
Invoice Fraud

Invoice Fraud – What is it?


Invoice fraud is when fake invoices are sent to targeted businesses in an attempt to extract money from companies with possible vulnerabilities in their accounts payable processes. Although it is becoming more common, over 43% of businesses still aren’t aware of it, nor of the threat it poses to their business. According to Barclays, £93 million was lost to invoice fraud last year.

How is this happening?

This can be done in two ways. The scammer may pose as you and send fake invoices to your clients, or they may pose as a regular supplier of yours and send the fake invoices to you.

They obtain this information by extensive online research, identifying suppliers to companies and organisations.  They will look for details about regular payments, including frequency and amount.

For example, they may pose as a supplier to you and send a request to change bank details to the ones that they provide. They may ask that you wait for your next invoice before you change the payment details, so that when you receive the next genuine invoice at the usual time you don’t question it. If you then change the bank details and the payment goes ahead, the fraud can remain undetected for further payments, or is only flagged up when the legitimate supplier chases payment.

If they pose as your company and send your client a fake invoice, they may well do as above, or just send an invoice containing their bank details in the hope that it gets paid without question. These invoices will carry the criminals’ own bank account details, phone numbers and email addresses. This can be done either by email or by letter and is sometimes hard to spot. Email addresses can be spoofed, or a PC infected with malware can allow criminals to access genuine email addresses. Requests made by letter can be made to look convincing just by adding a good letterhead. Both may be made more convincing if they copy the way you write and structure your emails and letters.

We have also seen emails that pretend to be from the Managing Director of the company and appear to be sent from internal email addresses when in fact they are not. These are often sent from an external email address. It’s always worth a call to verify that they have requested any transfers.

Tips to help prevent invoice fraud.

  • If receiving a change of bank details either by email or letter always verbally confirm the changes with a trusted contact within that company. Speak to the member of staff that you would normally deal with.
  • Don’t use the contact details provided in the email or letter. Either check your records for contacts or check the company website if needed.
  • Ensure that your details and contact names are also up to date with both clients and suppliers.
  • Keep your security software up to date to protect your data from hackers and viruses.
  • Inform your supplier that payment has been made, so that they can verify receipt if needed.
  • Communicate the risks to all staff so that they are aware of the signs. Set out a procedure for checking new bank details or invoices if needed.
  • Use 3-way matching to check each invoice against a purchase order and a receipt of goods.
  • Employ AP Automation so that the software can give you a quick detailed insight into your accounting activity.
  • Remember that fraud can happen both internally and externally.
  • Consider removing links to your suppliers from your company information or website, as this is an easy way for them to be identified.
  • Change your passwords regularly, and never use the same password for more than one account.
  • Enable multi-factor authentication on accounts where possible.
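
The 3-way matching tip and the bank-detail verification tip above, combined in an added Python example (not part of the original article). All names and sample records are constructed for illustration, and the check assumes you keep each supplier's bank details on file.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    number: str
    po_number: str
    supplier_id: str
    amount: Decimal
    bank_account: str  # sort code and account number as printed on the invoice


def hold_reasons(inv, purchase_orders, goods_received, bank_on_file, verified_by_phone):
    """Return the reasons to hold payment; an empty list means the invoice passed."""
    reasons = []
    po = purchase_orders.get(inv.po_number)  # (supplier_id, ordered amount)
    if po is None:
        reasons.append("no purchase order")
    else:
        if po[0] != inv.supplier_id:
            reasons.append("supplier differs from purchase order")
        if po[1] != inv.amount:
            reasons.append("amount differs from purchase order")
    if goods_received.get(inv.po_number, Decimal("0")) < inv.amount:
        reasons.append("goods received do not cover invoice")
    # Bank details that differ from the record on file are held until the change
    # has been confirmed by phone using a number already in your own records.
    changed = bank_on_file.get(inv.supplier_id) != inv.bank_account
    if changed and (inv.supplier_id, inv.bank_account) not in verified_by_phone:
        reasons.append("unverified change of bank details")
    return reasons


# Constructed sample records (not real suppliers or accounts).
PURCHASE_ORDERS = {"PO-1001": ("SUP-01", Decimal("1200.00"))}
GOODS_RECEIVED = {"PO-1001": Decimal("1200.00")}
BANK_ON_FILE = {"SUP-01": "00-00-01 00000001"}
VERIFIED_BY_PHONE = set()

GENUINE = Invoice("INV-77", "PO-1001", "SUP-01", Decimal("1200.00"), "00-00-01 00000001")
NEW_BANK = Invoice("INV-78", "PO-1001", "SUP-01", Decimal("1200.00"), "00-00-02 00000002")
NO_ORDER = Invoice("INV-79", "PO-9999", "SUP-01", Decimal("450.00"), "00-00-01 00000001")

if __name__ == "__main__":
    for inv in (GENUINE, NEW_BANK, NO_ORDER):
        reasons = hold_reasons(inv, PURCHASE_ORDERS, GOODS_RECEIVED, BANK_ON_FILE, VERIFIED_BY_PHONE)
        print(inv.number, "PAY" if not reasons else "HOLD: " + "; ".join(reasons))
```

The `NEW_BANK` invoice matches its purchase order and goods receipt exactly, so 3-way matching alone would pass it; only the comparison against the bank details on file holds the payment.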

Below is a link to an invoice fraud leaflet and poster that may be useful for highlighting the issue to your staff.