The new breed of scams targeting the Crown Dependencies

Your finance team receives an email instruction from their client’s genuine email address, requesting that $668k is transferred to a known and existing beneficiary. Two minutes later, a further email is received, requesting a change in the amount (to £250k) and a change in beneficiary details. What happens next?

This real-life example wasn’t the first time this business had been targeted. Only the previous year, the company had been the victim of a £400k invoice fraud scam. As a result, processes and procedures had been tightened and employees trained, which meant that this time, they knew what to do.

Suspicious of the email requests, the finance team contacted the client by telephone, using a known number, to verify the instruction. It transpired that, although the original request had been genuine, the subsequent change wasn’t. The client’s email had been compromised, but the funds were not sent, and the invoice fraud was prevented.

It’s not just businesses that face scamming threats such as these. Fraudsters will target individuals, too. Just last year, people in the Channel Islands were warned to be on their guard from scammers targeting wealthy individuals by befriending them and luring them into parting with their money – resulting in losses of £350,000.

The scale of the threat

Scams like these are increasingly common. Ben Poxon, Principal, Head of Economic Crime Information at UK Finance says: “Fraud is a moving target, as fast as we plug one hole, another one emerges. For example, unauthorised fraud used to be a big problem, but advances such as chip and pin technology have made that type of fraud much more difficult.

What’s become clear to the criminals is that the easier way to commit fraud is through scams, whereby the fraudsters convince people to send funds themselves, so categories such as invoice fraud, investment and romance scams are more attractive to them.”

Our own figures for 2019 from the Crown Dependencies show that there were 92 scams attempted, targeting £1.6m¹. Across the UK as a whole £1.2bn was lost through frauds and scams in 2018, with losses across payment cards, remote banking and cheques rising by 16% compared to 2017².

This rise of invoice fraud and other ‘social engineering scams’, where fraudsters manipulate victims or breach security systems to gather confidential information, also marks a shift of focus among scammers. That shift is seeing criminals move away from targeting banks and other big financial organisations, to attacking individuals and businesses instead – not least in the Crown Dependencies.

“Since 2018, we have seen a real shift and these types of scams are now one of the greatest threats on-island,” explains Emma Qualtrough, Deputy Chair of the Isle of Man Bankers Association Fraud Forum, and Assistant VP – Fraud & Transaction Monitoring Manager at Barclays. “As banks have become better at preventing and identifying fraud, the scammers have become very clever at targeting customers directly, seeing them as a weak link and the potential to secure greater returns.”

Common scams affecting the Crown Dependencies

According to UK Finance, social engineering scams were one of the biggest contributors to the rise in the theft of personal and financial data in 2018². The scams operate in different ways depending on whether the targets are individuals or businesses.

Across the Crown Dependencies, invoice fraud and business email compromise are increasingly common scams targeting businesses, whilst investment scams – whereby victims are encouraged to put money into fake or corrupt investment products – and romance scams, where scammers build relationships with their victims to extort money from them, are increasingly being used to defraud individuals, Emma points out.

Many of these scams are initiated through phishing, vishing or smishing attacks, targeting potential victims through email, telephone and text messages respectively.

“We’re seeing the scammers use increasingly sophisticated methods to target people on-island,” Emma adds. “In the early days, the majority of scammers would claim to be from UK-based companies, calling people up and claiming to be offering a refund. That would require the disclosure of bank account details, which would then be used to defraud the victims. Today, however, scammers are more likely to claim they’re from local companies, such as local utilities. That makes the call seem much more plausible and genuine to the recipient.”

The recent Manx Telecom case is a good example. In this case, several Isle of Man residents were contacted by people claiming to be from the company (the primary provider of broadband and telecommunications on the Isle of Man), attempting to obtain personal and account details. Such was the scale of the threat, the Isle of Man police sent out warnings and guidance to residents.

Reducing your risk

Given the growing threat the scammers pose, raising awareness of the methods they use and how individuals and businesses can protect themselves is high on the agenda across the Crown Dependencies. “It’s an industry-wide issue facing our communities, so we’re working collaboratively with local on-island government bodies such as the States of Jersey’s Cyber Security Task Force and the Isle of Man Office of Cyber Security and Information Assurance, and with other banks to tackle it, explains Emma.

Emma continues, “That includes working closely with businesses to help them develop robust frameworks, policies and procedures and encouraging them to disseminate training throughout their organisations. At an individual level, identifying new scams and communicating that through radio and social media, and targeting education at specific audiences is crucial.”

Collaboration is also key to addressing one of the threats Emma has seen increasing over the past 18 months. “Scammers are adept at finding and exploiting weaknesses,” she points out.

“So, whilst many of our corporate clients have invested time and money in training their staff and improving processes to identify frauds and scams, the scammers are now targeting their clients and/or suppliers, who may not understand the risk and have therefore not invested in reducing it. Many of the invoice fraud and business email compromise cases we’re seeing are through this route, so encouraging businesses to collaborate with each other to discuss and address the threat is key.”

Talking about scams is the first step in tackling the threat, particularly as figures point to only 5% of victims reporting that they have been scammed⁴. Whilst embarrassment or fear of reputational loss can stop victims from speaking out, reporting it can help build a picture of the scale of the threat, the nature of the threat landscape and potentially aid in the tracing and recovery of funds.

Ben says that the evolution of Best Practice Standards across the UK Finance industry as well as the launch of a voluntary code to promote the reimbursement of victims of scams who are clearly not at fault, is encouraging more people to report it. “It becomes a virtuous circle,” he points out.

“As more people report scams, we’re able to track and repatriate funds much more easily, but also as more people step forward and admit to being scammed, it’s obvious that it effects everyone from all walks of life. We’ve seen celebrities, high court judges, GPs scammed and making the news – and that reduces the embarrassment people often feel at speaking up.”

Emma agrees: “Because scams rely on individuals being persuaded to take action, for example, sending money or disclosing account information, preventing it also relies on individuals taking action to speak up, understand and protect themselves and their businesses.”

For more information about fraud, scams and cyber security, speak to our on-island team, or visit our Fraud awareness hub.