Invoice intercept scam deceives an engineering company

When a small business lost money in an invoice intercept scam, we questioned whether the bank involved could have done more to warn their customer and stop the payment.

What happened

An engineering company got an invoice from one of its regular suppliers by email. The email said that the supplier’s bank details had changed and that the company should send money to a new bank account.

As they were expecting an invoice from that supplier, and the email was written in the supplier’s usual style, the company made the payment to the new account.

At the time, the company’s bank wasn’t offering the ‘confirmation of payee’ service, which checks names and bank details for certain UK-based payments. So, when they made the payment, the company didn’t receive any warnings about the bank details.  

The bank did call the company, but only to ask whether they had intended to make the payment.

A week later, the genuine supplier contacted the company for payment and the scam came to light. Unknown to the supplier, their email server had been infiltrated by scammers who’d intercepted the invoice and altered the bank details.

What we said

The company was not a micro-enterprise, so the transaction wasn’t covered by the CRM code. But we wanted to find out whether the bank could have spotted the scam and done more to prevent it.

Alerted by the size of the payment, the bank had called and spoken to the company director. She confirmed she was making a payment to a regular supplier and mentioned that the instruction to change the bank details had come by email.

Even so, the bank didn’t warn her about the possibility of invoice intercept scams or suggest she phone the supplier using a reliable phone number. This was a missed opportunity to prevent the scam.

We said that the bank could have explained how invoice intercept scams work and what steps the company could take to avoid them. That might have encouraged the director to call the supplier and verify the bank account change.

We also considered whether the company could have done something to prevent the fraud, but we didn’t think so. The invoice came as expected and from the supplier’s genuine email address. There was nothing else that ought to have alerted the company to the scam. So, we didn’t think that the company acted unreasonably by making the payment.

We concluded that the bank should reimburse the company with interest.