touch with us. Your peace of mind is important to us, and we’re always happy to help. 

Written by
Currencies Direct
