Bank impersonation fraud is when a fraudster impersonates someone from the bank in order to trick a victim into making payments to a fraudulent account.

What a fraudster might do:

• A fraudster usually calls their victim, though may use email or another contact method. It’s likely they already know information about the victim, including their name and who they bank with.
• While impersonating the bank staff member, the fraudster might tell the victim their account is under threat and they need to make payments to a “safe account” or set up payments in order to “block the funds”.
• The fraudster might ask for details from the Digipass so they can access the account and make payments to the fraudulent account themselves.
• The fraudster might ask the victim to download screen sharing software so they can view or control the victim’s computer. This can make it easier to take control of the account.
• In any scenario, the fraudster will foster a feeling of panic in order to get the victim to comply with their requests as quickly as possible.
• Fraudsters might also impersonate other well-known, trusted companies such as Microsoft, Apple, BT or HMRC.

What Triodos Bank will never do

• We’ll never call you to tell you to log into internet banking or to make a payment to a “safe account”. If we believe your account to be under threat, we can block the account ourselves and do not need you to do anything from your end.
• We’ll never ask you for your full Digipass number or your Digipass PIN.
• We’ll never ask you to download any software onto your PC or mobile phone.

What you can do to protect yourself

• Never give out your personal details to someone who has called you unexpectedly.
• Never download any software onto your PC or mobile phone when asked by someone over the phone or by email – even if you think you are speaking to a trusted organisation.
• Never give anyone your Digipass number or your Digipass PIN. Triodos will never ask for this information.
• Do not let someone else use your Digipass – even a colleague or family member. Your Digipass is assigned to you as an individual and must only be used by yourself. If you leave your place of work, please let us know and we can arrange for your Digipass to be cancelled.
• If you are unsure about someone who has called you claiming to be from the bank or another company, hang up and call back on the company’s published telephone number.

This is when fraudsters send fake invoices claiming to be from a real business you work with. Sometimes they hack the emails of your supplier to send the invoice, so the email address is genuine, but the payment details are changed to those owned by the fraudster. It’s sensible to call your suppliers on the number on their website to verify their payment details before you pay new account details for the first time.

Steps you can take to protect against invoice fraud:

• Check invoices carefully
  All staff who process supplier invoices and have the authority to change bank details should check supplier names, addresses, invoice amount and bank details to ensure they’re correct.
• Verify payment changes
  If a supplier asks to update their payment details, always verify it with them by calling the number on their website.
• Follow up invoice payments
  When you pay a supplier invoice, let the supplier know the payment has been made, confirming the amount and bank details paid into.
• Check bank statements carefully
  Report all suspicious debits to your bank immediately.
• Call suppliers back
  If you are suspicious about a phone request, say you’ll call the supplier back. Use the number published on their website or saved to your phone so you know it’s the genuine number you’re calling.
• Review public information about your suppliers
  Fraudsters often thoroughly research suppliers of organisations so that they can convincingly impersonate them. It may be a good idea to remove any information about your suppliers from your website and other public materials.

It can be very difficult to spot a fraudulent call. The best thing you can do if you get an unexpected call – especially if the person is asking you to make a payment or move funds, or rushing you to make a decision – is to call the organisation back on the number published on their website.

Fraudsters may call you or someone in your team and pretend to be a well-known business like BT, the bank, HMRC, the police, a supplier or even another person in your business.

Examples of what a fraudster might ask you to do:

• Move your money to a safe, secure holding account
  Fraudsters often call businesses pretending to be from their bank. They may ask you to move your money to a safe account because of suspected fraud or risk to your account. In reality, this ‘safe’ account is controlled by the fraudster. Hang up and report it to Action Fraud UK and your bank.
  
• Change the payment details of one of your suppliers
  Fraudsters often impersonate suppliers and ask businesses to pay into a new account – controlled by the fraudster. Check the caller is genuinely your supplier by calling back on the number on their website or, better still, by calling your direct contact at the company.
• Download something – software, a programme, app or other online tool
  Fraudsters may tell you there’s something wrong with your computer and it’s not secure. By downloading some software, they’ll be able to fix it for you. They might even offer you compensation or a refund for this inconvenience. In reality, the downloaded software could give them access to your computer. They may ask you to log in to your internet banking so they can issue your refund, when really they’re asking you to authorise payments into their own account. Triodos will never call you out of the blue and ask you to transfer money into another account, or download something onto your device.
• Tell them your Digipass codes
  Your Digipass codes give permission for money to leave your account. Never give these codes, no matter what they tell you. We will never ask you for these codes.
  

CEO Fraud is when cyber criminals hack into company email accounts, or set up a fake personal email account, to impersonate the CEO, Managing Director or senior staff and ask an employee to make payments to an account managed by the fraudster. They’ll typically target a company's finance department, but may also target other employees who have authority to make payments.

Usually the request sounds urgent, to panic the employee into acting without thinking and going through the usual checks and balances. The kinds of payments they’ll ask you to make are invoices for a supplier, utility or service, or products the company needs.

Fraudsters try getting money from organisations by sending fake emails and texts to gain access to their internet banking details. It can be difficult to spot a fraudulent email, but there are things you can check for clues it’s a fraudulent email.

• Check the sender email address
  Always check the sender’s email address to make sure it’s from the person you think. Fraudsters can change the ‘From’ name so it can look like it’s come from your bank, or a person’s name. If you hover over the name, the sender’s email address should be displayed. If it’s a company email address, an online search of the email address will often tell you if it’s a genuine address.
• Call the sender
  If you get an unusual request from someone you know, asking you to transfer money or download something onto your computer, and the email address looks genuine, there’s a possibility their email account was hacked. To be safe, it’s best to call them to make sure they sent the email and really made the request.
• Look for spelling mistakes
  Scam emails can often look odd, with a messy layout and spelling mistakes.

Common email and text scams to look out for:

• CEO fraud
  Fraudsters email employees pretending to be the owner or CEO of the organisation, asking them to make a payment or transfer.
• Supplier fraud
  Fraudsters pretend to be your supplier letting you know their payment details have changed.
• Invoice fraud
  Fraudsters send fake invoices claiming to be from a real business you work with. Sometimes they hack the emails of your supplier to send the invoice, so the email address is genuine, but the payment details are changed to those owned by the fraudster. It’s sensible to call your suppliers on the number on their website to verify their payment details before you pay new account details for the first time.
• Pretending to be a business
  In these messages, texts or emails, you might be asked to click a link that takes you to a fake website – for example, the website might claim to be the Triodos Bank website (See ‘How to check that a website is genuine’). On this site you could be asked to give your internet banking details. We will never send you a link to the login pages of internet banking.
• Spyware in links
  Some scam emails ask you to download something onto your computer or network – this could be a link to a website or an attachment. This tool could spy on your computer or lock you out until you pay a ransom or reveal your bank security details.
• Smishing (fraudulent text messages)
  These are text messages that appear to be from well-known businesses, claiming you need to click the link to update your details. Often the links are disguised with short links – like bitly links, e.g. https://bit.ly/2kwosxu. Tempting as it is to use the link, contact the company using the details on their website to verify that they sent the text, and that it’s safe to click on the link. Fraudsters will impersonate these companies to obtain your valuable information.
  

Criminals are experts at impersonating people, organisations, and the police. They spend hours researching you for their scams, hoping you’ll let your guard down for just a moment. Stop and think. It could protect you and your business’ money. Before making a payment, follow the advice fromTake Five to Stop Fraud:

• Take a moment to stop and think before parting with your money or personal information. It could keep you safe.
• Ask yourself, could it be fake? It’s ok to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.
• Do your research and be suspicious of any too-good-to-be-true offers or prices.
• Remember, your bank or the police will never ask you to transfer money to a safe account.

When you are making a payment:

• Always follow any advice or warnings from your bank or payment service provider.
• Your bank might ask you extra questions about a payment. This is to help keep you safe. Always answer these questions truthfully. If someone is asking you to lie or telling you what to say to your bank, then it’s very likely to be a scam.
• It might take slightly longer for a payment to leave your account. This is so we time to do extra checks to keep you safe from fraud.
  

No-one wants to imagine that one of their employees would commit fraud, but sometimes this happens. There are a few things you can do to protect your organisation:

• Never share your Digipass or PIN
  Digipasses are unique to each account operator, so if you allow someone else to use your Digipass it will be recorded as a payment authorised by you. If you have new staff or need to change an account operator, download the Business Banking change of account operator form and post it to Freepost TRIODOS BANK. We can set up each new staff member with their own Digipass and internet banking access. If you remove an account operator, please send the Digipass back to us.
  
• Employee checks
  Review your recruitment procedures and ensure you’ve got appropriate checks and references in place for candidates hoping to join your organisation, such as criminal record checks and references from previous employers. See the ACAS website for advice.
  
• Be aware of who has access to sensitive information
  Regularly check who can access important data and systems, such as customer or membership data, or financial information. When employees leave your organisation their access should be stopped. Access should only be given to employees who really need access to these systems or data.
• Create a whistleblowing policy
  This can support your employees to anonymously report suspicious activity they see in the organisation. Promote the policy so all staff feel confident and safe in reporting suspicious activity. For more advice on whistleblowing, see the gov.uk website.
  

Business (or corporate) identity theft is a type of fraud that involves a criminal stealing a company’s identity and using it to buy goods and services by establishing lines of credit with banks or retailers.

Organisations are often targeted because:

• They have bigger account balances
• They have higher credit limits
• Making large payments regularly isn’t suspicious
• Information is often freely available on their website or on the internet

How to protect yourself:

1. Protect company information
   Don’t share anything about your business online or publicly that could put your organisation at risk. Write a policy for your staff that includes guidance around social media use. Educate your employees about business identity theft so that they know what to look out for, how to help avoid identity theft, how to spot it and how to report it to minimise the impact.
2. Regularly review accounts
   Regularly review all account statements, credit reports, and business registration information.
3. Install security or anti-fraud software
   Invest in software that can assess risks and help identify fraud or suspicious activity.

We’ve created this online resource to help you protect your business from fraud.

Share it with your team and regularly review it to help you protect what’s important to you.

We recommend that you:

• Review who can authorise payments and how much
  Review your internet banking payment limits and authorisation in your internet banking or by calling us. Confirm how many people have a Digipass and access to your internet banking. A Digipass should never be shared - please request a Digipass for every individual who requires access to internet banking. What levels of authorisation do payments need? Decide if you want two people to authorise a payment over a certain amount to ensure each payment is double checked. We can set this up to suit your needs.
• Create a training schedule
  Regularly educate your employees about fraud risks to help them spot and handle fraud. You can share resources like our how-to guides, and signpost them to websites like Action Fraud UK. In-house training could include regular emails about fraud, test emails to practise how to spot a fraudulent email and how to respond, and yearly refresher workshops. The training is not about scaring your employees, but helping them feel in control when they suspect fraud, and confident in how to respond.
• Introduce a payment process
  Create a process document that outlines all the steps that should be taken to authorise a payment, including checking the authenticity of the payment request and payment details.
  
• Introduce a fraud policy
  Make a policy that clearly outlines how employees can use their work devices, and ensure they understand it and follow it carefully. Your employees should never download apps, software or programmes onto their work devices or click on links in suspicious emails or messages. They should also be sensitive about what they share on social media and what they email to their personal email addresses from their work account.
  
• Install anti-fraud software
  There’s plenty of software you can use to help you assess risks and detect fraud, including alerts for risky activity on a corporate device. Having up-to-date anti-fraud software reduces the risk of cyber attack, malware, ransomware, data breaches and ultimately losing the business money.

You can also find in-house training at:

• Gov.uk
  
• National Business Crime Centre
  
• The National Cyber Security Alliance (NCSA)