Invoice fraud can occur in one of two ways. The scammer can either pose as a regular supplier of yours and send fake invoices to you, or pose as you and send fake invoices to your clients that carry the scammer's own bank account details, phone number and email address.

Invoice fraud typically begins with the criminal hacking into the business’s email accounts to gain valuable security information about the company, its clients and its suppliers. The hacker then looks for details such as when regular payments are made and when invoices are sent to customers. Once they have collected the information needed to create invoices, they clone email addresses and invoices so that they mirror your own emails in structure, writing and appearance, impersonating you in order to appear legitimate.

Recognising invoice fraud

If you suspect you are being targeted, here are a few tips on how to detect a scammer and potential invoice fraud:

  • Check the invoice sender’s email address as scammers tend to change these, even if it’s just swapping a letter or adding a number. Make sure the email address is an exact match to the one you have on file for this contact.
  • Check that all of the contact details on the invoice match all the details you have on file from previous invoices.
  • Monitor and check your invoices carefully, and compare any recent or new ones to previous ones that you know are genuine. Look out for spelling mistakes, slight differences in layout or text/font and logos that may be slightly blurry.
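The exact-match check from the first tip can be automated. The following is an added example, not part of the original article: it flags a sender that is a near-miss of an address on file (a letter swapped, a number added). The addresses, the `ON_FILE` set and the two-edit threshold are constructed assumptions.

```python
# Added example: sender addresses and ON_FILE entries below are constructed.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(sender, on_file, max_edits=2):
    """Compare an invoice sender with the addresses held on file.

    Returns (verdict, closest_on_file_address_or_None), where verdict is
    "match", "lookalike" (within max_edits of a known address) or "unknown".
    """
    # Assumption: addresses are compared case-insensitively, as mail systems do in practice.
    sender = sender.strip().lower()
    known = sorted(a.strip().lower() for a in on_file)
    if sender in known:
        return "match", sender
    if not known:
        return "unknown", None
    closest = min(known, key=lambda a: edit_distance(sender, a))
    if edit_distance(sender, closest) <= max_edits:
        return "lookalike", closest   # near-miss of a trusted contact: hold payment
    return "unknown", None            # new sender: verify through details on file

ON_FILE = {"accounts@acme-supplies.example", "billing@northwind.example"}

if __name__ == "__main__":
    for addr in ["accounts@acme-supplies.example",
                 "accounts@acme-suppiies.example",   # one letter swapped
                 "accounts1@acme-supplies.example",  # a number added
                 "sales@unrelated.example"]:
        print(addr, "->", check_sender(addr, ON_FILE))
```

A "lookalike" verdict is the case the tip warns about: the address resembles a trusted contact closely enough to pass a casual glance but is not the one on file.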

Preventing invoice fraud

As for protecting your business from invoice fraud, the most important thing to do is ensure all staff are aware of the signs and risks. All companies are vulnerable to many different types of fraud, both internal and external. To prevent invoice fraud specifically, follow these steps:

  • Only give trusted and relevant staff members access to invoices and sensitive information and monitor how this is handled on a regular basis.
  • Make sure all staff that process and deal with invoices do so in a careful and vigilant manner – particularly when changing any bank details.
  • Have staff constantly look out for irregularities when processing invoices.
  • Always use different passwords across your accounts and devices, as well as multi-factor authentication where possible. Also be sure to regularly change passwords and store them in a safe place to make it difficult for scammers to access them.
  • If you receive any requests from suppliers regarding changing the invoiced amount or bank details, reach out to a trusted contact that you personally know from the company to check that it is legitimate. Don’t use the contact details provided in an email or on the invoice; always use details you have on file.
  • As soon as you have paid an invoice, ensure you contact the relevant supplier to confirm that you have made the payment and specify to which bank account it has been made. Always do the same when you are sending out an invoice to a client or customer to confirm the payment amount and specify the correct bank details you would like them to use.
  • As fraudsters and criminals often research a company prior to committing invoice fraud, it is crucial that you remove any information from your website that could potentially assist in their activity. Only keep public the information that you feel is extremely necessary.
  • Before making any kind of payment or transaction, always think carefully and take the time to properly analyse all invoices, emails and requests so that you don’t rush into making a dangerous decision. 

Alan Blaney is the owner of Focus Training (UK), which specialises in providing training relating to risk, security, intelligence analysis and fraud prevention. Focus Training provides fraud prevention and detection training courses to businesses to ensure they remain aware of any potential security risks. Its clients include government departments and multinational corporations, as well as hundreds of other companies across the UK.

www.focustraining.co.uk