Anti Fraud Procedures

(How to treat your new clients like potential criminals, without offending them)

Different scenarios require different strategies but if you’re talking to someone you don’t know, following these procedures will vastly reduce your risk.

New Contacts at Known Companies

“Hi – it’s Sam from the BBC here,  we’re looking for blah blah blah to be delivered direct to a shoot this afternoon….’

  • For phone requests, don’t complete the booking in the first call. Under any pretext whatsoever, take contact details, then find the publicly advertised number for the company, call the switchboard and ask for the person you’ve just been speaking to.
  • With email requests, just check the full email address. Is it from an appropriate corporate email account that matches the company web domain? If not, follow step 1.
  • If you cannot be connected to the person you have spoken to, or to someone at the publicly advertised number, who can verify that the person who called is real, out on location and authorised to book kit, don’t take the booking.

 

Unknown Clients

 

Get their details then check as many of the following as are possible or relevant.

 

PHONE NUMBER:

  • If they give you a mobile, ask for a landline also.
  • Look at the landline number – is it a real, geographically identifiable (ie 0207 or 0161) area code or is it a virtual or non geographic number – (eg 0845 or 0203). Fraudsters often lease virtual lines to give them the appearance of a real office. Be aware though – those virtual lines can  have geographic area codes too.
  • When you phone the landline, does a human being answer – or is it a virtual service which forwards you to mobiles?
  • Look the company up on www.yell.com – is this number the advertised one for the company?
  • If not, call the advertised number for the company and check the person in question really works there.

 

COMPANIES HOUSE DATA:

  • Is it a real limited company?
  • Are they registered where they say are.
  • When were they registered and how long have they been trading?
  • Are their accounts filed – with actual financial accounts as opposed to just a company return or is it a shell company that isn’t actually trading?
  • Are their accounts up to date or is the company dormant?
  • Can they provide ID for the registered address or the address of a company director?
  • IMPORTANT: A listing as a director at Companies House should not be used to verify the legitimacy of a potential hirer. It is possible for somebody’s name to be used to register a company, or be registered as a director of an existing company without their knowledge. We recommend that you contact the potential hirer via ALL his or her other companies to determine if he is aware of a potentially fraudulent registration.With existing companies, be suspicious of new registered directors.  Contact the company to verify that he or she is legitimate.

 

TRADE REFERENCES:

  • Do you know the trade reference personally? If not….
  • Is the trade reference a real limited company?
  • Is the trade reference registered where they say are registered.
  • When was the trade reference registered – how long have they been trading?
  • Are their accounts filed – with actual financial accounts as opposed to just a company return or is it a shell company that isn’t actually trading?
  • Don’t take mobile numbers or personal emails for trade references.
  • Phone the publicly advertised number for the company and then ask for accounts or the business manager to ensure that the person providing the reference is actually qualified to do so.

EMAIL:

  • Is it written by a grown up who knows what they’re talking about and can spell basic words correctly?
  • Does the email address match the web domain for the company? Be dubious of free email accounts like hotmail, gmail, gmx, hushmail.
  • If in doubt, google the email address and look for industry activity from that person.
  • IP addresses – have a look at the long headers for the email and seek out the originating IP, then go to www.robtex.com and enter that IP into the search box. Look at the robtex whois page for it.
  • Is it a legit mailserver for the company, or a geographically appropriate business assigned IP?
  • Or is it a wifi hotspot or mobile broadband? Fraudsters often email from 3G or 4G or BT Openzone or cloud wifi, which makes tracing the origin difficult unless you get GCHQ on your side. But if you do see that the email came from a BT hotspot then ask yourself if Sam from the BBC would  be emailing from a cafe.

 

WEBSITE:

  •  IF YOU’RE IN ANY DOUBT ABOUT THE CLIENT, USE A BROWSER WITH SOME SAFETY FEATURES ENABLED TO VIEW THEIR WEBSITE. These will disable scripts which might be used by fraudsters to try and get sensitive data. Remember these fraudsters are involved with ID thefts, so this is a real risk.
  • See rule one and actually heed it. I’m really not kidding.
  • Look at the content. Is it the real website of an operating company? Does the content belong to them – if there’s video, follow it to vimeo or youtube and check it’s actually posted by them.
  • Do the social media links follow to real accounts with plenty of history and activity that is industry relevant?
  • Look them up on Linkedin and look for contact info or web info.

 

WEBSITE WHOIS DATA:

 

  • When was the domain purchased and by whom?
  • What’s the renewal interval – fraudsters only buy one year, real companies usually buy five.
  • What’s the address it’s registered to, get on google map and street view and have a nosey. Also go on right move or zoopla and see if that place is currently or recently been available to let.  It’s not at all uncommon for rental flats to get used as a way to get mail delivered somewhere. New tenants probably won’t think twice if somebody turns up looking for their mail and while a flat or house is lying empty any number of people – tradesmen, letting  agents etc might have access to keys.
  • Is it the website registered to the company address or a registered company director’s address or a web management company?
  • If not and the domain is registered to an unrelated personal address then ask the client who this person is and what relation the address is to them. Ask for ID relating to that address. Fraudsters often buy the websites with stolen or made up details and won’t be able to provide comprehensive ID for that person or address.

INSURANCE AND ID:

  • Is it a real policy? Call the insurer and check.
  • Are emailed scans of ID or insurance actually scans? On a mac right click and go to ‘get info’ and on a pc right click and select properties then go to the second tab. What software was used to make the file, when was the file created, is it a real scan or has it been made with photoshop or illustrator?
  • Does it match other addresses you’ve been given?
  • Is the ID you’re being given for the person that’s paying and booking? If not, why not?
  • Make them pay on a card that is registered to an address they can prove they inhabit.

 

If in doubt, just ask yourself how any of it will sound when you’re sitting with the loss adjuster.

 

Comments are closed.