Invoicing fraud is growing at an alarming rate. It occurs when a customer is fraudulently led to believe that a payment for goods or a service needs to be made into a different account than the supplier's real one.
This is done by duping the customer (the victim) into changing the supplier's bank details on their system, either telephonically or by email; the latter is the most popular method. The customer believes that they have settled their invoice when in fact they have paid the funds into the fraudster's account.
This type of fraud usually goes unnoticed until the supplier contacts the customer following up on payment of the invoice. The customer duly provides proof of payment only for the supplier to confirm that they have not received the payment.
Despite being innocently duped into doing this, the fact of the matter is that the business is still liable for the invoice, because it did not have adequate systems in place that would have prevented this from happening.
Interpol describes this type of fraud as criminals hacking into email systems or using social engineering tactics to gain information about corporate payment systems. They then deceive company employees into transferring money into their bank account.
A large timber supplier in Pietermaritzburg was the victim of invoicing fraud in 2016.
The victim was emailed by a trusted supplier requesting an urgent payment of their invoice and advising the victim of a change of banking details. The victim acknowledged the change of banking details and advised that payment would be made as soon as possible. The victim was sent an invoice amounting to R1.6 million and payment was urgently needed by the supplier.
Several days later, the victim requested the new banking details as payment was due to be made, and the supplier sent through the documentation. The victim further emailed the supplier to confirm the banking details and the supplier verified them.
Several days later the actual supplier contacted the victim querying why there had been a delay in payment. The victim responded that the payment had been made into the new bank account as requested. The actual supplier then called the victim to explain that his email account had been hacked weeks earlier and that there had been no change in their banking details.
Upon realising that they had fallen victim to invoicing fraud, the victim contacted their bank and requested that the bank stop the funds from being released. Luckily, the bank informed the victim that it was able to stop the funds from being released. The victim sent through new payment instructions and was awaiting a copy of the SWIFT confirmation, while debit authority was being requested from the fraudulent party.
This was an ongoing battle for the victim, but thankfully they were able to recover most of the money from the fraudulent party.
How does it happen?
Fraudsters use phishing emails to steal usernames and passwords, which allows them to take over your personal or business email accounts. Phishing attacks are getting more difficult to detect as hackers, fraudsters and other malicious users become smarter in the way they execute these attacks.
They usually lurk in and monitor your email account for months or even years until an opportunity to intercept an invoice presents itself. Once they can see that a large transaction is about to take place, they spring into action.
The scammers intercept an email, change the bank details on the invoice and send it on for payment. In many cases, they use spoofing to make the email address seem credible and trustworthy: a lookalike address changes a single letter, or the domain, in the email address so that it appears legitimate. This is often overlooked because users have not been told what to look out for.
The recipient pays the invoice thinking it comes from a legitimate source, when in fact the money is paid into the scammer’s account. This often occurs without the recipient even noticing anything out of the ordinary.
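The lookalike-address trick described above can be caught mechanically before anyone pays. The following Python script is an added example (not code from the original article or from GTconsult) that classifies a sender address against a constructed vendor master of verified supplier domains, folds common confusable substitutions (rn for m, 1 for l, 0 for o) before comparing, and flags emails that combine a suspicious sender with "new bank details" or urgency language. The domain names and sample emails are invented for the example.

```python
import re

# Constructed vendor master: supplier domains you have verified out-of-band.
# These names are invented for this example.
TRUSTED_DOMAINS = {"timbersupplier.co.za", "quattrofinance.co.za"}

# Character substitutions commonly used to build lookalike domains.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}

# Phrases that typically appear in a fraudulent "our bank details have changed" email.
CHANGE_TERMS = ("new bank", "new banking", "banking details", "bank details", "updated account")
URGENCY_TERMS = ("urgent", "immediately", "as soon as possible", "today")


def normalise(domain: str) -> str:
    """Lower-case the domain and fold common confusable substitutions."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_domain(address: str) -> str:
    """Pull the domain out of 'Name <user@domain>' or a bare 'user@domain'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower().rstrip(".") if m else ""


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> str:
    """Return 'trusted', 'lookalike of <domain>', 'unknown' or 'invalid'."""
    domain = extract_domain(address)
    if not domain:
        return "invalid"
    if domain in trusted:
        return "trusted"
    norm = normalise(domain)
    for known in sorted(trusted):
        known_norm = normalise(known)
        # One-character swaps and confusable substitutions (tirnber vs timber).
        if norm == known_norm or edit_distance(norm, known_norm) <= max_distance:
            return f"lookalike of {known}"
        # The supplier's name reused inside a different domain
        # (timbersupplier-invoices.com, timbersupplier.co.za.example.net).
        brand = known.split(".")[0]
        if any(brand in label for label in domain.split(".")):
            return f"lookalike of {known}"
    return "unknown"


def triage(sender: str, subject: str, body: str) -> list:
    """List the reasons an invoice email should be held for out-of-band verification."""
    reasons = []
    verdict = classify_sender(sender)
    if verdict.startswith("lookalike"):
        reasons.append(verdict)
    elif verdict != "trusted":
        reasons.append("sender domain not in vendor master")
    text = f"{subject} {body}".lower()
    if any(t in text for t in CHANGE_TERMS):
        reasons.append("requests a change of banking details")
    if any(t in text for t in URGENCY_TERMS):
        reasons.append("uses urgency language")
    return reasons


if __name__ == "__main__":
    # Constructed sample resembling the case described in the article.
    sample = ("Accounts <accounts@tirnbersupplier.co.za>",
              "URGENT: updated banking details",
              "Please pay invoice 4711 into our new bank account as soon as possible.")
    for reason in triage(*sample):
        print("HOLD:", reason)
```

An empty list from `triage` means the email passed these checks, not that it is safe; the article's advice still applies, and any change of banking details should be confirmed by phone on a number already on file, never one taken from the email.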
What are the consequences?
This is a very tricky situation as no party will want to take responsibility for the fraud. The customer will state that he or she received an invoice whose details appeared to originate from the service provider and will be reluctant to accept responsibility. The service provider will argue that they will not take responsibility as they did not send the new invoice and have not received the funds.
Troy Chiocchetti of Quattro Finance Group states that the consumer has the responsibility to keep his/her banking details and passwords safe. Banks have an obligation to protect the information of their consumers, provide secure mechanisms for banking and, where a fraud has been committed, to mitigate your loss and act swiftly.
Should a bank fail to do so, it could be responsible for refunding the entire amount stolen.
Banks cannot reverse the transaction without the consent of the account holder. Should the beneficiary fail to repay the monies, an action for unjustified enrichment may be brought in civil court for the recovery of the value thereof.
I have paid the money…
If you have become a victim of this type of fraud, Interpol recommends you do the following:
- Gather all documentation regarding the transaction, including any emails and invoices received, and report the incident to the local authorities as soon as possible;
- Immediately alert your bank to the fraudulent transaction. The bank should immediately try to recall the funds; and
- Consider consulting a civil lawyer in the country where the money was deposited (the country that houses the new beneficiary's bank account). This may help in approaching the bank to recover the money and/or in launching a civil complaint against the account holder.
Mitigate your risks
We are all aware that prevention is better than cure. If this can be prevented, you should be doing everything in your power to make sure it never happens to you.
Interpol recommends doing the following:
- Protect your corporate systems from hacking attempts.
- Use anti-virus software, firewalls and other tools and scan computers and devices regularly to prevent malware infections.
- Keep your personal and business computers up to date. Pay attention to security alerts, update security patches, conduct periodic systems checks.
- Make sure that your email accounts are well protected and don’t share passwords.
- Do not click on attachments or links you are not expecting, even if they have innocuous sounding names (invoice, for example). They often contain malware giving access to monitor your email/computer activities.
- Enable spam filters and block all access to suspicious or blacklisted websites.
- Be vigilant of suspicious or unexpected 'urgent' payment requests or changes in payment details.
- Look carefully at the sender’s email address. Criminals often create an account with a very similar email address to your business partners so keep your eyes peeled!
- Spread the word so any colleagues dealing with bank accounts are aware of the scam.
- If you receive an email concerning a change of payment method or bank account, contact the payment recipient through another channel (phone) to verify this claim. Do not reply directly to the email.
- Verify the authenticity of websites before providing any personal or sensitive information.
GTconsult recommends the following action:
- Enable multi-factor authentication;
- Have your banking-information verification pack ready and available for all customers;
- Make sure you have enabled phone verification;
- Make sure mail accounts have impossible-travel alerting set up;
- Make sure auto-forwarding rules are turned off;
- Set up SPF, DKIM and DMARC to improve email authenticity. We have a blog on how you can enable that here.
Seek professional advice.
Many companies now offer cyber insurance. Cyber insurance offerings may differ between companies; however, they are mainly focused on covering your computer systems, software and data, and protecting you against liability arising from cyberattacks on these assets.
In addition to the attacks listed above, electronic payment transactional fraud is covered by certain insurance providers.
It is worth looking into, as this type of fraud is on the rise and will only get more sophisticated in the near future.
In addition to having cyber insurance, having a lawyer on hand to assist when you have a breach or if you are facing a fine or civil action is highly recommended.
We recommend that you take a proactive approach and run simulated phishing campaigns. Further, you should educate your staff and remain vigilant to prevent this happening to you.
If you educate your staff on what to look for, and how to spot a suspicious email or invoice, you will drastically reduce your vulnerability. We also recommend following Microsoft's best practices to increase your Office 365 security. We have a guide on how you can increase your Office 365 security here.
Running regular phishing campaigns across your organisation will also show you if your staff are aware of the dangers and where they may need to be further educated.