Internet banking risk for businesses

13 September, 2006

The Ombudsman for Banking Services (OBS) issued a warning to the owners of businesses regarding the authorising of payments using internet banking facilities.

Employees of businesses tasked with doing the financial accounting for the business are often able to arrange for payments to be made to themselves by substituting their own account number for that of the actual creditor on the internet banking payment template. When authorising the payment, the business owner only looks at the name of the beneficiary and assumes that the payment will be made correctly. The banks’ internet payment systems use only the account number for transfers. No cross verification can be done to ensure that the account number entered is that of the stated beneficiary. The fraudsters usually hide the bogus payments amongst the many transactions that take place every month to ensure that the use of the same account number is not noticed by the person authorising the payments.

According to OBS Manager of Investigations, John Simpson, the OBS has received complaints from several business owners who have been defrauded of thousands of rand in this manner. It is understood that the losses to businesses could run into millions. Fraudsters who operate in this manner appear to be able to gain employment with one business after the other and continue to use this method of theft.

It is very important that business owners scrutinise every internet payment carefully to ensure that the account number entered is that of the person they wish to pay. The onus remains on the business account holder to ensure that it has adequate measures in place to protect itself against fraud of this nature. The bank can further be requested to provide advice on the best system configuration to minimise the risk.
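
The check described above can be automated before a payment batch is authorised. The following is an added example, not part of the OBS notice or any bank's system: it compares each pending payment with a creditor list kept independently of the person who prepares the templates, and flags any account number used under more than one beneficiary name. All names, account numbers and amounts are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data. Assumption: the creditor master list is maintained
# by someone other than the person who prepares the payment templates.
CREDITOR_MASTER = {
    "Acme Stationers": "1000000001",
    "Free State Couriers": "1000000002",
    "City Power": "1000000003",
}

# Constructed batch awaiting authorisation: (beneficiary, account, rand amount)
PENDING_BATCH = [
    ("Acme Stationers", "1000000001", 1850.00),
    ("Free State Couriers", "9000000009", 3200.00),
    ("City Power", "1000-000-003", 7410.50),
    ("Bloem Office Rentals", "9000000009", 2900.00),
]


def normalise(account):
    """Keep digits only so spacing or dashes cannot hide a match."""
    return "".join(ch for ch in account if ch.isdigit())


def review_batch(batch, master):
    """Return (name, account, amount, reason) for every payment needing a second look."""
    names_by_account = defaultdict(set)
    for name, account, _ in batch:
        names_by_account[normalise(account)].add(name)

    findings = []
    for name, account, amount in batch:
        acct = normalise(account)
        expected = master.get(name)
        if expected is None:
            findings.append((name, acct, amount, "beneficiary not in creditor master"))
        elif normalise(expected) != acct:
            findings.append((name, acct, amount, "account differs from creditor master"))
        # The notice describes one account number reused under several names.
        if len(names_by_account[acct]) > 1:
            findings.append((name, acct, amount, "account shared by several beneficiaries"))
    return findings


if __name__ == "__main__":
    for name, acct, amount, reason in review_batch(PENDING_BATCH, CREDITOR_MASTER):
        print(f"REVIEW {name:<22} {acct} R{amount:>10.2f}  {reason}")
```

Running the same function over several months of payment history rather than a single batch covers the case where the repeated account number is spread thinly across many transactions.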

The banks have informed the OBS that account numbers and names cannot be cross verified at this time, mainly because banks do not have access to each other’s client lists. Even if they had access, there may be differences between the name under which the account was opened and the name used by the business in trading. If the name entered did not match exactly or a simple spelling mistake was made, the payment would be rejected. It is likely that the majority of internet payments would therefore be rejected, which would make the system impractical. The OBS is currently working on a project with the banking industry to try to resolve this problem.

Case summary

A professional business partnership in Bloemfontein employed a financial consultant to manage its financial affairs. The consultant advised the business to apply for internet banking facilities to make the administration easier. The consultant was then authorised by the partners to create payment templates for creditors. Only the final payment had to be authorised on the system by the partner using a password. The consultant created a number of payment templates that appeared to be for normal creditors of the partnership. The partners only looked at the name of the beneficiary and then authorised payment. What they did not realise was that the consultant had changed the account number on the payment template to his own account number. All the payments were then made to the consultant’s personal account. The consultant did this approximately four times a month over a period of eleven months resulting in a loss of R124 000. The partnership suspects that close to R500 000 was stolen in this manner but has been unable to prove it as yet. The partnership received information that the consultant may have stolen millions of rand in this manner from other businesses. The matter was reported to the police’s commercial branch for investigation, which is still ongoing.