I have mixed feelings about Ove Arup. On the one hand, they are an engineering company with a strong track record, great achievements, and one of my best friends worked for them for many years. On the other hand, they wrote me a nasty letter threatening legal action after I mentioned their role in the London ‘Garden Bridge’ scandal which involved some VERY dodgy procurement by Transport for London (still have the lawyer’s letter in my files somewhere…)
That scandal was driven by Boris Johnson and Joanna Lumley, two individuals who suffer from poor judgment. At least Lumley is not driven by arrogance, but her public persona gives her more power than she deserves – her ‘support’ for the Gurkhas for instance did not increase global happiness, I’d argue. Anyway, that’s for another day and another website.
Going back to Ove Arup, I tried to resist feelings of schadenfreude when I read that the firm was conned out of more than £25 million last year. Their recently published annual report confirms that the firm (as The Times reported) “revealed in May that it had been the victim of fraud in Hong Kong, with criminals using ‘fake voice, signatures and images’ to convince a member of staff to deposit money into several accounts”. Project delivery was unaffected, however.
This is being positioned as a ‘cyber-attack’, I guess because that is very contemporary and it sounds like the firm is relatively blameless, but really this is a classic invoice misdirection fraud, just enhanced by the use of deepfake technology. A cyber attack uses technology to gain access to a company’s internal systems and data. It does not sound like this is the case here. This is presumably the classic fraud play, which consists of a message to a mid-level finance executive saying, ‘hi, this is your CFO, please send £25 million to this bank account because we’re working on a top secret acquisition project’.
I am not claiming that this is the case here (I don’t want another lawyer’s letter, please) but sometimes this sort of fraud is enabled by someone on the inside, who can claim they were misled but in truth is part of the fraud-committing gang. What it always means is that the firm has been sloppy in terms of its process, systems and training.
So all suppliers and bank accounts (or any other organisations to whom money is going to be paid) should be authenticated and validated before any money is paid to them. Any alleged changes in bank details from an existing supplier must be verified by a phone call to a known individual on an established phone number. (Also, if you’re doing a private transaction through a lawyer e.g. buying a house, and you get an email saying ‘we’ve changed our bank account’ the day before you are due to make the payment, PHONE THEIR OFFICE).
Significant payments should have multiple authorisations. In this case it may have been several payments rather than one £25M hit, but even so, this is serious money, so you must have multiple involvement and sign-off to guard against the lone internal fraudulent collaborator. All staff in roles where they have access to the firm’s money in any way must be trained in the right approaches, processes and policies.
At least this isn’t quite as bad a case as the Essilor Luxottica (huge ophthalmic lens firm) Thailand invoice fraud, where the firm lost up to 190M euros, basically their entire annual turnover in that country. That really was one of the most breathtaking examples of process incompetence I have ever seen in a major company.
So if you work in procurement or finance, do make sure your processes for paying suppliers (or other organisations, or even unknown bank accounts that are supposedly linked to your own organisation) are watertight. In particular, any one-offs, emergency payments and similar must go through a really strong checking and verification process. Just because someone who looks and sounds like your CFO sends you a WhatsApp message telling you that it is vital you help the firm NOW by authorising a payment, you should not rush off and send them loads of cash.
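The controls this post recommends (pay only validated suppliers, confirm any bank-detail change by calling a known contact on the number already on file rather than one supplied in the change request, require several distinct approvers above a threshold, and give one-off or emergency payments an extra verification step) can be written down as a pre-release check. The following is an added example, not code from the post or from any firm mentioned in it; the supplier master data, the £50,000 threshold and the two-approver rule are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed master data held by the paying firm (assumed values, not real).
SUPPLIER_MASTER = {
    "S001": {"name": "Example Consulting Ltd",
             "iban": "GB00EXAM00000000000001",
             "known_phone": "+44 20 0000 0001"},   # number on file before any change request
}
MULTI_APPROVAL_THRESHOLD = 50_000   # assumed policy: at or above this, two distinct approvers
MULTI_APPROVAL_COUNT = 2

@dataclass
class BankChange:
    new_iban: str
    callback_phone: str          # number the verifier actually dialled
    callback_confirmed_by: str   # named known contact who confirmed, or "" if nobody did

@dataclass
class PaymentRequest:
    supplier_id: str
    iban: str
    amount: float
    approvers: List[str]
    one_off: bool = False                       # one-off / emergency payment flag
    bank_change: Optional[BankChange] = None    # recorded change of bank details, if any
    emergency_review_signed_off: bool = False   # enhanced verification completed

def payment_release_check(req: PaymentRequest) -> List[str]:
    """Return the control failures for a request; an empty list means it may be released."""
    failures = []
    master = SUPPLIER_MASTER.get(req.supplier_id)
    if master is None:
        return ["payee is not a validated supplier"]
    if req.iban != master["iban"]:
        chg = req.bank_change
        if chg is None or chg.new_iban != req.iban:
            failures.append("bank details differ from master record with no recorded change")
        elif chg.callback_phone != master["known_phone"] or not chg.callback_confirmed_by:
            # A callback to a number taken from the change request itself proves nothing.
            failures.append("bank change not confirmed by call to established number")
    if req.amount >= MULTI_APPROVAL_THRESHOLD and len(set(req.approvers)) < MULTI_APPROVAL_COUNT:
        failures.append(f"amount {req.amount:,.0f} needs {MULTI_APPROVAL_COUNT} distinct approvers")
    if req.one_off and not req.emergency_review_signed_off:
        failures.append("one-off/emergency payment lacks enhanced verification sign-off")
    return failures
```

A ‘CFO on WhatsApp’ style request (new account, no recorded change, single approver, marked urgent) fails three checks at once, which is the point: no single person can talk it through.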