Special Report: Attack of the payroll clones

Fraudsters are cloning umbrella companies and then contacting recruitment companies with new bogus bank details.

When is imitation not the sincerest form of flattery? Answer: when your company is cloned. This is the situation a number of umbrella companies appeared to find themselves in recently when companies with names similar to theirs were registered at Companies House.

Among them was Clarity Umbrella, whose owner and founder, Lucy Smith, told Recruiter that a company was initially registered with the name Clarity Umbrela (with one ‘l’) Ltd. She contacted Companies House and was informed this had since been changed to Clarity PAYE and was told it was sufficiently different from her company name.

“The fact that something similar had happened to several umbrella companies with the same director’s name showed that something was not right,” said Smith, explaining that she then took to social media to voice her opinion and alert her network to what was happening. “I said ‘this is not Clarity’ and we all need to raise awareness so this becomes too hot to handle.”

Phil Pluck, CEO of the Freelance & Contractor Services Association (FCSA), which is currently investigating the situation, explains that having created the clones on Companies House to gain legitimacy in the “eyes of the unwary”, the fraudster’s final act is to contact numerous recruitment agencies – whose PSLs are openly available to view – and then inform them that their preferred umbrella company has changed its banking details, because of any one of the following:

  • a criminal hack has been attempted on its current bank account
  • change in directors/ownership has taken place, hence the need for new accounts
  • the bank has offered a more secure portal account, so the details are new.

“The fraudster then goes on to assure the agency through VAT registration documents, Companies House numbers, and details of current banking arrangements, so that the avenue for a sophisticated theft is now totally open.”

The cloner’s attempts to build legitimacy also included scraping social media and professional networks and job boards to access personal information. It also emerged that some contractors were being contacted by the clones offering them preferential terms such as 85% take-home pay.

Julia Kermode, founder of IWORK, which provides a range of resources to support all types of independent workers, and former CEO of FCSA, believes it is a concerted effort by somebody to undermine the umbrella industry. Clearly, Kermode is extremely well-informed and able to spot the incorrect details of many of the companies in the sector but, as she highlights, without that knowledge it is easy to be duped. “They are sometimes changing one or two letters and, for example, have listed one company as LLP. I know that isn’t the case but a recruitment agency may not know that level of detail,” she says.

At the time of writing, Pluck said he knew of only one successful attempt so far, in which £60k of umbrella fees was transferred out of a recruitment agency to a false bank account, but he warns: “This practice is also happening further up the supply chain where recruitment firms are being cloned in order to bring on board innocent job applicants and contractors.

“Vigilance is the key to preventing an actual cloning attack alongside robust IP protection of your brand should you need to take action if cloning has already taken place.”

Further harm must be prevented by ensuring those behind the clones don’t get access to bank details and the onus is on recruitment agencies to undertake due diligence in any dealings with umbrellas, especially in conversations over money transfers.
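
The name changes described in this report (a dropped letter, an added "PAYE" or "LLP") can be flagged automatically when a supplier name arrives in an email or on a form, before anyone touches payment details. The Python below is an added example, not part of the original article or of any tool it mentions; the PSL contents, the list of generic words and the 0.85 similarity threshold are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Legal-form and service words a clone can add, drop or swap without changing
# the brand a reader sees. This list is an assumption made for the example.
GENERIC = {"ltd", "limited", "llp", "plc", "paye", "payroll", "account",
           "umbrella", "services"}

# Constructed PSL holding the two genuine names mentioned in the article.
PSL = ["Clarity Umbrella", "Pendragon Consultancy"]


def tokens(name):
    """Lower-case the name and split it into alphanumeric words."""
    return re.findall(r"[a-z0-9]+", name.lower())


def brand_tokens(name):
    """Words left once legal-form and service words are removed."""
    return [t for t in tokens(name) if t not in GENERIC]


def near(a, b, threshold=0.85):
    """True when two words are identical or differ by a letter or two."""
    return SequenceMatcher(None, a, b).ratio() >= threshold


def classify(claimed, psl=PSL):
    """Return ('listed' | 'lookalike' | 'unknown', matched PSL name or None)."""
    claimed_tokens = tokens(claimed)
    for trusted in psl:
        if claimed_tokens == tokens(trusted):
            return "listed", trusted          # exact spelling as held on the PSL
    for trusted in psl:
        brand = brand_tokens(trusted)
        # Every brand word of the trusted name appears, possibly misspelt,
        # but the full name is not the one on file: hold for verification.
        if brand and all(any(near(b, c) for c in claimed_tokens) for b in brand):
            return "lookalike", trusted
    return "unknown", None


if __name__ == "__main__":
    for name in ["Clarity Umbrella", "Clarity Umbrela Ltd", "Clarity PAYE",
                 "Pendragon Consultancy LLP Ltd",
                 "Pendragon Consultancy Ltd Payroll Account Limited",
                 "Northgate Staffing Ltd"]:   # last name is constructed
        print(f"{name!r:55} -> {classify(name)}")
```

A "lookalike" result only means the name is close to a listed supplier without being the spelling on file; it is a prompt to go through the agreed contact and transfer protocol, not a verdict.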

Check, check and check again

Robust checks need to be in place, and Pluck recommends that each company in the supply chain should have a single point of contact (SPOC) who carries agreed passwords; if any banking details are to be changed, then this platform should be the first stage in any changes.

“Where money transfers take place from end client to agency or agency to umbrella then very strict transfer protocols should be in place and should always be a double or even triple check system. Passwords should be used and be highly restricted, transfers should be confirmed immediately on both sides and never change banking details from any party in the supply chain unless a separate protocol has been agreed and is acted upon.

“Always query any calls coming in to make banking changes or indeed providing supporting documents. AI is now becoming so sophisticated that there is emerging software that can replicate voices and indeed images in remote meeting platforms hence the need to have multiple protocols if any changes are made.”

Stamping out the cloning activity is a challenge, especially if legal action is prevented because the cloner is operating in an offshore jurisdiction. It is not, of course, a sector-specific problem and happens across all industries but it has come in what has already been a difficult year for umbrellas with a BBC investigation finding that 50,000 mini-umbrellas were operating tax avoidance schemes, which reportedly cost the taxpayer millions.

Kermode describes the timing as interesting in this regard, which is why she remains convinced it is a deliberate attack to further tarnish the industry. That the sector has been targeted is also no surprise given the large amounts of money that are transferred across companies in the supply chain.

As James Poyser, founder of offpayroll.org.uk, which seeks to promote transparency in the sector, points out, the “eye watering amounts of money that flows through” means a cloner wouldn’t have to have a great success rate to make a lot of money. “So it’s always going to attract people looking to exploit this,” he says, adding that the problem is compounded by the fact that it is all too easy to set up an umbrella company in the first place.

“The umbrella market is not regulated so anyone can spring up and be an umbrella company, which means there is very little legal protection against preventing this happening in the first place.”

Offpayroll.org.uk recently launched a new rating system for umbrellas called FairScore, which highlights both ethical, well-run companies and those that are rogue. It also campaigns for regulation in the sector (see Road to Regulation).

Be commercial and compliant

Janet De-Havilland, founder and CEO of Pendragon Consultancy, which are experts in compliance and deliver a range of services in the temporary and contract labour market, is currently working with the authorities and the FCSA following the appearance of two apparent clones: Pendragon Consultancy Ltd Payroll Account Limited and Pendragon Consultancy LLP Ltd. Like Smith, she alerted people on LinkedIn and believes openly discussing it is important.

“If we keep it all quiet, these people will be allowed to work under the cover of darkness and we all need to help to shine a light on it,” she says. “Also, if you’re a client, you would be disappointed if the first time you heard about this issue is when money has gone missing.”

Pendragon carries out compliance audits for clients and she believes compliance lies at the heart of tackling this and other issues the sector faces. She adds that clients are often shocked when they see where the holes are in their processes and systems following an audit. Part of the challenge is that sometimes the person charged with the responsibility for due diligence and compliance isn’t as senior as they should be. Pluck agrees and notes that the fraudsters are often targeting middle grade employees of contractor recruitment agencies, perhaps knowing that senior directors will be on top of what transfer protocols are in place, and “thus smell a rat”.

De-Havilland highlights another issue, too, which is that compliance costs rather than generates money. “When you go into some businesses and ask where compliance is in their hierarchy of importance, you can hear a nervous outburst of laughter,” she says. “Compliance teams are challenged all the time with the ‘we’ve got to get these people out to work, so let’s get on with it’ attitude. But if something goes wrong, things can become much more costly, and you potentially lose the client that you’re trying to help. You’ve failed in your due diligence, and you’ve failed the client.”

The answer, she believes, is moving compliance up the agenda and her desire is to bring it “screaming and kicking” from the back office to ensure it’s on the table of “every senior manager and boardroom director”.

“Yes, you have to be commercial – I’m as commercial as the next person – but I believe you can be good commercially, and you can be good compliantly,” she says.

Robust reporting

Having robust processes in place benefits everyone in the supply chain. De-Havilland also urges contractors to be vocal if something doesn’t seem right and for umbrella and recruitment companies to be supportive of them. “Contractors can sometimes worry that if they raise an issue, they won’t get the job,” she says. “But it is important they report issues that seem unusual or that they have concerns about.”

Kermode agrees that contractors and other independent workers need support and guidance as they will be less able to spot if there is a problem. “They might be looking at umbrellas for the first time and simply won’t know if the product they are being offered is dubious.”

Of course, Recruiter cannot comment on any legal investigations that may be taking place but Charlotte Gerrish, a commercial law and data protection expert and founding lawyer of Gerrish Legal, explains that there are two areas that those affected should explore. If the cloning attack leads to a data breach, this will be covered by GDPR because it applies to companies that process data of UK individuals regardless of where they’re located. “So that could be a route to getting at the cloners,” she says but she also warns that umbrellas need to be vigilant and act quickly if they notice anything untoward so they themselves don’t find themselves liable for a data breach. Gerrish highlights the case of British Airways, which was the target of a cyberattack in 2018 and which remained undetected for more than two months.

The Information Commissioner’s Office (ICO) fined the company £20m for failing to protect the personal and financial details of more than 400,000 of its customers. An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place and the failure broke data protection law. “So those running payrolls need to be alert to cloning, a cyberattack or any activity that could lead to a data breach,” she says.

While it is difficult to stop someone subtly changing a company name on Companies House, Gerrish explains that trademarking provides more protection and this is something that could be considered going forward for those umbrellas that haven’t already done so. “The test is: is what they are doing to names likely to cause confusion to the relevant public – the relevant public in this case being other umbrella companies, recruitment agencies, end-user clients and contractors?” she says. “Adding something like PAYE or anything that references the services delivered would be considered a trademark infringement.”

This still wouldn’t get around the problem if the cloner operates offshore but may be worth considering as good practice going forward for umbrellas that haven’t trademarked their name.

Continuity and resilience plan

The era of digital transformation means that going forward, all organisations in the recruitment supply chain must be alert to known and unknown threats ranging from online scams and cloning attempts right up to sophisticated cyberattacks. In September, Giant suffered a cyberattack, which is still under investigation. It was understood to be a ransomware attack, which is where cybercriminals can potentially freeze operations and demand a ransom payment.

Pluck recommends that organisations imagine the “worst-case scenario” and build a disaster plan around it. “This costs money but there are very clever and legitimate firms who will take you through something called penetration testing. They will, in a safe environment, attack your company with the latest technology and reveal to you where your defences are weak.

“Your IT support should be as active in providing security analysis as they are providing the operating platforms to function.”

And he has a stark message for those who have reservations about investing money in this area: “Imagine the cost to your company if you are actually cloned and or hacked. If your defences are not robust enough and your transfer protocols aren’t tight then a business you spent 10 years developing can be brought down in 24 hours.”
