In a series of blogs, Andrew Little of Hill Dickinson LLP looks at some practical guidance to avoid issues with rogue suppliers, bad contracting practices and fraud aimed at public sector bodies (PSBs). Andrew presented on this topic at the NDPB Lawyers’ Group training day in June 2015. In the third in the series, Andrew looks at issues around external fraud in the public sector.
Fraud continues to be a significant issue in all sectors of the economy, but it arguably has its biggest impact in the public sector. Whilst visible crimes like burglary and robbery are falling year-on-year, the reality is that many criminals are simply turning their attention to less detectable and more lucrative forms of crime. For example, the latest reliable estimates put fraud in the NHS at £3 billion pounds each year. In other areas of the public sector, whilst the monetary totals may be less eye-watering, the relative incidence of fraud is likely to be similar. In an era of austerity and reduced budgets all organisations should be seeking to cut the cost of criminality before they cut services.
Why the public sector is a target
Whilst it may not feel like it for those trying to make budgets balance, PSBs are perceived by fraudsters to have very deep pockets. Huge sums of money move through the public sector and fraudsters view large public organisations as ideal targets.
All public bodies have a responsibility to protect public funds. Where a public body finds itself the victim of a fraud, the employee who has been duped and even the management who then have to deal with it are often reluctant to publicise the fact. This has the dual effect of both allowing fraudsters to escape prosecution and preventing the dissemination of information about successful frauds to other organisations, before they themselves fall victim.
The sting
Targeted mail and email fraud is far more lucrative and prevalent than might be imagined. Many of the frauds being perpetrated today are much more plausible and sophisticated than the emails received by many on a daily basis to personal email accounts from overseas royalty looking to transfer cash to a UK bank account or notifying you of a legacy from a long-lost aunt that will be paid to you immediately upon receipt of your bank account details.
Experts in the sector believe the true extent of email fraud is massively unreported, particularly in the case of low value frauds. Many organisations may not even realise they have been defrauded for the simple reason that, even if an individual employee realises that they have been duped for a relatively small sum, they may not be motivated to draw management attention to the fact. A head-in-the-sand, “who will notice?” approach.
To use a common example, most people may recall the company Powwow water. The company was a legitimate business and a massive player in the UK office drinking water market. At its height, it held a substantial market share in both the public and private sectors. However, it went into administration in 2010.
For several years since the administration, fraudsters have been using the Powwow name to chase imaginary low value debts from private companies and PSBs. The operation is sophisticated but simple; an accounts team will receive a demand from a legitimate-looking debt collection agency purporting to act on behalf of the administrator, a reputable big four accountant. There is a number you can call and a professional website. Someone will answer your call and provide further details about the debt.
Many accounts departments might just authorise payment of a few hundred pounds without a second thought. A more thorough employee might check if the organisation ever received water from Powwow. Given their market domination, the chances are that it may well have done so at some point in the past. However, the whole operation is a well-conceived and professionally executed fraud.
While an organisation might not think that losing out on a few hundred pounds is the end of the world, it will now find itself squarely on the top of the fraudsters’ lists as a prime target for future scams. An employee who hasn’t been as diligent as they might be will be carefully noted and targeted again, often for more significant sums now that a weak link has been identified. With invoice scams of this type, paying one can lend legitimacy to continuing false invoices, increasing liability.
Another example that treads the line of legitimacy is the practice of exploiting trademark or patent holders. Whilst trademarks/patents are not a common concern in the public sector, this operation highlights the risk that seemingly innocuous postal and email communications can mislead junior staff into allowing money to walk out the door.
An organisation will receive official-looking correspondence from the “Trademark Office” or the “Patent & Trademark Offices” or similar, that seem for all the world to require immediate payment in order to protect legal rights. In reality, these companies offer a generic trademark monitoring service which has absolutely nothing to do with the UK Intellectual Property Office.
The Advertising Standards Agency has made a ruling against these organisations and directed that the layout of the mailings are amended to ensure it did not imply it was official correspondence from a company affiliated with the Intellectual Property Office.
Inevitably though, as soon as one misleading activity is closed down, another seems to appear.
The world’s fastest growing crime, not just for consumers
Electronic payment fraud is the world’s fastest-growing crime and while a significant number of individuals will have either been a victim themselves, or know someone who has, few people appreciate the extent to which fraudsters are now targeting businesses and public bodies.
We have seen a deluge of these types of frauds, leaving both individuals and businesses significantly out of pocket. One example involved a business that found that one of its corporate customers had been targeted by fraudsters. The fraudster took control of one of the customer’s web-hosted business email accounts and contacted our client to arrange for a substantial cash refund to be transferred to the company’s ”new account”, which was controlled by the fraudster.
This was a sophisticated fraud, where an employee was compellingly impersonated and a long-running chain of email correspondence was utilised by the fraudster to make the transaction seem plausible.
It was the customer’s email that had been hacked because they had unwittingly downloaded malicious software, but my client had paid out the funds to the fraudster’s account and as such remained liable to its customer for the refund and was unable to recover a penny from the fraudster.
All organisations should ensure that robust protocols exist in their finance team, otherwise they could find themselves out of pocket for doing nothing more than following somebody else’s instructions. Always require secondary confirmation by phone for an instruction like this and make sure you call them to confirm, on a number you know to be legitimate.
Financial institutions are (as you would expect) set up to combat this kind of fraud. Fraudsters are therefore incentivised to target organisations that do not expect to be the victim of this form of fraud and don’t have the same protections in place as a result.
Protection is better than cure
In-house lawyers should make it their business to ensure those on the front line of their organisation have the tools they need to prevent these problems before they happen. Inductions and ongoing training should take account of the kind of tactics an employee may face in their day-to-day role. Temporary staff and the very most junior employees should be at the forefront of these plans; reliance on ”cascading” from managers is likely to leave the staff members most likely to be targeted least equipped to resist them. Summer is often a favoured time to strike as fraudsters take advantage of experienced staff being on holiday. If your organisation has survived unscathed this summer, it may be a good time to assess if it has the correct procedures in place for next year.
Sharing information with other organisations is possibly the most potent weapon in the public sector’s armoury. Unlike in the private sector, it should be in every public body’s interest to help other bodies protect themselves from fraud. Using official channels where they are available, and informal ones where they are not, is likely to be key in the fight against fraud.
Andrew Little is a member of Hill Dickinson LLP’s Commercial Litigation team. He regularly acts for a number of large public bodies.