Nearly a quarter (24%) of businesses across the UK experienced payment diversion fraud in 2022 according to data from the Hiscox Cyber Readiness Report*.
Payment diversion fraud (PDF) involves cyber criminals posing as a trusted supplier and manipulating individuals within the business to make a false bank transfer or other payment. In 2022, the average cost of a claim for customers requiring help (following an attempted or successful PDF attack) was £15,484**. These claims tended to be more prevalent in May and November, as businesses either prepared for a busy summer or festive season.
A total of 982 UK businesses were surveyed for the report, which found that for this type of fraud, company size is not a discriminating factor. Criminals are more interested in businesses suffering from weakened IT systems or otherwise rely on human error, with the latter being the most common reason for a business falling victim to this type of scam.
Alana Muir, Head of Cyber – Hiscox UK, said: “Payment diversion fraud is the gift that keeps on giving for cyber criminals and can pose a significant threat to any business. Most attacks happen because businesses fail to carry out basic checks before making a payment – it’s human error and often avoidable. Attacks of this nature could leave businesses significantly out of pocket or even worse, bankrupt.”
Steps to take to prevent PDF
- Make a test payment to the payee and check they receive the money before transferring a large sum.
- Take time to check a change of bank details notification – it may not be genuine. Contact the payee on the number you know is correct to confirm their details have changed.
- Carry out regular training to remind employees what to look out for when making payments, and the steps they should take to ensure due diligence.
- Change passwords on a regular basis and make them complicated so that they are not easily identifiable. Use Multi Factor Authentication to help accounts, such as email, from being compromised.
- Adopt a four eyes approach – dual signatories for payments over a certain amount.
- Carry out regular checks on IT equipment to ensure there are no weaknesses in the systems.
- If you are in doubt about the transaction, don’t hand over the money.
- If you realise it is a scam, contact your bank immediately.
In 2017, Hiscox introduced the CyberClear Academy which has trained almost 36,000 individuals from 7,000 organisations. Training helps identify specific knowledge gaps in their systems that could lead to a cyber attack and is carried out through a mix of videos and interactive materials.
* The Hiscox Cyber Readiness Report 2023 was compiled in collaboration with Forrester Consulting. It is based on a survey of 5,005 executives, departmental heads, IT managers and other key professionals, from across the USA, UK, Germany, France, Spain, Netherlands, Belgium and Ireland. Drawn from a representative sample of organisations by size and sector, these are the people on the front line of the business battle against cyber crime. Respondents completed the online survey between 9th January 2023 and 2nd February 2023. The full Hiscox Cyber Readiness Report 2023 will be available from September.
** Based on Hiscox UK claims data for 2022.
