Mortgage Approvals – June 2015

Banking & Payments Federation Ireland (BPFI) has published the latest figures from the BPFI Mortgage Approvals Report for the three months ending June 2015.

The following are the key elements:

  • A total of 2,525 mortgages were approved per month, on average, in the three months ending June 2015, of which 2,260 (90%) were for house purchase.
  • The number of mortgages approved rose by 11.3% year-on-year and by 2.6% month-on-month.
  • The value of mortgages approved per month, on average, in the three months ending June 2015 was €465 million, of which €432 million (93%) was for house purchase.
  • The value of mortgage approvals increased by 14.5% year-on-year and by 2.9% month-on-month.

Data collection for the BPFI Mortgage Approvals Report began in September 2012 covering the period from January 2011 onwards in respect of the market’s main mortgage lenders. The BPFI Mortgage Approvals Report June 2015 is available on the BPFI website here.

All figures are based on the three-month moving average. Year-on-year compares the average for the three months ending June 2015 with the three months ending June 2014. Month-on-month compares the average for the three months ending June 2015 with the three months ending May 2015.

Ends/

Note: Banking & Payments Federation Ireland is the voice of banking and payments in Ireland, representing over 70 member institutions and associates, including licensed domestic and foreign banks and institutions operating in the financial marketplace here.

Contact: Sinead McGovern, tel. 087 6411725

Invoice Re-direction Fraud

Purpose of Advisory

To advise that a number of businesses in Ireland have recently fallen victim to a scam involving bogus emails being received that purport to be from an existing creditor. The email generally contains a letter as an attachment, the letter purports to notify the receiver of new (amended) bank account details to which all future payments are to be sent.

A PDF version of BPFI’s Invoice Redirection Fraud Alert can be downloaded here.

Key Details

  1. Irish businesses are increasingly experiencing attempted invoice re-direction fraud.
  2. This involves a creditor’s beneficiary details being fraudulently altered.
  3. The business is misled into believing that a beneficiary’s bank account details have been changed and so funds that are due to be paid out are transferred to a fraudulent account.
  4. Attempts such as this could be successful if the change of details request is not confirmed directly with the source supplier- use a phone number from your files, not from the letterhead of the suspect letter.

There are various other measures a business can take to safeguard itself against such fraud. For further details please see below.

Background

There is a growing trend in payment fraud involving beneficiary details being fraudulently altered. This bogus invoice fraud usually involves genuine invoice details being intercepted by unknown means, the beneficiary account details are altered so that payment is redirected to an account under the fraudster’s control. The fraud will usually be discovered some time afterwards when the legitimate company sending the invoice queries ‘non-payment’.

What Are the Tell Tale Signs?

Invoice Re-direction Fraud

The email notifying the change of details may be in the name of someone that the receiver is used to dealing with, however the fraudsters will have created a bogus email account and the sender’s name which will carry a minor variation, see following examples:

james.ryanabcd@hotmail.com (genuine)           jamesryanabcd@hotmail.com (bogus)
liz.smythabcd@stantons.com (genuine)           liz.smythabcd@stantonz.com (bogus)

Fraudsters may then submit bogus invoices. These invoices, and any covering letters, may appear to be printed on company headed paper but are more likely scanned copies from an original document and printed onto paper using a domestic printer so the company logo may appear less sharp and slightly blurred.

Action

Although not exhaustive, some examples of action you can take to protect yourself are:

  • Make a phone call to a known contact within the firm that appears to be requesting fundamental changes in banking details
  • Always confirm change of bank account requests with the company making the change, being mindful not to use the contact details on the letter requesting the change.
  • Look out for different contact numbers and email addresses for the company as these may differ from those recorded on previous correspondence.
  • Consider reviewing change of account details already acted upon where payment is due at a future date and confirming the authenticity of the request.
  • Consider setting up designated single points of contact with companies to whom you make regular payments.
  • Instruct staff with responsibility for paying invoices to be cognisant of checking invoices for irregularities and checking out their concerns with the company requiring payment.
  • Consider setting up a system whereby when an invoice is paid you also send an email to the recipient informing them that payment has been made and to which bank account. Be mindful of account security and consider including the beneficiary bank name and the last four digits of the account to ensure security.
  • Fraudsters may have found information regarding contracts and suppliers on the victim organisation’s own websites. Consideration should be given as to whether it is necessary to publish information of this type in the public domain as it has been demonstrated that it can be used to facilitate fraud.
  • For payments over a certain threshold, consider organising a meeting with the company who are requesting payment, and satisfy yourself that payment will be sent to the correct bank account and recipient.

This is a general notice issued by the Financial Crime and Security Department of the BPFI on behalf of BPFI members.

Disclaimer Note: The information contained in this Fraud Alert /Advisory is for general guidance and for information purposes only and is intended to enhance awareness and vigilance regarding this

Bogus Lodgements

Purpose of Advisory

To advise that a number of banking customers in Ireland have fallen prey to frauds that involve bogus lodgements being credited to Bank accounts, disguised as electronic payments from overseas.

A pdf version of BPFI’s Bogus Lodgements fraud alert is available for download here.

Key Points

Common characteristics identified to date are:

  • A company (the victim) advertises a product for sale (usually on the internet).
  • The criminal agrees to buy goods from the company. The sum involved is usually relatively small (ranging between €2k – €4k).
  • The victim provides details of their bank account to the criminal and asks for the payment to be sent electronically.
  • The criminal sends a counterfeit cheque / draft, usually for the sum of €50k – €130k to the account holding bank with a request that the item be lodged and the accompanying reference number be quoted on the lodgement.
  • The narrative may convey the impression to the victim company that the funds are cleared.
  • The criminal then contacts the victim company advising that they overpaid the invoice and requests that the surplus funds be redirected back to an overseas account.
  • The counterfeit cheque or draft is received back unpaid some days after the above scam has been carried out.
  • The risks associated with brand new contracts entered into with strangers over the internet need to be recognised, particularly where you are asked to send monies to these parties.

Action

  • Should you or your staff receive notice of such an unusual lodgement being made into your bank account, exercise considerable caution.
  • Do not return any funds to the remitter unless / until you are fully satisfied that the underlying transaction is genuine. Overseas cheques can take 4 weeks or more to clear.
  • Have clear procedures in place so that unusual scenarios are handled with appropriate caution and that all instances of suspect incidents are reported to management and to the Gardaí / Police.

This is a general notice issued by the Financial Crime and Security Department of the BPFI on behalf of BPFI members.

Disclaimer Note: The information contained in this Fraud Alert /Advisory is for general guidance and for information purposes only and is intended to enhance awareness and vigilance regarding this.

Social Engineering

Purpose of Advisory

To advise that a number of banking customers in Ireland have fallen prey to frauds that involve various forms of social engineering – where the information required is garnered from a person rather than breaking into a system.

A pdf version of BPFI’s Social Engineering fraud alert is available for download here.

Key Points

1. Phone Fraud Scam

  • Some businesses and individuals have recently fallen victim to a sophisticated phone scam. The fraudster uses an invented scenario to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.
  • An elaborate lie, it most often involves some prior research or setup and the use of this information for impersonation to establish legitimacy in the mind of the target.
  • During the course of a phone call or series of calls, the perpetrators obtain enough information to take control of the victim’s bank account including full details of the online banking passwords following which fraudulent high value payments are made.

2. Email Account Hacked

  • Personal email accounts of some customers (particularly company directors and individuals of high net worth) are being compromised, in many cases as a result of the individual responding to a phishing email.
  • Having gained unlawful access to the company director’s email account, the hacker will familiarise themselves with the email correspondence therein.
  • The hacker will then issue emails from this account, posing as the company director, providing an excuse as to why all contact with him must be by email (“I’m boarding a plane and will be out of reach”)
  • The hacker may then either:
    • Contact the bank purporting to be the company director, and instruct that a payment be made to a fraudulent beneficiary account, or
    • Contact a colleague in the company’s finance department (e.g. financial controller, or some such person) instructing the issuance of a high value payment to a fraudulent beneficiary. In this latter situation, the bank will have been given a legitimate payment instruction by the finance department.

Action

Attempts to ‘socially engineer’ (manipulate) staff into divulging sensitive data, whether this is banking data or some kind of client data, must be recognised by the recipient for what it is – criminal activity.

In order to recognise such situations, all inbound calls/emails that seek any kind of sensitive information (re banking data, transaction data, customer records etc.) or payment instructions should be treated as potentially suspect.

Where a staff member receives payment instructions via email, then enhanced checking procedures should be implemented at all times, e.g. call-backs must be made to ensure that customer emails have not been hacked. No customer information should be permitted to be disclosed via email and payment instructions should only be processed in accordance with existing procedures.

Businesses should adopt robust identification processes and ensure that all calls/emails from strangers who are seeking potentially sensitive information of any kind are handled with appropriate caution and that all instances of suspect calls are reported to management and to the Gardaí/Police.

Always remember: Your bank will never send you an e-mail requesting you bank security details.

This is a general notice issued by the Financial Crime and Security Department of the BPFI on Behalf of BPFI members.

*Social Engineering in this context means techniques of manipulating people to obtain information ( via email or phone calls) or retrieving information from social networks for the purpose of fraud.

Disclaimer Note: The information contained in this alert notice is for general guidance and for information purposes only and is intended to enhance awareness and vigilance regarding this

Trojans/Malware

Purpose of Advisory

The purpose of this note is to make customers aware of Trojans/Malware activity and to implement safeguards in order to protect themselves.

A PDF version of BPFI’s Trojans/Malware Trojans/Malware Security Advisory is available to download here.

Key Points

For business/corporate banking:

  1. There has been heightened activity from new Trojans / Malware variants attacking primarily business banking customers across Europe.
  2. Malware is delivered via an email attachment or a link to infected web site.
  3. Malware can also be disguised as a pdf, a word file or even a Powerpoint file.
  4. Once the attachment is opened, the machine is infected with keyloggers and remote access Trojans.

Action

Ways customers can protect themselves:

  • Keep your PC’s patching up to date.
  • Run a recognised anti – Virus (AV) and anti – malware programme and ensure it is up to date and actively scanning.
  • We advise to carry out your own virus check before opening any attachment.
  • We recommend switching on heuristic scanning option if available.
  • Change passwords regularly.
  • On online business banking review your beneficiary lists and account numbers regularly.
  • Ensure that transaction limits are set at a value threshold equal to or just above your regular payment amount.

Always remember: Your bank will never send you an e-mail requesting your bank security details.

This is a general notice issued by the Financial Crime and Security Department of the BPFI on Behalf of BPFI members.

Disclaimer Note: The information contained in this advisory is for general guidance and for information purposes only and is intended to enhance awareness and vigilance regarding this