Businesses: 5 security reflexes before executing a transfer

Bank transfer fraud can have serious consequences for companies, which sometimes find themselves in liquidation after losing part or all of their cash flow. In 2020, the total loss amounted to 120 million euros for companies and public services, victims of 900 transfer order scams. Here are 5 security reflexes to adopt to avoid fraud.

1. Establish an internal procedure for transfers

To reduce the risk of fraud, it is essential to establish and formalize an internal procedure for executing transfers. Based on this procedure, training should then be given to company employees responsible for carrying out transfers. The document on which the procedure is detailed should be communicated to these people only.

The procedure must include a number of elements, starting with the list of persons authorized to execute transfers. For each of these persons, a maximum amount will be set, whether for transfers to France or to other countries. Authorized geographical zones must be defined in advance, and a maximum number of transactions per period must be set.

We strongly advise you to define the transfer order validation circuit in your procedure. A transfer should not be executed until it has been validated by at least two people. It is also necessary to establish a procedure to follow in the event of an unusual transaction.

Finally, allcompany employees must be made aware of the risk of fraud.

2. Be vigilant

Fraudulent transfer orders can take many forms. For example, it may involve identity theft, where the fraudster poses as an organization or authority, such as a bank or an auditor.

In some cases, the fraudster pretends that the transfer order has been issued by the company's director, after obtaining prior information about the company. There are also bank details frauds: the company receives a transfer order, supposedly from a supplier or its landlord, to a new IBAN under the pretext of a bank change.

Whatever the form of the attempted scam, it often has certain points in common which should raise the alarm, and lead to checks being carried out. Transfer requests are often urgent and confidential, and scammers don't hesitate to use intimidation or, on the contrary, empathy.

Transfer requests are often sent on a Friday or the day before a public holiday, which reinforces the urgency of the situation and limits the risk of checks.

Checks should be carried out if there is the slightest doubt, particularly when the so-called manager asks to bypass the procedure in complete secrecy, or when the supplier or landlord claims to have changed their bank details. It is necessary to call the person who is supposed to have sent the e-mail or letter, using the contact details in the company's internal files.

3. Restrict public information about the company

To prevent crooks from gaining access to too much information about the company, making it easy for them to pass themselves off as employees or managers, it is important to keep control of the information that is accessible to everyone.

For example, it is preferable not to include a detailed organization chart on the company website. The identity of those responsible for making transfers should not be divulged.

Care must be taken when providing information about the company, whether in trade directories, the press, on the website or in the company register.

And it's not only outgoing information that needs to be checked. It's also important to keep abreast of new forms of fraud, as fraudsters are constantly changing.

4. Reduce the risk of piracy

The company's IT system must be perfectly secure to minimize the risk of piracy. All computers must be equipped with anti-virus software, with updates carried out as soon as necessary, and new software must not be allowed to be installed without supervision and control.

It is essential that employees avoid certain dangerous practices, such as opening attachments from unknown senders. The best way to do this is to draw up an IT charter, which defines the right reflexes to adopt.

Access to remote banking services must be particularly secure. Access codes must not be communicated to all employees, but only to those in charge of making transfers. These codes must be complex and changed frequently.


5. Notify the bank and the police in the event of fraud

If the fraudulent transfer has been carried out, it is essential to notify both the bank and the police immediately. The bank will look for ways to recover the money, while the police will investigate once a complaint has been filed.