IBAN fraud: What can merchants do to prevent fraud?



IBAN fraud, also known as bank fraud or fake transaction fraud, is where fraudsters try to fool victims into thinking they are making a legitimate transaction to a bank account, but in reality they are transferring money to malicious third parties.  

Today, fraud represents losses of €42 billion a year in France, across all sectors. 

In addition, it increased by 100% in 2022! 

IBAN fraud is a particularly sensitive issue for merchants. They need to make sure that the bank details entered by their customers on their website have been checked to ensure that direct debits are carried out correctly. 

Despite all their vigilance, scams and identity theft are becoming increasingly common in France and internationally.

What can merchants do to avoid this type of fraud? 

That’s what we explain in this article, so that you can protect yourself against this type of scam.

How does IBAN fraud affect merchant sites?

An IBAN (International Bank Account Number) identifies a specific bank account. 

It consists of a maximum of 34 characters, or 27 within France, starting with the country code “FR” and ending in two check digits.

It goes without saying that these bank details can be used to carry out financial transactions, such as credit transfers, i.e. to send and receive money. 

However, before a direct debit can be made from an account, a mandate must be signed by the account holder. 

SEPA Direct Debits offer companies a quick and effective solution to manage their payments automatically. 

To avoid the IBAN being used illegally, a signed SEPA mandate is mandatory, and some solutions like ours offer your customers an electronic signature to make setting up a direct debit even simpler.

But at what point in the payment process are you likely to come across IBAN fraud? 

Here are some concrete cases of IBAN fraud: 

  • Identity theft: this is when a fraudster obtains and uses personal data, including bank details, from a victim to carry out a fraudulent online transfer.

    → A common example of identity theft in the payments sector is account theft.
  • Fake bank details: a new financial scam that has been on the rise in recent years, in which fake bank details are introduced by hacking mailboxes.

    → The scammers intercept emails sent or received before they are opened by the recipient. They alter the attached bank details and the sender’s address in the intercepted email, then forward the modified message to the recipient.

    → When the victim makes the credit transfer using the modified bank details, the funds are transferred to the fraudster’s bank account instead of that of the company or individual to be paid.

In August 2022, the gendarmes in Annœullin (France) warned of a scam that was increasingly causing havoc! It was none other than the fake bank details scam, or IBAN fraud.

  • In-house fraud: within your own teams, you may unfortunately be faced with fraudulent transactions, for example when an account number is changed in order to update a mandate.

    → Instead of entering the new bank account details received, the fraudsters enter their own IBAN and misappropriate the funds.
  • Dummy IBAN creation: malicious individuals can take advantage of fraudulently created dummy bank account numbers to carry out illegal or deceptive activities.

How to prevent IBAN fraud

At SlimPay, we recognise that finding the right balance between fraud detection and optimising the user experience is a real challenge for merchants.

However, we would like to reassure them that there are several types of check that can be carried out on an IBAN:

  • Structural check of the IBAN: this check can be carried out online when the subscriber is asked to enter their bank details on the SlimPay Checkout page.

    → Data entry errors are detected immediately and subscribers can correct their IBAN directly online.
  • Check that the bank and branch codes are valid: as a Payment Service Provider, we check the validity of the BIC (Bank Identifier Code) and the branch code in the IBANs entered by using the IBAN Plus bank directory from SWIFT.

    → This anti-fraud process is designed to prevent fraudsters from using dummy IBANs created on dedicated platforms.
  • Check that the IBAN is “reachable”: professionals sometimes forget this, but not all European banks accept SEPA payments.

    → SlimPay also ensures that the account number entered is “SEPA reachable”. This means that the new subscriber’s bank will accept SEPA Direct Debits.

    → This check limits the frequency of RC01 type rejections (BIC incorrect).

With this triple check, we can considerably reduce the risk of payment failure due to malicious transactions.

These checks are carried out on all IBANs used for payment and throughout the customer journey, i.e. each time a user enters their IBAN data on the SlimPay Checkout page, or a mandate is modified or uploaded by the merchant onto our platform. 
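The structural check from the list above, as an added Python example (not SlimPay's code): it enforces the country-specific length and the mod-97 checksum carried by the IBAN check digits in positions 3 and 4, then extracts the French bank and branch codes that a directory lookup would be keyed on. The function names are hypothetical, the length table is an assumed excerpt of the full registry, and the sample IBANs are public specimen values.

```python
import re

# Assumption: excerpt of per-country IBAN lengths; a real check loads the full registry.
IBAN_LENGTHS = {"FR": 27, "DE": 22, "ES": 24, "IT": 27, "NL": 18, "BE": 16}

# Specimen IBANs widely used in documentation, not real customer accounts.
SAMPLE_FR = "FR14 2004 1010 0505 0001 3M02 606"
SAMPLE_DE = "DE89 3704 0044 0532 0130 00"


def normalize(raw):
    """Remove the spaces people type for readability and upper-case the rest."""
    return re.sub(r"\s+", "", raw).upper()


def check_iban(raw):
    """Structural check only: returns (ok, reason). Says nothing about who owns the account."""
    iban = normalize(raw)
    if not raw.isascii() or not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}", iban):
        return False, "malformed"
    expected = IBAN_LENGTHS.get(iban[:2])
    if expected is None:
        return False, "unsupported country"
    if len(iban) != expected:
        return False, "wrong length"
    # Mod-97 check: move the first four characters to the end, map A-Z to
    # 10-35, and the resulting integer must leave remainder 1 when divided by 97.
    rearranged = iban[4:] + iban[:4]
    number = int("".join(str(int(ch, 36)) for ch in rearranged))
    if number % 97 != 1:
        return False, "checksum"
    return True, "ok"


def french_bank_and_branch(raw):
    """For a structurally valid FR IBAN, return (bank code, branch code), else None.

    These two 5-digit fields are what a directory lookup (the second check
    in the list) would be keyed on; the lookup itself is not shown.
    """
    ok, _ = check_iban(raw)
    iban = normalize(raw)
    if not ok or not iban.startswith("FR"):
        return None
    return iban[4:9], iban[9:14]


if __name__ == "__main__":
    for candidate in (SAMPLE_FR, SAMPLE_DE, SAMPLE_FR[:-1] + "7", "FR14 2004"):
        print(candidate, "->", check_iban(candidate), french_bank_and_branch(candidate))
```

A pass here only shows that the string is well formed; anyone can generate an IBAN with a correct checksum, which is why the directory, reachability and account-holder checks still matter.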

Lastly, our SlimCollect Verify module enables you to collect a verified IBAN directly from your customer’s bank. 

In practice, we can check that the account number matches the identity of the account holder. 

In the event of a mismatch, we forward the information to you for verification.

Note that the French government offers the FiligraneFacile platform, a service in beta mode that allows you to add a watermark to a document before sending it. 

This solution could be used by customers of e-commerce sites when sending their bank details. 

This is probably a palliative rather than a curative solution, but it does mitigate the risk of fraud initially, although it will require in-house resources if it is to be implemented on an industrial scale.
