A travel industry anti-fraud group has warned of a new form of cybercrime threatening the sector.
Three companies, including a national business, have been recent targets of ‘payment request’ fraud, with one losing an entire season’s profits in a single transaction.
However, industry anti-fraud group Profit warns the scam, which first came to light last year, is likely to be much more widespread with many travel firms failing to report incidents.
A typical fraud attempt involves an email to the finance or HR department which appears to be from a senior member of staff and requests a payment be made on behalf of the business.
The staff member whose email address has been used for the fraud is typically out of the office when the request is sent.
One Sheffield-based travel company lost £15,000 from the scam earlier this month. Its joint managing director, who asked to remain anonymous, received an email from her counterpart saying they needed a payment to be carried out and asked what details they should send over.
She said: “The email address was the same and it was a totally normal question to ask so I didn’t think anything of it.
“The request came back asking to transfer £14,850 to a particular person with their bank details.
“When I spoke to them [my colleague] later over the phone, I asked what the payment was for and they asked ‘what payment?’”
The company reported the scam to the police and to Profit. It’s still waiting to hear from its bank whether it will recover the funds.
Profit chairman Barry Gooch said two other travel companies, one of which has been targeted three times, managed to avoid falling for the scam.
He said: “This scam is particularly nasty because it looks like it’s internal so it’s very easy to fall for. It could severely damage travel companies and even take them under, especially as a lot are small businesses.”
Gooch said perpetrators carry out ‘phishing’ attacks or scrape email addresses then ring a targeted company to check who is in the office.
Profit is urging companies to make staff aware of the fraud and remind them not to open suspicious emails which could allow a phishing attack.
Companies should also ensure virus protection is up to date and make sure staff check before paying out-of-the-ordinary requests by speaking to the person concerned on the phone or face to face.
How the scam works
• The email recipient will be someone who normally makes payments on behalf of the business, eg the financial controller.
• The email requesting a payment be made will be from a plausible source, such as the head of sales.
• The sender is likely to be out of the office when the request is sent.
• The scam email request is likely to contain: the recipient’s name, address and account number; the payment amount; the recipient’s bank name, address, sort code and reference number.
• If you are a victim, contact your bank, report it to the police through Action Fraud and inform Profit.