Many businesses are losing thousands of pounds to invoice fraud, with losses running into billions each year. The problem is widespread and likely to be under-reported. Here's what you need to know and do to keep your business safe.
What is invoice fraud?
Commonly, invoice fraud is a request for payment by means of a false bill that you receive via email. This email is often sent to someone in a position of authority, and can look authentic.
As a result, a payment may be made before the fraudulent nature of the request is spotted.
You may have received one of these emails yourself and recognised it as bogus, but if the email is received by an employee whose role is simply to authorise or process payments, it may not be so obvious to them that something is wrong.
Other types of invoice scams include viruses posing as bills, and requests to change banking details that leave your genuine supplier unpaid.
How great a problem is it?
Security experts are reporting that around 40% of businesses have been affected, and that the payment averages around £1,658 per case.
Of course, these figures reflect only those organisations that have reported the fraud. It’s likely that many companies have not done so – some may view it as a lesson learnt, or as an embarrassment.
Why invoice fraud works
A number of tactics are used to dupe us into opening and processing fake invoices. They’re cleverly designed to get around our vigilance by removing the cues we recognise in spam. Unfortunately, once we’re off our guard, we’re more prone to error.
Firstly, the invoices and emails are written in good English, and in some instances they use regional words to give the impression that they’re written by a real person, not too far away.
The emails are targeted, and are often directed to people in senior roles or within the finance team. The “From” field is set to the name of a real person, even a colleague. Names and roles are available on the Internet.
The invoices may be convincingly branded and it can take close scrutiny to see that they’re fake. The organisation will be real, perhaps a local business or an authority – or a supplier you’ve recently had dealings with.
Find out more about the varying tactics used by fraudsters as reported in the articles below:
- Fraudsters steal £9bn from Britain’s small businesses
- UK small businesses losing £9bn a year to fraud
- Account switch scam nets 5,000 victims
What can be done?
Awareness and vigilance
With invoice fraud, your employees form the weakest link. Make sure they don’t take official-looking emails at face value, and that they perform checks, i.e. call the supplier on their usual telephone number, NOT the one given within the suspicious email.
Up to date Anti-Virus and Firewall
You should ensure your Anti-Virus and Firewall solutions are up to date and, if you’re running older versions of software (such as versions of Microsoft Office pre-2010 and especially Windows XP), consider upgrading.
Unsupported software is no longer updated, so it’s especially vulnerable to attack.
Don’t enable macros
Don’t enable macros for any untrusted documents you open. Doing so will almost certainly install a virus or other dangerous malicious software, known as “malware”, that can seriously affect your computer and, in the worst cases, your entire network. This could allow the sender to access your stored data, which can be used in an attempt to steal further money from you.
Finally, if you have received, or think you may have received, a fraudulent invoice – report it. Contact Action Fraud, the UK’s national fraud and cyber crime reporting centre.
Other types of malicious email
Unfortunately, invoice fraud is one of several nasty email attacks designed to cause you problems and financial loss. Other types of malicious emails include spam and phishing tactics.
Find out more about staying safe from spam and phishing emails in our previous blog article below:
- Staying safe from spam and phishing emails
Need help or more information?
Air-IT can help secure your systems and data with years of experience, and close relationships with key security and threat-management vendors such as Sophos, Dell Sonicwall, Exclaimer and Cisco.