Invoice fraud is a serious and growing problem. The primary target? Small to medium-sized businesses that don’t have robust fraud prevention systems in place that larger businesses might have.
Invoice fraud is now one of the most commonly used forms of digital fraud directed against businesses. As Hilton Baird Collections states in this article:
“According to the Tungsten Network research, more than half of businesses (54%) now see invoice fraud as their single biggest threat.”
The American, UK and Australian governments have given official warnings about the issue. Invoice fraud is what internationally acclaimed author Nassim Nicholas Taleb would call a “black swan” event. A black swan event is an unlikely occurrence that most people don’t expect that has very large consequences.
For example, the 2008 financial meltdown was a black swan event. Taleb makes the point in his book “The Black Swan” that most people don’t think about black swans prior to them happening, making their effects all the more severe.
But surely, while common, invoice fraud is for small things like office paper or pens, right? Unfortunately, that is not the case. Businesses are paying quite large sums of money to invoice fraudsters, with little or no hope of ever recouping the money.
As a Computer World UK article states:
“Two businesses that complained of invoice fraud were said to have lost sums around the £1 million ($1.5 million) figure each.”
And once the fraudsters have the money, they very quickly wire it out of the country. So, even if the fraud is identified immediately after the payment is made, it’s often too late. That’s why it is extremely important to prevent invoice fraud in the first place … the consequences of not doing so are severe.
Most invoice fraud doesn’t take the form of cyber hacking or anything as exotic. Instead, fraudsters use social engineering – taking advantage of human nature.
As the Computer World UK article states:
“While the fraudsters often exploit weaknesses in technology to attack businesses, the biggest flaws are always human and result from a lack of awareness, training, poor systems, policies and checking.”
With that in mind, our goal with this article is to offer several ways you can prevent invoice fraud from happening in the first place. These prevention tactics rely mostly on best operating practices that can be implemented into your business. It’s crucial these practices are put into place each and every time your company pays an invoice, no matter how sure your accounting team is that the invoice is legitimate. Because after all, it only takes one slipup to lose a lot of money.
You want to have the same mindset as fighter pilots and surgeons: Use your checklist and let it protect you.
Surgeon and author Atul Gawande makes the point in his popular book “The Checklist Manifesto” that checklists are not a sign of stupidity or simplicity. Instead, checklists are the sign of a very intelligent person who realizes the flaws in their own human nature and takes steps accordingly to protect against downside.
If checklists work in the life-or-death situations of flying fighter jets and performing surgery, they can work for you in your small or medium-sized business.
Fraud Tactic #1: They’ll Invoice You From a Fake Email Address
This relatively simple method of invoice fraud relies on two things:
- A lack of attention to detail
- Overworked and backed up accounting teams
Basically, this method of invoice fraud will involve a fraudster researching your business. They’ll figure out:
- How big your company is (large companies are less susceptible to fraud)
- What kinds of supplies you regularly order (paper supply fraud anyone?)
- What companies you normally order supplies from
- What your busy season is/when your accounting team is likely to have many unpaid invoices outstanding
Then they’ll create a fake invoice for a thousand pounds or so. The email will claim the invoice is 90 days late and MUST be paid immediately, adding to the stress level of your accounting team (especially if you legitimately have many unpaid invoices to catch up on).
Let’s say you normally order supplies from Paper and Pens Co. Their email domain is firstname.lastname@example.org.
The fraudsters might email you from…
Or some other similar variation of the normal email address.
How To Prevent Fake Email Fraud
Since this is a relatively simple type of fraud, it is relatively easy to prevent – IF you follow a checklist each time an invoice is paid. This type of fraud in particular will often involve small amounts of money that may not require as much scrutiny as other, bigger invoice payments.
That’s why it’s very important you have stringent anti-fraud processes in place for every invoice, no matter how small.
Here are several ways to prevent fake email fraud:
- Make sure you have the official invoicing email address on file for each partner and supplier you work with, and check the sender address of every invoice email against it each and every time you pay a supplier.
- Use a platform where you can send electronic POs and receive invoices online. Require suppliers and partners to comply with the requirements so that only the suppliers onboarded on the system can actually receive/send documents to you.
- Create a company culture (at least in the accounting department) that emphasizes doing things the RIGHT way instead of doing things the FAST way. This may be the most important point for fraud prevention in general.
Often, fraudsters are able to succeed because people are cutting corners. This is understandable in the busy season, but it is also very preventable. Don’t let your accounting team down by making them work with old technology and manual data entry. This will only cause confusion, lack of actionable information and overpayments.
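The first check in the list above can be automated so that it runs on every invoice email rather than relying on someone noticing a one-character difference. The following Python sketch is an added example, not part of the original article; the supplier record, the `.example` addresses and the function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed supplier master data: the official invoicing address on file.
ON_FILE = {"paper-and-pens": "billing@paperandpens.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(domain: str) -> str:
    """Fold common visual substitutions ('rn' for 'm', '0' for 'o', ...)."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("0", "o"), ("1", "l"), ("-", "")):
        d = d.replace(fake, real)
    return d

def check_sender(supplier: str, from_header: str) -> str:
    """Classify an invoice email's From header as 'match', 'lookalike' or 'mismatch'.

    Only 'match' should proceed to payment; the display name is ignored
    because the sender controls it.
    """
    expected = ON_FILE[supplier].lower()
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr == expected:
        return "match"
    exp_dom = expected.rpartition("@")[2]
    dom = addr.rpartition("@")[2]
    if dom == exp_dom:
        return "mismatch"  # right domain, but not the invoicing mailbox on file
    if normalise(dom) == normalise(exp_dom) or edit_distance(dom, exp_dom) <= 2:
        return "lookalike"  # near-miss domain: escalate, do not just reject
    return "mismatch"
```

A `lookalike` result is worth alerting on separately from a plain `mismatch`, because a near-miss of a real supplier's domain suggests someone has researched who you buy from.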
Fraud Tactic #2: They’ll Hack a Legitimate Company Email Address and Invoice You
This is a more difficult form of fraud for people to pull off successfully. That means it’s a more challenging form of fraud for your team to defend against, as it’s less obvious. If you receive an email from email@example.com, many internet-savvy people will say, “That’s not right since no legitimate company uses Gmail as their company email provider without attaching the business domain name to the end.”
However, what if your team receives an email from firstname.lastname@example.org asking for a payment? Or even worse: email@example.com? Fraudsters carry out this form of deception by getting the email passwords for a company’s official accounts in some way. They may do this through keylogging (installing software that records keystrokes and sends them to a third party) or social engineering of some kind.
Point is, just because the invoice comes from a “safe” email account doesn’t mean you can let your guard down.
However, there IS some good news: even if a fraudster sends you a fake invoice from a company’s real email address, any payment you make using the payment details you already have on file would go to the legitimate company in question. As in, you have a “safe” bank account or credit card that you make payments to.
Even if fraudsters have a company’s email account, they’ll need to give you a new payment option before they can profit from their exploits. Which brings us to our third (and final) form of fraud….
Fraud Tactic #3: They’ll Ask You to Change Where You Pay a Company’s Invoices
This is the most crucial form of fraud to be aware of … why?
This is the form of fraud that actually takes your money away from you. The other forms of fraud are just setups – this is the final blow.
The Computer World UK article states:
“In this attack, an organisation is phoned up or sent a spoofed email from someone claiming to be from a company they do business with, informing them of an office location or bank account switch and that future invoices should be re-directed.”
This form of fraud is particularly nefarious because you may not realize it at first. It’s possible for weeks to go by and multiple payments to be made before your team realizes they’re being deceived.
And the office change in question may be legitimate. Maybe your supplier actually did set up a new office location, but the person on the phone or sending the email might not be from your supplier.
This is the most important type of fraud to prevent.
Here’s how you can prevent “change of location” fraud:
- Whenever you change the form of payment or the account details with which you pay a supplier, you MUST have AT LEAST two parties from that supplier confirm the change.
- Make sure you NEVER change payment details, whether through email or phone, immediately after a supplier says they have a new location. Instead, you must initiate emails or phone calls to multiple people within that new company, asking them for confirmation.
- Don’t simply confirm the office location change: confirm the EXACT new bank account where your payments are being routed to.
- If a company has just called you to ask for a new payment option, wait at least 10 minutes before calling them back. Apparently, criminals can “hack” your telephone call and pretend to be the company – regardless of what number you call – if you call within 2-3 minutes of hanging up on the fraudsters.
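The four rules above can be enforced as a gate in the accounts-payable system, so that new bank details cannot be saved until the checklist is satisfied. This Python sketch is an added example, not part of the original article; the class names, the idea of a "contacts on file" set and the account string are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CALLBACK_DELAY = timedelta(minutes=10)  # the article's minimum wait before calling back
REQUIRED_CONTACTS = 2                   # the article's "at least two parties"

@dataclass
class Confirmation:
    contact: str            # person at the supplier
    initiated_by_us: bool   # True only if we placed the call or sent the email
    account_read_back: str  # the exact account the contact confirmed
    at: datetime

@dataclass
class ChangeRequest:
    supplier: str
    new_account: str
    received_at: datetime
    confirmations: list = field(default_factory=list)

def review(req, contacts_on_file):
    """Return (ok, notes): ok is True only with enough valid, distinct confirmations."""
    notes, valid = [], set()
    for c in req.confirmations:
        if not c.initiated_by_us:
            notes.append(f"{c.contact}: inbound contact does not count")
        elif c.contact not in contacts_on_file:  # assumption: contacts are pre-registered
            notes.append(f"{c.contact}: not a contact on file")
        elif c.at - req.received_at < CALLBACK_DELAY:
            notes.append(f"{c.contact}: called back within 10 minutes")
        elif c.account_read_back.replace(" ", "") != req.new_account.replace(" ", ""):
            notes.append(f"{c.contact}: account details do not match exactly")
        else:
            valid.add(c.contact)
    return len(valid) >= REQUIRED_CONTACTS, notes

# Constructed example: one inbound call plus one proper call-back is not enough.
T0 = datetime(2024, 1, 8, 9, 0)
REQ = ChangeRequest("paper-and-pens", "GB00 TEST 0000 0000 0001", T0, [
    Confirmation("caller", False, "GB00 TEST 0000 0000 0001", T0),
    Confirmation("ana", True, "GB00TEST000000000001", T0 + timedelta(minutes=30)),
])
```

Until `review` returns `True`, payments should keep going to the account already on file.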
Invoice fraud is serious. It is also very preventable. By following the tips in this article, you can keep your team safe from fraudsters and their nefarious activity.