How Your Staff Put Your Business at Risk of Invoice Fraud

Estimated Reading Time: 4 Minutes
Invoice Fraud – aka Beneficiary Change Request – is an increasingly common practice in today’s world. The increasing reliance on email communications has made Businesses much more vulnerable to Cyber Criminals and Social Engineering practices. Moreover, this Cyber Security incident easily bypasses your Anti-Virus or Firewall protection – instead, it relies on your staff and on how well-trained they are to recognise the threat.

Another common type of Fraud that has gained popularity over the previous years is the CEO Fraud, and you can read about it and educate your staff here.

What exactly is Invoice Fraud?

In this fraud scenario, a Cyber Criminal will pretend he is a reliable player and will seek to redirect payments. Typically, they will mimic the identity of a known supplier and communicate directly via email to the person in your company responsible for managing expenses.

There are cases in which the supplier’s email accounts have been compromised, and others in which criminals are using “spoofed” accounts, which appear as if they are coming from a trustworthy address. Learning to identify a suspicious email is one of the best ways to address this topic, and we have an article about it here. Reading this and sharing with your staff is a good start.

The content of this message is the vector of attack. What, on the surface, looks like a legitimate communication regarding financial details, may be a case of Invoice Fraud. Often, the criminal will pose as a new account manager working at a partner company and inform your staff that their banking details have changed. Usually they’ll not even ask for money right away – to make things subtler.

Instead, they will patiently wait for the period that businesses usually pay their invoices and it could take a long time for everyone involved to realise what has happened.

How does Invoice Fraud happen? – An Example

Emma, a member of the accounts payable team, receives an email from John – a known contact for a supplier. The email notifies Emma of a change in banking details, in a polite and formal tone. Emma replies asking for telephone confirmation, which is required according to company policy.

John responds to say that he is on a business trip but that his colleague, ‘Brian’, is managing confirmations in his absence. Brian then calls Emma, confirms the request to change the banking details and sends an invoice – which Emma pays to the new bank account.

A few days later, Emma receives an email from John requesting payment for this same invoice. Emma immediately rings John and discovers that their bank details have not changed and that no Brian works for the company. It is only then that they discover they have fallen victim to Invoice Fraud and the money is gone.

Please Note: this type of fraud can and often is accompanied by additional telephone communications, which only serves to make it appear much more genuine. Do not underestimate how sophisticated and patient fraudsters have become.

In these situations, it can be hard to pinpoint who is at fault for the money loss. If the email account used to communicate the change of details was compromised, then people may want to hold them accountable for the breach. However, in the end, it always falls to the organisation who is making the payment to have robust confirmation policies and ensure that they are communicating with legitimate company contacts.

How to Avoid Invoice Fraud

As previously mentioned, Anti-Viruses and tools will only do so much to protect you. A Cyber Security company can do a lot for your business, but an email inbox cannot be 100% secured. Indeed, while an inbox should have filters and protection, there always has to be an opening for new, seemingly secure emails – or the whole point of the channel becomes lost.

Therefore the best defence against this threat lies in staff training. Learning to identify a suspicious email is crucial as it will not only help to prevent Invoice Fraud, but it will protect your company against a wide variety of Cyber Attacks.

As employees are educated on this type of fraud, payment policies should also be reinforced. The following points should be standard procedure among transactions:

1. 1. Validate all change requests you receive beyond the channel they came from. Go to the company’s official website (don’t click on links from a suspicious email) and look for contact information, preferably telephone numbers.
2. 2. Create your own customer, supplier and payee profiles.
3. 3. Independently confirm requests with established approved contacts to verify any transfer requests.
4. 4. Beware of requests for immediate or urgent payments. Watch the language and tone being utilised and verify the sender’s identity.
5. 5. Keep track of your invoice routine and don’t merely pay something as soon as it comes up. Confirm all details verbally and in writing with the responsible parties.
6. 6. Send a test transaction, with a small value of money to the new account and confirm receipt with the legitimate beneficiary.

Armed with this knowledge and by being made fully aware that they are the most common targets, your employees should be able to avoid being tricked by any potential Cyber Attacks. Remember, don’t hesitate in educating your staff – these threats are happening every day.

Here at Spector, we can provide this training to your staff as part of our Cyber Security offering. Education, evaluation and occasional phish tests are conducted to ensure that your staff are being vigilant and able to identify any suspicious communications. This is only part of the service included, and if you are interested in discussing this in greater detail, please feel free to contact us.

We will be able to answer your questions and have a better understanding of your needs. For more details on how we operate, read our Brochure Cyber Security Gap Analysis – it explains how the process begins and the first steps we will take to mitigate your technology risk.

Thank you for reading.