Invoice fraud, when a genuine invoice is altered to get a customer to pay for goods or services but into the wrong account, is increasing at a rapid rate, and while it is difficult to trace it is not impossible. In this guest article, John Mc Loughlin, MD of J2 Software, explains seven practical steps you can take to prevent invoice fraud from happening to your business.
The seven steps are simple and cover training, attention to detail, verification, cross-checking alleged changes, checking for discrepancies, communicating with your suppliers, and managing your environment. Each is discussed in turn.
1 - Training
Provide awareness refresher courses to staff who work in finance and bear the responsibility of changing and approving bank details for customers or suppliers. This training must be specifically focussed on showing them what to look out for.
2 - Attention to detail
Check the paperwork - it only takes a few seconds to stop what can amount to damages to the tune of hundreds of thousands of Rands.
Check invoices and supporting documents, such as bank letters. For example, understand that with regards to a document with a bank stamp on the scanned document, you cannot see the text through the stamp's ink. If you can, it is fake. The ink of the stamp would mask the text underneath it. Banks do not send out documents laced with errors, so ensure that copies of invoices and bank letters stand up to scrutiny. Also, banks do not send paperwork with faded or low-quality logos, so a blurry logo can be further evidence of fake paperwork.
Another important part is to have a look at signatures. In the most recent fake document case in which my company was asked to consult we noticed that the signatory was a lady with that surname Van Wyk, though the signature was clearly not the same name. It is extraordinary that nobody noticed this or questioned it.
Ensure your staff check the basics. In doing this you can remove 99 percent of the probability of being a victim of invoice fraud.
3 - Verification
Verify the actual address that the email came from - it takes just five seconds to ensure the email address is correct and is not simply a changed display name. If your existing supplier sends from a specific domain and the one you have now is different, it is fake. For example, if your supplier uses a .co.za domain and the email comes from .org, it is fake.
4 - Cross-checking alleged changes
Always verify the changes requested by a minimum of two channels - some people still use faxes - but confirm via telephone and email. The small inconvenience is worth it. Ensure you use the contact details you already have - not any supplied on the new documents - and make certain that you are speaking to the correct point of contact at that supplier. I suggest you have a designated single point of contact at all suppliers.
Ensure that your company's process is clear about changes and implementing these, so that staff know what process to follow, what action to take, and when to raise the alarm.
5 - Checking for discrepancies
Ensure continuous awareness for staff who work with invoices to be on the lookout for changes or discrepancies. I also suggest that all users have protective monitoring as part of the security strategy of every business. Protective monitoring and behavioural analytics reduce risk and improve compliance.
6 - Communicating with your suppliers
Ensure that your suppliers are aware of the process your company follows to change bank details. Stick to this process at all costs. I assure you that your suppliers would rather wait a few extra days than have their payment go into somebody else's bank account.
7 - Managing your environment
Ensure you manage the environment and have a solid layered security approach covering anti-virus and email protection. This will ensure that users do not accidentally install malware or key-stroke loggers. Also, ensure you can identify changes to user behaviour and application usage.
If you do become a victim of invoice fraud, make sure you can identify how and where the process failure happened to ensure that it never happens again.
About John Mc Loughlin
John Mc Loughlin is the founder and MD of the J2 Software group of companies. He has been involved in leading technology solutions for over 15 years and has consulted around ICT polices, enforcement, productivity improvement, cost reduction and data loss prevention to many organisations in South Africa and beyond.
