Do we need better thought control? 

Schools, charities, universities, banks, individuals, law firms and many companies, big and small. Grant Thornton’s Data Breach Response team have worked with every one of these types of organisations in recent months helping to investigate and prevent the increasingly prevalent “Payment Diversion Fraud”.

City of London Police says of this crime: “this is the most harmful problem that businesses report to us.”

These cyber frauds are not terribly sophisticated, but they cost businesses millions of pounds, billions annually. Prompt and effective investigations can rapidly contain and mitigate ongoing incidents, but often the money has already left the building and been laundered through bank accounts around the world.

For those that didn’t attend class, payment diversion frauds typically start with social engineering, cyber intrusion, or a combination of the two, followed by lateral movement within the business and its data environment to find a way to change banking details from legitimate to illegitimate. The victim then willingly pays the cyber criminals’ account, and it may be weeks or months before the fraud is identified. By then the funds are typically long gone, layered into other funds or jurisdictions that make them difficult (although not impossible!) to recover.

These frauds often start with a “spear-phished” (targeted via social engineering) request to change bank details for an invoice or account. But more sophisticated criminals can find means to “interject” themselves into your systems, as simply as sending you an email from a doctored, look-alike address used in place of the real one, by stealing a password, or with sophisticated malware.

In our work we have identified several steps that can greatly reduce your risks:

  • Be alert to the risks! The fraud is increasingly common but generally leverages human weaknesses to overlook detail. Train and test!
  • Audit and address controls, particularly around making and changing payments. Implement behavioural analytics systems, or even simple “Four Eyes” checks, so that more than one individual must approve potentially costly changes to payment/bank details.
  • Be wary of opening attachments, links and any request for your passwords (including Google Drive, Dropbox etc). Check that your IT security catches known and potentially fraudulent anomalies (firewalls, DLP, IDS...)
  • Train your suppliers/parents/customers on your new and improved systems to make them wary of fraudulent emails appearing to come from you – good hygiene can include sending them password-protected documents with passwords available through a “Two Factor” system such as a parent/supplier portal.
  • Invest in “typo-squatting” prevention: this can include registering domains that are similar to your own, to stop the criminals from doing so (domains are very cheap, fraud is not!), and cyber alerting systems such as our Managed Response Services, that can help alert you to criminal chatter about your business.
  • Money gone is not necessarily lost. Speak to our Asset Tracing Team to see if we can recover your lost assets.
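The “Four Eyes” control in the second point above, as an added example written for this page (not Grant Thornton’s code or any product of theirs): a bank-detail change is only applied once two distinct approvers, neither of them the requester, have signed off, and the new details have been confirmed by a callback to the phone number already on file for the supplier, never a number supplied in the change request itself. The supplier, names and numbers are constructed for illustration.

```python
"""Added example (not the page's own code): a minimal dual-control workflow for
changes to supplier bank details. All names, roles and data are constructed."""

from dataclasses import dataclass, field


@dataclass
class Supplier:
    name: str
    sort_code: str
    account: str
    known_phone: str  # number from the original onboarding record, not from any email


@dataclass
class BankDetailChange:
    supplier: Supplier
    new_sort_code: str
    new_account: str
    requested_by: str
    approvals: list = field(default_factory=list)
    verified_out_of_band: bool = False
    applied: bool = False

    def approve(self, approver: str) -> None:
        """Record an approval; the requester and repeat approvers are rejected."""
        if approver == self.requested_by:
            raise PermissionError("requester cannot approve their own change")
        if approver in self.approvals:
            raise PermissionError(f"{approver} has already approved this change")
        self.approvals.append(approver)

    def record_callback(self, phone_used: str) -> None:
        """Verification only counts if the call went to the number already on file."""
        if phone_used != self.supplier.known_phone:
            raise ValueError("callback must use the phone number on file, not one from the request")
        self.verified_out_of_band = True

    def apply(self) -> bool:
        """Apply the change only when both controls are satisfied."""
        if len(self.approvals) < 2:
            raise PermissionError("two distinct approvers required")
        if not self.verified_out_of_band:
            raise PermissionError("new details not verified by callback")
        self.supplier.sort_code = self.new_sort_code
        self.supplier.account = self.new_account
        self.applied = True
        return True


if __name__ == "__main__":
    # Constructed walk-through: a change requested by alice, approved by bob and carol
    acme = Supplier("Acme Ltd", "12-34-56", "12345678", "+44 20 0000 0000")
    change = BankDetailChange(acme, "65-43-21", "87654321", requested_by="alice")
    change.approve("bob")
    change.approve("carol")
    change.record_callback("+44 20 0000 0000")
    print("applied:", change.apply(), "->", acme.sort_code, acme.account)
```

The two rules that matter most are the ones the criminal relies on being absent: the person who received the “please update our bank details” email cannot be one of the approvers, and the callback number comes from your own records rather than from the request.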
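The typo-squatting point above, and the doctored look-alike sender addresses mentioned earlier, as one added example written for this page (not Grant Thornton’s code or any product of theirs): it generates the common look-alike forms of your own domain (omitted, transposed, repeated or substituted characters, digit-for-letter homoglyphs, inserted hyphens, alternative TLDs) so that you can register or monitor them, and uses the same list plus a small edit-distance check to flag inbound sender addresses whose domain is a near-miss for yours. The domain `examplecorp.com`, the TLD list and the sample addresses are constructed for illustration.

```python
"""Added example (not the page's own code): generate look-alike variants of your
own domain and classify inbound sender addresses against them. The domain,
TLD list and sample senders are constructed for illustration."""

import string

# Digit/letter swaps that look alike in many fonts (constructed, extend as needed)
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "m": "rn", "w": "vv", "a": "4", "e": "3"}
# TLDs to check for each label variant; match this to your own registrations
TLDS = ["com", "co.uk", "net", "org"]


def label_variants(label: str) -> set:
    """Return common typo-squat forms of a domain label (the part before the TLD)."""
    out = set()
    for i in range(len(label)):                      # omission
        out.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # adjacent transposition
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):                      # repeated character
        out.add(label[:i] + label[i] + label[i:])
    for i in range(len(label)):                      # single-character substitution
        for c in string.ascii_lowercase + string.digits:
            out.add(label[:i] + c + label[i + 1:])
    for i, ch in enumerate(label):                   # homoglyph replacement
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    for i in range(1, len(label)):                   # inserted hyphen
        out.add(label[:i] + "-" + label[i:])
    out.discard(label)
    out.discard("")
    return out


def squat_candidates(domain: str) -> set:
    """All variant-label x TLD combinations except the real domain itself."""
    label = domain.partition(".")[0]
    cands = set()
    for v in label_variants(label) | {label}:
        for t in TLDS:
            d = f"{v}.{t}"
            if d != domain:
                cands.add(d)
    return cands


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-misses not in the enumerated set."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, own_domain: str, candidates: set) -> str:
    """'internal' for your own domain, 'lookalike' for a near-miss, else 'external'."""
    domain = address.rsplit("@", 1)[-1].lower().strip(">")
    if domain == own_domain:
        return "internal"
    own_label = own_domain.partition(".")[0]
    label = domain.partition(".")[0]
    if domain in candidates or edit_distance(label, own_label) <= 2:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    own = "examplecorp.com"                          # constructed domain
    cands = squat_candidates(own)
    print(f"{len(cands)} candidate look-alike domains for {own}")
    for sender in ["finance@examplecorp.com",        # constructed sample senders
                   "finance@examplec0rp.com",
                   "finance@exarnplecorp.com",
                   "someone@gmail.com"]:
        print(f"{sender:32} {classify_sender(sender, own, cands)}")
```

The candidate list is the one to feed into domain registration or a monitoring service; the classifier is the piece to run on inbound mail before a “please update our bank details” message reaches the accounts team. The edit-distance threshold of 2 is deliberately loose and will over-flag for very short domain names, so tune it to your own label length.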


As our teachers warned us at school, be vigilant, be wary of strangers, and don’t judge every book (and email) by its cover!

Image: Paul Sableman