You may have heard of invoice fraud, maybe not. Perhaps a headline buried somewhere in the business section of the morning news. Conversely, you have heard of Google and Facebook, companies that in 2019 paid out US$23 million and US$100 million, respectively, as victims of that same invoice fraud scam technique (which can also be known as business email compromise). If they’re susceptible targets, what about your company?
Invoicing fraud is on the rise. Yet, according to a survey by banking trade body UK Finance, more than four in every ten UK businesses are unaware of the risks posed. In fact, tracking the volume of Google searches for the term “invoice fraud” over the last 5 years shows no great change.
But, with almost £93m stolen from UK businesses through invoicing fraud in 2018, ignorance is no defence. If you’re not looking out for invoice fraud or any of its major variants (the list is growing fast), you may actually be making your company a more attractive target.
UK Finance surveyed 1,500 businesses across the UK and found that only 55% of sole traders were aware of the threat of invoice fraud. This percentage increased when talking to larger businesses, with 68% of small businesses and 84% of large businesses aware of the threat of invoice fraud.
As the Google and Facebook examples illustrate, this is not just a UK problem. Statistics from the Internet Crime Complaint Center (IC3), international law enforcement complaint data, and filings from financial institutions on invoice fraud and Business Email Compromise between October 2013 and May 2018 paint a troublesome picture:
- (US) Domestic and international incidents: 78,617
- (US) Domestic and international exposed dollar loss: $12,536,948,299
And those are just the reported incidents; the actual total could be much worse.
What is Invoice Fraud and How Does it Work?
Invoice fraud, sometimes called invoice redirection fraud, is a scam whereby the perpetrator injects false payment instructions into an otherwise legitimate invoice. This can often happen because the original invoice was intercepted, modified and then supplied to the intended recipient — something that can happen through email compromise or social engineering, which can actually result in insiders unwittingly abetting the perpetrator. Consequently, invoice fraud is hard to spot.
In some instances, fraudsters pose as an existing supplier or business partner and request changes be made to payment details on their account. Invoice fraud attempts conducted in this manner are often accompanied by supporting details (e.g. date when regular payments are due) to make their approach more convincing.
This approach is referred to by many names, including mandate fraud, creditor fraud, payment diversion fraud or supplier account takeover fraud. Unlike many cyber-crimes, which cause reputational or competitive harm (like the hack of US credit rating agency Equifax, which exposed the data of 143 million people), invoicing fraud results in immediate, generally irreversible financial loss.
According to statistics from Action Fraud, the UK’s national fraud and cyber-crime reporting centre, the average loss from mandate fraud has risen by 24%, to £27,756 in 2018/19, from an average loss of £22,405 in 2017/18 and £20,791 in 2016/17. The total cost to UK businesses is reportedly 28% higher than in the previous year. Scary times indeed.
How Can You Protect Against Invoice Fraud?
With so many variations on this type of cyber-crime, the idea of preventing invoice fraud may seem challenging at first, even daunting. Much of the advice available is about multiple layers of checking and validation before approving invoice payments. However, there are easier ways to ensure you do not succumb to this criminal tactic:
- While technology has to a large degree enabled invoicing fraud, it can also be your first line of defence in protecting against it. Using an electronic invoicing solution (e-Invoicing), such as Netsend, suppliers can issue invoices which reside in a secure online portal. The benefit of this is that customers have one secure online location to visit and pay each invoice; they can rest assured that any invoice located in this portal will not have been tampered with and payment will reach the correct recipient.
- Further validation and security can be provided through the use of digital signatures, confirming authenticity of sender and veracity of content. The use of digital signatures is supported by eIDAS (EU Regulation 910/2014), providing further reassurance when used to verify sensitive documents such as invoices.
- Awareness and vigilance internally will make any potential threat much more difficult to perpetrate. By simply communicating with employees about invoice fraud and how it works, or including it as a topic in security training, they will be more aware when unusual invoicing changes like payment terms or new banking and address information crop up, and know what to do about them.
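The check for new banking information described above can also be automated in the payment run. The following is an added example, not code from the original article or from Netsend; it holds any invoice whose bank details differ from the supplier's verified record. The vendor IDs, IBANs, the `screen_invoice` function and the call-back release step are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed vendor master: bank details verified with each supplier at onboarding.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Supplies Ltd", "iban": "GB29NWBK60161331926819"},
    "V-1002": {"name": "Nordwind GmbH", "iban": "DE89370400440532013000"},
}

@dataclass
class Invoice:
    number: str
    vendor_id: str
    iban: str      # account the invoice asks to be paid into
    amount: float

def normalise_iban(raw: str) -> str:
    """Strip whitespace and upper-case so formatting differences are not flagged."""
    return "".join(raw.split()).upper()

def screen_invoice(inv: Invoice, master=VENDOR_MASTER):
    """Return (decision, reasons); decision is 'pay' or 'hold'."""
    reasons = []
    record = master.get(inv.vendor_id)
    if record is None:
        return "hold", ["vendor not in master data"]
    on_file = normalise_iban(record["iban"])
    requested = normalise_iban(inv.iban)
    if requested != on_file:
        reasons.append("bank account differs from verified details on file")
        if requested[:2] != on_file[:2]:
            reasons.append("bank country changed: %s -> %s" % (on_file[:2], requested[:2]))
    # Assumed process: a hold is released only after a call-back to a phone number
    # already on file, never one taken from the invoice or the email carrying it.
    return ("hold" if reasons else "pay"), reasons

# Constructed sample invoices.
SAMPLES = [
    Invoice("INV-501", "V-1001", "gb29 nwbk 6016 1331 9268 19", 1200.00),  # same account, reformatted
    Invoice("INV-502", "V-1001", "GB82WEST12345698765432", 1200.00),       # redirected, same country
    Invoice("INV-503", "V-1002", "GB82WEST12345698765432", 8450.00),       # redirected, new country
    Invoice("INV-504", "V-9999", "DE89370400440532013000", 300.00),        # unknown supplier
]

if __name__ == "__main__":
    for inv in SAMPLES:
        print(inv.number, *screen_invoice(inv))
```

Because the comparison runs against master data rather than against the previous invoice, a redirected invoice is held even when it otherwise matches the supplier's usual amounts and layout.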
These simple steps can eliminate the risk of external invoice fraud — or even that from within, like this recent example which affected Airbus to the tune of £131,000.
It pays to bear in mind that in the invoicing fraud cases of Google and Facebook, they got their money back. Your company may not be so lucky.