There's an ongoing financial fraud wave impacting both small businesses and global corporations, engineered by equally well-organised criminal groups with their own hierarchies and partner networks. One of their most effective weapons is the invoice fraud scam, and it's lucrative. Sending fake invoice payment requests to companies yields impressive returns, costing UK businesses £81 million and Irish businesses €6 million in 2021. To put that into perspective, false invoicing represents an average cost of £2,100 to every business.
Creating fake invoices is just one of the many common scams targeting small businesses, but the good news is that securing your payments system from attacks doesn't require excessive human or financial resources. Here's how the scam works and what to do to patch your weaknesses.
What is invoice fraud?
Also known as invoice redirect fraud or business email compromise (BEC) fraud, the scam starts with an innocuous email in the inbox that appears to be from a supplier. It announces that the supplier has changed banks and needs to update their banking details. They provide a new IBAN or BIC for the accounts department to enter into their payments system.
Unfortunately, behind the sender name there's a scammer. The email is not from a trusted supplier and the bank account details are probably for an overseas account linked to a criminal organisation. The next time a genuine invoice arrives from the supplier, the target business will make a payment in good faith, not realising anything is wrong until an invoice reminder or phone call chasing a late payment comes from the actual supplier after the usual 30- or 90-day payment period.
The tricks of the false invoice trade
Invoice fraudsters will spoof email accounts to look like genuine messages from authentic suppliers. The email footer information and signature are easy to obtain online. More sophisticated fraudsters will use malware to hack into the payments or email system of the victim business. This allows them to intercept and hijack ongoing email threads with suppliers.
Hacking into a business of any size is surprisingly easy. All it takes is for an unwitting employee to click on an attachment, or a staff member to use their work phone or laptop on an unsecured wifi network at home or while commuting.
Professional organisations use social engineering too. They can easily collect important supplier information from your business website and social media pages, or even have delivery staff or temporary workers pass on information posted on notice boards or left on desks.
Why the false invoice scam works
On the one hand, businesses are under pressure to keep existing suppliers happy. Maintaining strong supplier relationships is an important aspect of business growth. Research by McKinsey shows that businesses that regularly innovate in supplier development significantly outperform those that don't, by as much as 4.9%. Paying invoices quickly is one way to delight suppliers.
On the other hand, businesses of all sizes are feeling the pinch from price hikes. That makes them more likely to shop around for better deals in an effort to cut costs. Nine out of ten would switch to a new supplier if there were savings to be secured. That means accounts teams are accustomed to updating payment details regularly, so a change request does not in itself arouse suspicion.
How to identify fake invoice payment requests
It's not just the accounts payable personnel who need to be on the alert for invoice redirect scams. The bogus request might be sent to a sales rep, receptionist or account manager first, knowing that they will forward it to accounts and add a veneer of legitimacy in the process. Here's what to look out for:
An email from a supplier that doesn't use the usual sender address.
The email is not personalised (no salutation).
There may be odd formatting or spelling mistakes and curious turns of phrase.
What are the risks and who is liable?
Invoice fraud can put serious pressure on cash flow for small businesses in particular, and deliver reputational damage for businesses of any size. Alarmingly, the scam is still slipping under the radar. While bigger corporations with dedicated finance departments are generally aware of invoice fraud, just 55% of sole traders and only 68% of small businesses were familiar with it, according to a UK Finance survey.
If you discover that your business has been targeted, contact your bank to recall the payment immediately, and file a report with Action Fraud in the United Kingdom or with the local Garda station in Ireland.
Unless the allocation of risk is clearly articulated in the supplier contract, establishing liability and recovering lost funds can be a complicated process. Ultimately, the bank, business, supplier and insurer will have to evaluate the fraud on a case-by-case basis. Do not assume that your bank will be able to recall any transfer, or that they will automatically refund the misdirected funds.
How to protect your business
Whether your business has a dedicated accounts department using automated software or a single person responsible who processes payments manually, fortify your system with these steps:
For any request to update payment details, insist on contacting the supplier to confirm. Use the information you have in your system, not the information provided on the email request, which will inevitably be bogus.
Check any IBAN or BIC online to see where the bank account is registered.
Keep employee devices up to date with antivirus software and firewalls, especially where staff are working from home, and establish clear policies for downloading attachments or software.
Have a robust peer-reviewed system for approving payments. It may add to the dreaded business “friction” but an extra pair of eyes leaves less opportunity for scammers to slip through.
Don't leave it until the end of the financial year or quarter to review your supplier details or cash flow. This scam relies in part on the 30- or 90-day breathing space to go undetected.
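The first two steps above (confirm against the details already on file, and check where a new IBAN is registered) together with the warning signs listed earlier (unfamiliar sender address, no salutation) can be turned into a simple screening routine that an accounts team runs before touching a supplier record. The following is an added example written for this article, not CurrencyFair's own code or tooling. The supplier record, sender addresses and email body are constructed sample values; the IBANs are the publicly documented format examples for GB and DE, not real accounts. The check of where an account is registered is done from the IBAN's ISO country code, and the IBAN checksum is the standard ISO 13616 mod-97 test.

```python
import re

# Constructed sample supplier record, as it would be held on file in the
# payments system. A real system would load this from its supplier master data.
SUPPLIERS = {
    "acme-widgets": {
        "email_domain": "acme-widgets.example",   # domain the supplier always writes from
        "iban": "GB29NWBK60161331926819",           # published GB example IBAN, not a real account
        "country": "GB",                            # where the on-file account is registered
    }
}


def normalise_iban(iban: str) -> str:
    """Strip whitespace and upper-case, so 'gb29 nwbk ...' and 'GB29NWBK...' compare equal."""
    return re.sub(r"\s+", "", iban).upper()


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check.

    Move the first four characters (country code + check digits) to the end,
    replace each letter with two digits (A=10 ... Z=35), and the resulting
    integer must leave remainder 1 when divided by 97. A single mistyped or
    altered character fails this test.
    """
    s = normalise_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(ord(ch) - 55) if ch.isalpha() else ch for ch in rearranged)
    return int(numeric) % 97 == 1


def iban_country(iban: str) -> str:
    """The first two characters of an IBAN are the ISO 3166 country of the issuing bank."""
    return normalise_iban(iban)[:2]


def assess_change_request(supplier_id: str, sender_email: str, new_iban: str, body: str) -> list[str]:
    """Return a list of warning flags for a 'we have changed bank' request.

    An empty list means nothing looked wrong; it does NOT replace the phone
    call to the supplier using the number already on file.
    """
    record = SUPPLIERS[supplier_id]
    flags = []

    # 1. Sender address: compare the domain with the one on file, never with the
    #    one in the email itself. Look-alike domains are the common trick.
    sender_domain = sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != record["email_domain"]:
        flags.append(f"sender domain '{sender_domain}' differs from on-file '{record['email_domain']}'")

    # 2. IBAN: reject malformed numbers outright, then compare the country of
    #    registration with the supplier's existing account.
    if not iban_valid(new_iban):
        flags.append("new IBAN fails the mod-97 checksum (malformed or mistyped)")
    else:
        country = iban_country(new_iban)
        if country != record["country"]:
            flags.append(f"new IBAN is registered in {country}, existing account is in {record['country']}")

    # 3. Personalisation: bulk-sent fraud emails often carry no salutation.
    if not re.match(r"(dear|hi|hello)\b", body.strip(), re.IGNORECASE):
        flags.append("email has no personal salutation")

    return flags


if __name__ == "__main__":
    # Constructed example of a suspicious request: look-alike domain, account
    # moved to another country, and a generic unaddressed body.
    suspicious = assess_change_request(
        "acme-widgets",
        "accounts@acme-widgets-billing.example",
        "DE89 3704 0044 0532 0130 00",
        "Please note we have changed bank. Update your records before the next payment.",
    )
    for flag in suspicious:
        print("WARN:", flag)
```

Every flag raised is a reason to stop and verify by phone using the contact details already in the system; a clean result is only the absence of the cheapest tells, not proof that the request is genuine.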
Finally, if you are exchanging money, always use regulated solutions. CurrencyFair is fully licensed and regulated by the Central Bank of Ireland. As a regulated foreign exchange platform, CurrencyFair uses two-factor authentication, encryption via SSL, segregated accounts, thorough verification and multiple other safety measures to ensure all transfers through our service are as secure as possible. See here for full details of our security procedures.
With our thorough security checks in place, your business' money is in safe hands.
Send money abroad quickly and securely with a CurrencyFair business account.
This information is correct as of May 2022. This information is not to be relied on in making a decision with regard to an investment. We strongly recommend that you obtain independent financial advice before making any form of investment or significant financial transaction. This article is purely for general information purposes. Photo by Mikhail Nilov.