Invoice fraud is a serious and growing problem. Should you be worried about invoice fraud?
Well, small to medium-sized businesses that don’t have robust fraud prevention systems in place are the primary target. The risks to their accounting departments are far greater than those experienced by larger organisations.
Invoice fraud is now one of the most commonly used forms of digital fraud directed against businesses. As Hilton Baird Collections states in this article:
“According to the Tungsten Network research, more than half of businesses (54%) now see invoice fraud as their single biggest threat.”
The American, UK and Australian governments have given official warnings about the issue. Invoice fraud is what internationally acclaimed author Nassim Nicholas Taleb would call a “black swan” event. A black swan event is an unlikely occurrence that most people don’t expect and that has very large consequences.
For example, the 2008 financial meltdown was a black swan event. Taleb makes the point in his book “The Black Swan” that most people don’t think about black swans prior to them happening, making their effects all the more severe.
But surely, while common, it's for small things like office paper or pens, right? Unfortunately, that is not the case. Businesses are paying quite large sums of money to invoice fraudsters, with little or no hope of ever recouping the money.
As a Computer World UK article states:
“Two businesses that complained of invoice fraud were said to have lost sums around the £1 ($1.5 million) million figure each.”
And once the fraudsters have the money, they very quickly wire it out of the country. So, even if the fraudulent activity is identified immediately after the payment is made, it’s often too late. That’s why it is extremely important to prevent invoice fraud in the first place … the consequences of not doing so are severe.
Most cases don't take the form of cyber hacking or anything as exotic. Instead, fraudsters use social engineering – taking advantage of human nature.
As the Computer World UK article states:
“While the fraudsters often exploit weaknesses in technology to attack businesses, the biggest flaws are always human and result from a lack of awareness, training, poor systems, policies and checking.”
With that in mind, our goal with this article is to offer several ways you can prevent invoice fraud from happening in the first place. These prevention tactics rely mostly on best operating practices that can be implemented in your business. It’s crucial these practices are followed each and every time your company pays an invoice, no matter how sure your accounting team is that the invoice is legitimate. After all, it only takes one slip-up to lose a lot of money.
You want to have the same mindset as fighter pilots and surgeons: Use your checklist and let it protect you.
Surgeon and author Atul Gawande makes the point in his popular book “The Checklist Manifesto” that checklists are not a sign of stupidity or simplicity. Instead, checklists are the sign of a very intelligent person who realizes the flaws in their own human nature and takes steps accordingly to protect against the downside.
If checklists work in the life-or-death situations of flying fighter jets and performing surgery, they can work for you in your small or medium-sized business.
Fraud Tactic #1: They’ll Invoice You From a Fake Email Address
This relatively simple method of invoice fraud relies on two things:
Basically, this method of supplier invoice fraud will involve researching your business. Things to figure out:
Then they’ll create a fake invoice for a thousand pounds or so. The email will claim the invoice is 90 days late and MUST be paid immediately, adding to the stress level of your accounting team (especially if you legitimately have many unpaid invoices to catch up on).
Let’s say you normally order supplies from Paper and Pens Co. Their email domain is firstname.lastname@example.org.
The fraudsters might email you from…
Or some other similar variation of the normal email address.
Since this is a relatively simple type of fraud, it is relatively easy to prevent – IF you follow a checklist each time an invoice is paid. This type of fraud in particular will often involve small amounts of money that may not require as much scrutiny as other, bigger invoice payments.
That’s why it’s very important you have stringent anti-fraud processes in place for every invoice, no matter how small.
Here are several ways to prevent fake email fraud:
This is a more difficult form of fraud for people to pull off successfully. That means it’s a more challenging form of fraud for your team to defend against, as it’s less obvious. If you receive an email from email@example.com, many internet-savvy people will say, “That’s not right since no legitimate company uses Gmail as their company email provider without attaching the business domain name to the end.”
However, what if your team receives an email from firstname.lastname@example.org asking for a payment? Or even worse: email@example.com? Fraudsters carry out this form of deception by getting the email passwords for a company’s official accounts in some way. They may do this through keylogging (installing software that records keystrokes and sends them to a third party) or social engineering of some kind.
Point is, just because the invoice comes from a “safe” email account doesn’t mean you can let your guard down.
However, there IS some good news: even if fraudsters send you a fake invoice from a company’s real email address, any payment you make would still go to the legitimate company in question. That is, you already have a “safe” bank account or credit card on file that you make payments to.
Even if fraudsters have a company’s email account, they’ll need to give you a new payment option before they can profit from their exploits. Which brings us to our third (and final) form of fraud…
This is the most crucial form of fraud to be aware of … why?
This is the form of fraud that actually takes your money away from you. The other forms of fraud are just setups – this is the final blow.
The Computer World UK article states:
“In this attack, an organisation is phoned up or sent a spoofed email from someone claiming to be from a company they do business with, informing them of an office location or bank account switch and that future invoices should be re-directed.”
This form of fraud is particularly nefarious because you may not realize it at first. It’s possible for weeks to go by and multiple payments to be made before your team realizes they’re being deceived.
And the office change in question may be legitimate. Maybe your supplier actually did set up a new office location, but the person on the phone or sending the email might not be from your supplier.
This is the most important type of fraud to prevent.
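As an added illustration (not part of the original article), here is how the checklist idea could be automated for the three tactics above: compare each invoice's sender domain and requested bank account against the supplier record you already hold. The `Vendor` and `Invoice` records, the free-mail list, the distance threshold of 2 and the sample domain and account numbers are all assumptions made for this sketch.

```python
from dataclasses import dataclass

FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
BANK_FLAG = "bank details differ from record: confirm by phone on a known number"

@dataclass
class Vendor:              # hypothetical supplier record kept by accounts
    domain: str            # domain the supplier normally emails from
    bank_account: str      # account verified when the supplier was set up

@dataclass
class Invoice:
    sender: str            # From address of the invoice email
    bank_account: str      # account the invoice asks you to pay into

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_invoice(inv: Invoice, vendor: Vendor) -> list[str]:
    """Return the checklist items to clear before paying, whatever the amount."""
    flags = []
    domain = inv.sender.rsplit("@", 1)[-1].strip().lower()
    if domain in FREE_MAIL:
        flags.append("free-mail sender")
    elif domain != vendor.domain:
        near = edit_distance(domain, vendor.domain) <= 2
        flags.append("lookalike domain" if near else "unknown domain")
    # Checked even when the sender is genuine: a compromised mailbox still
    # has to introduce new payment details before the fraudster gets paid.
    if inv.bank_account.replace(" ", "") != vendor.bank_account.replace(" ", ""):
        flags.append(BANK_FLAG)
    return flags

# Constructed sample data; the domain and account numbers are made up.
VENDOR = Vendor("paperandpens.example", "GB00 TEST 0000 1234 5678")

if __name__ == "__main__":
    for inv in (
        Invoice("accounts@paperandpens.example", "GB00TEST000012345678"),
        Invoice("accounts@paperandpen.example", "GB00TEST000012345678"),
        Invoice("accounts@paperandpens.example", "GB00TEST000099999999"),
    ):
        print(inv.sender, check_invoice(inv, VENDOR) or "ok to pay")
```

An empty result means the invoice matches the record on file; any flag means the payment waits until someone has cleared that item by hand.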