As the COVID-19 pandemic continues, businesses are at an increased risk of being targeted by fraudsters, with many businesses having moved online and with employees, including accounts personnel, working from home. Invoice fraud, in particular, is on the rise and, while not a new scam, it can be catastrophic for businesses that fall victim. In August last year one Dublin business alone lost €1.2m due to this type of fraud. FraudSMART and SFA look at how this scam works and how businesses can protect themselves from falling victim.
So how does invoice fraud work?
Using a spoofed email address, the fraudster emails you pretending to be one of your suppliers. The email will mirror an email that you regularly receive from your supplier, including logos and signoffs. The email informs you that the supplier has a new bank account and that all future payments should go to the new account. When you receive the next legitimate invoice from the real supplier, you make a payment to the new bank account. Generally, it is only later, when the real supplier sends you a reminder to pay the invoice, that you realise what has happened. Even if you request a recall of the payment through your bank, there is no guarantee that the funds can be returned. Fraudsters are quick and will move money as soon as they receive it.
Organisations of all sizes are open to fraudulent attacks, but SMEs can be a particular target as their security systems may not be as robust as those of larger organisations, and with new systems and processes being implemented quickly during the pandemic there may be gaps in the chain that fraudsters will use. Keeping security systems and devices protected with official and reliable software and backups can assist greatly in keeping fraudsters out of your business. It is also important to be aware that you may be at risk of fraud indirectly if a fraudster compromises a supplier’s system and sends you fraudulent emails from their accounts to defraud you. This is where procedures and processes, and keeping staff informed of scams, pay dividends.
How can I protect my business from invoice fraud?
- Ensure employees are fraud aware and understand the controls and procedures in place to prevent fraud.
- Have a verification process in place before changing saved bank account details of your suppliers or service providers e.g., verbally verify bank account change requests from suppliers with an agreed point of contact. Do not use contact details from the email requesting the change as this could be false.
- Provide cyber security training for staff to include directions such as not clicking on links in emails or ensuring systems are password protected.
- Don’t assume you can trust caller ID. Phone numbers can be spoofed so it looks like a company is calling even if it is not the real company.
- Fraudsters can change an email address to make it look like it comes from somebody you email regularly. Look out for different contact numbers and/or a slight change in the email address e.g., ‘.com’ instead of ‘.ie,’ as these may differ from previous correspondence.
- Fraudsters may already have basic information about you or your business in their possession (e.g., name, address, account details). Do not assume the caller is genuine because they have these details.
- Be wary of payment requests that are unexpected, irregular or require changes to bank account details, whatever the amount involved.
- Ensure that security and software are regularly updated and maintained using official and reliable software, and that your system is regularly backed up.
- Always exercise caution when forming new relationships with potential customers and undertake appropriate due diligence.
- Don’t allow yourself to be rushed. Take your time and do the relevant checks.
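The address check and verification step from the list above can be partly automated. The sketch below is an added example, not FraudSMART or SFA material; the supplier names, domains and sample senders are constructed, and the function names are hypothetical.

```python
from email.utils import parseaddr

# Constructed supplier master data: domains recorded when each supplier was onboarded.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.ie": "Acme Supplies",
                          "greenfield-print.ie": "Greenfield Print"}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, known=KNOWN_SUPPLIER_DOMAINS, max_distance=2):
    """Return (verdict, known domain it matches or resembles)."""
    # Use the address itself; the display name is free text chosen by the sender.
    address = parseaddr(from_header)[1]
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in known:
        return "known", domain
    name = domain.rsplit(".", 1)[0]
    for good in known:
        if name == good.rsplit(".", 1)[0]:
            return "lookalike-tld", good          # e.g. '.com' instead of '.ie'
        if edit_distance(domain, good) <= max_distance:
            return "lookalike-spelling", good     # one or two characters changed
    return "unknown", None

def review_bank_change_request(from_header):
    """Decide how to handle an email asking to change a supplier's bank details."""
    verdict, resembles = classify_sender(from_header)
    steps = ["hold the change", "phone the agreed contact on the number already on file"]
    if verdict.startswith("lookalike"):
        steps.append("report as suspected invoice fraud imitating " + resembles)
    # A 'known' verdict is not proof: addresses can be spoofed and a supplier's
    # mailbox can be compromised, so the phone check applies to every request.
    return {"verdict": verdict, "resembles": resembles, "steps": steps}

if __name__ == "__main__":
    for sample in ["Acme Accounts <accounts@acme-supplies.com>",   # constructed
                   "accounts@acme-supplles.ie", "accounts@acme-supplies.ie"]:
        print(sample, "->", review_bank_change_request(sample))
```
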
Remember, implementing processes to prevent fraud does not have to be a costly task. In fact, low-cost measures can prevent most frauds from taking place. Simple procedures such as verifying new payment details verbally can prevent fraud from happening in the first instance. If you fall victim to a scam or have noticed unusual activity on your account, contact your bank immediately. The sooner the bank can investigate potential losses, hold funds in accounts and place recalls on transfers made in error, the better. You should also report the incident to your local Garda station.
For further information visit FraudSMART where you can download the booklet on how to protect your business from invoice fraud and other scams.