A $122 million scam isn’t something you hear of every day. And yet, that’s what Google and Facebook lost to scammers through invoice fraud. Hackers sent them fake invoices impersonating a common supplier and managed to get paid into a variety of bank accounts.
To the inexperienced eye, signs of invoice fraud are easy to miss. Keep reading to find out how to spot invoice fraud before it damages your company.
Trustpair effectively blocks invoice fraud by continuously auditing supplier credentials and payments. Finance automation solutions are the most effective strategy to fight invoice fraud.
How does invoice fraud work?
Definition of invoice fraud
Change in credentials is the number one cause of fraud in the US. To efficiently protect against theft, you need to clearly understand the risks of invoice fraud.
Here is how fake invoice scams work:
- An employee from financial services receives an email. Invoice scams usually target someone who’s authorized to make payments, but not too high up in the organization.
- The email either asks them to pay an invoice to a known supplier but with “new bank account details”, or contains a bogus invoice for services not rendered.
- The unsuspecting employee makes the requested payment to what they think is their legitimate supplier’s bank account.
- In reality, this employee has just been a victim of an invoice scam. The person who contacted them committed identity theft to have funds transferred to their own bank account.
- Because wire transfers are processed quickly, the money is unretrievable. By the time anyone realizes something suspicious happened, the bank account has long been closed, and the scammer has gone.
The modus operandi for invoice fraud is always more or less the same, but cyber criminals are getting more and more creative in their fraud attempts.
Famous examples of invoice fraud
Between 2013 and 2015, a Lithuanian man and his accomplices sent invoices to Google and Facebook impersonating one of their suppliers, Quanta Computers.
Through an elaborate Business Email Compromise (BEC) scheme mixing phishing and invoice fraud, they managed to scam them out of 122 million dollars.
Fortunately, both companies were able to get most of their money back. The man was brought to trial in the United States and sentenced to 5 years’ imprisonment in 2019. In this case, it’s a happy ending. But financial and reputational losses are often non-recoverable.
What’s more, big corporations aren’t the only target of fake invoice fraud.
In 2018, the non-profit organization Save The Children was a victim of fraud through fake invoices. A hacker compromised one of their employee’s accounts to get access to sensitive information. With it, they proceeded to send fraudulent invoices under cover of an Asian project that was really taking place. The non-profit lost about 1 million dollars.
How can you spot invoice fraud? What are the signs of invoice fraud?
To protect yourself from invoice fraud, you must first be able to recognize it. Here are 3 warning signs of invoice scams to look out for:
- Email subject: often enticing and urgent. It draws your attention instantly, like “Urgent: change in bank account number”.
- Email body: it gives different credentials than those you originally got (which is the point). Emails from cybercriminals might have a different tone and wording than your known contact (if they haven’t used social engineering to successfully copy their way of speaking). It conveys a feeling of urgency which might escalate to threats in follow-up emails.
- Sender email: the email address will be very close to that of the known contact, differing only in a few details (robetr instead of robert, or .org instead of .com for instance). In this case, the scammers have used spoofing, but they could also have hacked into your contact’s system and be using their real email address – making it almost impossible to spot.
Those are good red flags that invoice fraud might be happening.
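The sender-address sign above can be checked automatically. The following is an added example, not Trustpair's code: it compares an incoming sender against the supplier contacts you already have on file and flags near-matches such as a swapped letter pair or a changed top-level domain. The function names, the distance threshold and the sample addresses are assumptions made for illustration.

```python
def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent swap (robetr/robert) as one edit."""
    prev2, prev = [], list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def split_address(addr: str):
    """Return (local part, domain without TLD, TLD), lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    name, _, tld = domain.rpartition(".")
    return local, name, tld


def classify_sender(sender: str, known_contacts, max_distance: int = 2):
    """Return (verdict, matched_contact, reasons) for a sender address."""
    s_local, s_name, s_tld = split_address(sender)
    for contact in known_contacts:
        if split_address(contact) == (s_local, s_name, s_tld):
            # Address matches only; a compromised real mailbox also lands here.
            return "known", contact, []
    for contact in known_contacts:
        k_local, k_name, k_tld = split_address(contact)
        local_d = osa_distance(s_local, k_local)
        name_d = osa_distance(s_name, k_name)
        if local_d + name_d > max_distance:
            continue
        reasons = []
        if local_d:
            reasons.append(f"local part differs by {local_d} edit(s)")
        if name_d:
            reasons.append(f"domain differs by {name_d} edit(s)")
        if s_tld != k_tld:
            reasons.append(f"TLD .{s_tld} instead of .{k_tld}")
        return "lookalike", contact, reasons
    return "unknown", None, []


# Constructed sample: one supplier contact on file (example.com is a reserved domain).
KNOWN = ["robert@example.com"]
for addr in ("robetr@example.com", "robert@example.org", "robert@example.com"):
    print(addr, classify_sender(addr, KNOWN))
```

A "known" verdict only means the address matches the one on file, so a request to change bank details still needs independent verification.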
We at Trustpair like to recommend taking an even more cautious approach and treating every request to change credentials as a potential invoice fraud attempt. Our software solution does automatic and real-time checks of your suppliers’ credentials, so you always know you’re paying the right person.
Every request should lead to verifying your third-party information against international sources to assert ownership of the new bank account. We’ll see more ways to protect yourself effectively below.
What types of fraud can use fake invoices?
Fake invoice fraud or wire transfer fraud is closely linked to (and used in) other types of fraud, all falling under the Business Email Compromise (BEC) umbrella term:
- Vendor fraud: a fraudster impersonates a known supplier to receive an invoice payment into their own bank account. It can be done through a fake supplier, or with a real supplier sending fake invoices.
- Phishing: your employee receives an email luring them to click on a fraudulent link redirecting to a fraudulent website, or to download malware attachments. Phishing emails often make too-good-to-be-true offers to convince victims to proceed. In the process, hackers get access to sensitive data and/or manage to breach your security system to steal funds. Spearphishing is an even more personalized version of this fraud, where the email is tailored to its recipient. Those kinds of cyberattacks are often a first step that contributes to a more elaborate type of fraud – like repetitive invoice fraud. Once they have access to the information they need, creating an invoice scam becomes very easy.
- CEO fraud, also called impersonation fraud: fraudsters impersonate the CEO or a high-level executive of your company to ask an employee for a (confidential, urgent) payment. The goal is to get the employee to make an unauthorized transfer to a given bank account. They might attach an official-looking invoice to their email to add some weight to their demand.
How can you fight invoice fraud?
Set up security measures
To effectively protect your business against invoice fraud, you must work towards becoming a cyber-aware company. A company where security is a priority for everyone, employees and management alike.
Here’s how to protect your organization:
- Deliver regular training: educating your employees about what third-party fraud looks like is key. Better than doing one-off sessions, focus on delivering ongoing training to your employees. That’ll keep them up-to-date with the latest scams around, but also help to keep the matter top-of-mind.
- Set up safety measures: your processes must be unbreachable for your company to be secure. Doing a thorough mapping of your risks is essential to mitigate them. For payments specifically, we suggest you use the 4-eye principle as an added layer of protection. Segregation of duties is an essential component to reduce the risk of invoice fraud!
- Be careful about your data: check the data that’s easily accessible about your company – from who manages payroll payments to who has access to your TMS. Personal information or financial information is what criminals need to serve their malicious intent. Vulnerabilities will be exploited, it’s just a matter of when.
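The 4-eye principle above, combined with the earlier advice to treat every change of bank details as a potential fraud attempt, can be enforced as a gate in front of payment release. This is an added example, not Trustpair's code; the class, field and function names, the user names and the placeholder IBANs are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PaymentRequest:
    vendor_id: str
    iban: str
    requested_by: str
    approvals: set = field(default_factory=set)
    bank_change_verified_by: Optional[str] = None  # who confirmed new details


def normalize_iban(iban: str) -> str:
    """Strip whitespace and upper-case so formatting differences are ignored."""
    return "".join(iban.split()).upper()


def release_decision(req: PaymentRequest, vendor_master: dict):
    """Return ("RELEASE" | "HOLD", reason) for one payment request."""
    on_file = vendor_master.get(req.vendor_id)
    if on_file is None:
        return "HOLD", "supplier is not in the vendor master file"
    if normalize_iban(req.iban) != normalize_iban(on_file):
        # Changed bank details: someone other than the requester must have
        # confirmed them with the supplier before any money moves.
        verifier = req.bank_change_verified_by
        if verifier is None:
            return "HOLD", "bank details differ from those on file; not yet verified"
        if verifier == req.requested_by:
            return "HOLD", "bank detail change must be verified by a second person"
    # Segregation of duties: the requester's own approval does not count.
    independent = req.approvals - {req.requested_by}
    if not independent:
        return "HOLD", "4-eye principle: needs an approver other than the requester"
    return "RELEASE", "details match or change verified; independently approved"


# Constructed sample data: placeholder IBANs, hypothetical user names.
VENDOR_MASTER = {"V-100": "XX00 0000 0000 0000 0001"}
changed = PaymentRequest("V-100", "XX00 0000 0000 0000 0999", "ana", {"ben"})
print(release_decision(changed, VENDOR_MASTER))
```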
Use automation to block invoice fraud
The best way to block invoice fraud is to use anti-fraud software. Software automates processes that are lengthy and error-prone.
Take checking your suppliers’ credentials for example. Your employees could try to check each and every one of them before each payment campaign (which is really what they should do). Doing it thoroughly would be tedious and time-consuming.
What’s more, manual checks aren’t foolproof. In the most convincing scams, criminals easily deceive even the most suspicious employee with elaborate schemes.
A perpetrator will for instance hack into a supplier’s system to have access to their phone or emails. With 70% of credential change verifications done through phone calls, there is a huge gap between the technology used by identity thieves and their victim-to-be.
Doing manual third-party checks takes longer and is not as foolproof as using anti-fraud software. Trustpair does automatic third-party checks so you can be confident that your payments are sent to your real suppliers. Auditing the credentials is done in real-time, which means you’ll never fall prey to fake invoice scams.
- Invoice fraud works because most employees don’t know how to spot it. They think they are paying real suppliers, but send money to scammers instead.
- The best way to protect your company against it is to use anti-fraud software like Trustpair, which checks your third-party information in real-time.