Invoice fraud and how to identify it, by John Mc Loughlin, MD J2 Software
Fraudsters consider invoice fraud a low-risk crime, and it is increasing at an alarming rate because it is difficult to trace. Difficult, but not impossible!
What is invoice fraud, you may be wondering? It is what happens when a genuine invoice is altered so that the customer still pays for the goods or services, but into the wrong account. The fraudster dupes the customer (the victim) into changing the supplier's bank details on their system, sometimes by telephone but mostly by email. The customer then believes they have settled the invoice, when they have in fact paid the money into the fraudster's account. In just two weeks my company saw two incidents of invoice fraud with my clients. Here's my take on how to identify and avoid invoice fraud.
How it happens
Without insider assistance, this type of fraud is very difficult to perpetrate. This is another of the many examples of an "insider threat" that must be recognised and protected against. Invoice fraud is usually only noticed when the customer insists that they have already paid the invoice, even though the service provider has never received the payment. Although the customer was innocently duped, the business remains liable: it did not have adequate systems in place, backed by user awareness programmes, to prevent this from happening.
If an employee changes a supplier's bank details without final authorisation and verification, this should be seen as negligence on the part of the business for enabling the crime to happen.
To get started, the fraudster needs inside knowledge of the relationship between the victim and the supplier. This information is obtained in numerous ways: an insider sends it in an email, pastes it into a chat or copies it to a USB drive. Sometimes the fraudster is themselves an employee of the business.
Armed with this inside information, the fraudster contacts the supplier by email, requesting copies of outstanding invoices and statements. The fraudster uses a free public email service and sets the display name so that the request appears to come from the customer, hiding the true sending address. The supplier sends the invoices to this fake address. The fraudster then simply "copies" the invoices and forwards them to the customer (the victim). The copies look much like the originals, with one major difference: the bank details have been changed. Once the copied invoices, along with any other fake documentation such as a letter confirming the "new" account, reach the customer, the customer's systems are updated with the fake bank details and the fraudster simply waits for the invoices to be paid.
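The display-name trick described above is mechanical enough to check for automatically on the supplier's inbound mail. The following is an added example (not the author's code or any product of J2 Software) that parses a raw message and flags the tell-tale signs: a display name matching a known customer contact but a different address, a registered address planted inside the display name, a free public mail domain, and a Reply-To that steers answers elsewhere. The contact register, the free-mail domain list and the three sample messages are all constructed for illustration.

```python
"""Flag display-name impersonation in an inbound request for invoice copies.

Added illustration, not the article author's code. The contact register, the
free-mail domain list and the sample messages below are all constructed.
"""
import email
from email.utils import parseaddr

# Hypothetical supplier-side register: the registered address of each person
# at a customer who is allowed to ask for statements and invoice copies.
KNOWN_CONTACTS = {
    "Jane Smith": "jane.smith@acme-customer.example",
}

# Consumer webmail domains a corporate customer would not normally send from.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def check_sender(raw_message, known_contacts=KNOWN_CONTACTS):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_name = from_name.strip()
    from_addr = from_addr.lower()
    domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""

    # 1. The display name belongs to a known contact but the address does not.
    registered = known_contacts.get(from_name)
    if registered and registered.lower() != from_addr:
        findings.append(
            f"display name '{from_name}' is a known contact, but {from_addr} "
            f"is not their registered address {registered}"
        )

    # 2. A registered address has been planted in the display name itself,
    #    e.g. "jane.smith@acme-customer.example" <attacker@gmail.com>.
    for addr in known_contacts.values():
        if addr.lower() in from_name.lower() and addr.lower() != from_addr:
            findings.append(f"display name contains the registered address {addr}")

    # 3. The message comes from a free public mail service.
    if domain in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses a free public mail service ({domain})")

    # 4. Replies are steered to a different mailbox than the one shown.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    return findings


# Constructed sample: the fraudster's request, display name set to the real
# contact's name, sent from a free webmail account.
FRAUD_REQUEST = """\
From: Jane Smith <acme.accounts.payable@gmail.com>
To: billing@widget-supplies.example
Subject: Copies of outstanding invoices and statement

Hi, please send copies of all outstanding invoices and our latest statement.
"""

# Constructed sample: the real address quoted as the display name, with a
# Reply-To pointing at yet another mailbox.
PLANTED_ADDRESS_REQUEST = """\
From: "jane.smith@acme-customer.example" <acme.billing@outlook.com>
Reply-To: invoices-acme@yahoo.com
To: billing@widget-supplies.example
Subject: Statement and open invoices

Please resend our statement and all open invoices.
"""

# Constructed sample: the genuine contact writing from her registered address.
GENUINE_REQUEST = """\
From: Jane Smith <jane.smith@acme-customer.example>
To: billing@widget-supplies.example
Subject: Statement request

Could you send our statement for last month, please?
"""

if __name__ == "__main__":
    for label, sample in [("fraud", FRAUD_REQUEST),
                          ("planted", PLANTED_ADDRESS_REQUEST),
                          ("genuine", GENUINE_REQUEST)]:
        print(label, "->", check_sender(sample) or "no findings")
```

None of these checks proves fraud on its own; a hit should route the request to a human who confirms it with the customer using the contact details already on file, never by replying to the message.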
From personal experience, every fake invoice I have seen has been a really poor copy that somehow appeared to go unnoticed. The fake copies have several inconsistencies, such as misspellings, poor layout and blurred logos; the borders are different and the invoice just looks out of alignment. A business spends a lot of time making sure its invoices are professional and correctly laid out, whereas a fraudster simply throws them together. On inspection of the accompanying "bank" letters created by the fraudster, the problems are easy to spot. However, because there is little or no user awareness at most companies, the discrepancies are ignored. The letters also often take a threatening tone: pay into the new account or face charges and penalties.
Once payment is made, the fraudster simply empties the account and moves on to the next victim.
How to stop it
With strong authorisation processes in place, this should not happen. Businesses today cannot ignore these threats: they stand to suffer reputational damage, will have the inconvenience of logging police cases and chasing their money, and are still burdened with the outstanding supplier debt. The original cost of the invoice can easily be tripled, or worse, by the time the problem is rectified.
It is vital that security is driven into the DNA of the business and that users become the guardians of its information.
Any request to change bank details must pass through a data security and compliance step before it is actioned. In both cases cited, had the customer simply made a telephone check, or even sent an email verification to the supplier's registered email address, they would not have suffered the loss. Crucially, that check must use the contact details already on file, not the telephone number or email address printed on the letter requesting the change. Customers already have the correct contact details and know the right people at their suppliers, yet they take shortcuts, make mistakes and create losses. This is why policies, monitoring and focused awareness are all crucial to reducing risk and cutting losses. A poster in a lift is not awareness. Companies may say, and even think, that they take information security seriously, but then do not track the actual activity taking place at the endpoint. Don't wait until it's too late.
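The verification step above can be enforced rather than left to memory. The following is an added example (not the author's code or any product of J2 Software) of a minimal supplier-master-data workflow in which a bank-detail change is only applied after a callback to the telephone number already on file and approval by a second person. The supplier record, account numbers, telephone numbers and user names are constructed; the point of the `verify_by_callback` gate is that it refuses any number other than the one on record, so a "bank letter" carrying the fraudster's own number cannot be used to verify itself.

```python
"""Change control for supplier bank details.

Added illustration, not the article author's code: a change is only applied
after an out-of-band callback to the number already on file and a second
person's approval. All names, numbers and account details are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Supplier:
    name: str
    bank_account: str
    registered_phone: str   # from the signed contract, never from a letter or email
    registered_email: str


@dataclass
class ChangeRequest:
    supplier: str
    new_account: str
    requested_by: str
    verified: bool = False
    approved_by: Optional[str] = None


class SupplierRegister:
    """Supplier master data with a gated workflow for bank-detail changes."""

    def __init__(self, suppliers: List[Supplier]):
        self.suppliers: Dict[str, Supplier] = {s.name: s for s in suppliers}
        self.pending: Dict[int, ChangeRequest] = {}
        self.audit: List[str] = []
        self._next_id = 1

    def request_change(self, supplier: str, new_account: str, requested_by: str) -> int:
        """Record a requested change; nothing on file is touched yet."""
        if supplier not in self.suppliers:
            raise KeyError(f"unknown supplier {supplier!r}")
        change_id = self._next_id
        self._next_id += 1
        self.pending[change_id] = ChangeRequest(supplier, new_account, requested_by)
        self.audit.append(f"#{change_id} {supplier}: change to {new_account} requested by {requested_by}")
        return change_id

    def verify_by_callback(self, change_id: int, number_dialled: str, confirmed: bool) -> None:
        """Out-of-band check: the clerk must dial the number on file, not one
        printed on the letter that accompanied the new invoice."""
        req = self.pending[change_id]
        on_file = self.suppliers[req.supplier].registered_phone
        if number_dialled != on_file:
            raise ValueError(f"callback must go to the registered number {on_file}, not {number_dialled}")
        if not confirmed:
            self.audit.append(f"#{change_id}: supplier denied the change; suspected fraud")
            raise ValueError("supplier did not confirm the change; treat as suspected fraud")
        req.verified = True
        self.audit.append(f"#{change_id}: confirmed by callback to {on_file}")

    def approve(self, change_id: int, approver: str) -> None:
        """Second pair of eyes: a different person, and only after verification."""
        req = self.pending[change_id]
        if not req.verified:
            raise PermissionError("change has not been verified with the supplier")
        if approver == req.requested_by:
            raise PermissionError("requester may not approve their own change")
        req.approved_by = approver
        self.audit.append(f"#{change_id}: approved by {approver}")

    def apply(self, change_id: int) -> str:
        """Update the account on file; refuses unless both gates have passed."""
        req = self.pending[change_id]
        if not (req.verified and req.approved_by):
            raise PermissionError("change is not verified and approved")
        self.suppliers[req.supplier].bank_account = req.new_account
        del self.pending[change_id]
        self.audit.append(f"#{change_id}: applied; {req.supplier} now paid into {req.new_account}")
        return req.new_account


def demo_register() -> SupplierRegister:
    """Register holding one constructed supplier record."""
    return SupplierRegister([
        Supplier("Widget Supplies", "62000000011", "+27115550100",
                 "accounts@widget-supplies.example"),
    ])


if __name__ == "__main__":
    reg = demo_register()
    cid = reg.request_change("Widget Supplies", "62000000099", "ap_clerk")
    # The fraudster's letter lists +27115559999; dialling it is rejected outright.
    try:
        reg.verify_by_callback(cid, "+27115559999", confirmed=True)
    except ValueError as exc:
        print("rejected:", exc)
    # Calling the number on file and hearing "we never changed our account" flags fraud.
    try:
        reg.verify_by_callback(cid, "+27115550100", confirmed=False)
    except ValueError as exc:
        print("rejected:", exc)
    print("\n".join(reg.audit))
```

The same gate applies to an email verification: the confirmation must be sent to the supplier's registered address on file, not to the address that sent the invoice, and the audit trail is what lets the business show afterwards that the check was actually performed.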
In my next article on invoice fraud I will outline seven preventative steps that you can put into place to guarantee that your business will not be the next victim.
About John Mc Loughlin
John Mc Loughlin is the founder and MD of the J2 Software group of companies. He has been involved in leading technology solutions for over 15 years and has consulted on ICT policies, enforcement, productivity improvement, cost reduction and data loss prevention for many organisations in South Africa and beyond.