Chances are you think that CEO fraud or invoice fraud is something that won’t happen to your organization. More than four in ten businesses in the UK are unaware of the risks posed by invoice fraud, according to a survey by banking trade body UK Finance. And if you are aware of the dangers, you might have already become a victim. In this article we will explain what these types of fraud actually entail, what you can do when it has happened to you and what you can do to prevent it from happening again.
Invoice fraud versus CEO fraud
When scammers trick firms into transferring money by posing as legitimate payees, it can be called invoice or CEO fraud, but also ‘spoofing’ or ‘business email compromise’. It is when fraudsters pose as vendors or business partners and convince companies to wire large sums of money to an offshore account as payment for services that were never rendered.
Invoice fraud and CEO fraud are two different things that overlap to a large extent, which is why we will discuss both in this article. When you break it down, the difference is actually quite apparent. CEO fraud is when criminals pose as the CEO of a company, or sometimes another board role, to trick company employees into sending money to criminals for undelivered services. When a fraudulent invoice is used to trick a company into paying money to criminals, it is called invoice fraud. When a criminal impersonates the CEO and uses a fraudulent invoice in the process, it is both. Both types are becoming more and more common, since more and more actual business is happening online.
How big is this problem?
These types of scam cost UK firms almost £93m in 2018, the UK Finance study says. In 2019, Google and Facebook got tricked out of $123 million. In June this year an Irish company transferred over $74,000 into a fraudulent account based in China.
According to the FBI, the amount of money that scammers attempted to steal through business e-mail compromise grew 136% between December 2016 and May 2018. Globally, e-mail scammers targeted more than $12 billion between October of 2013 and May of 2018.
So don’t be embarrassed if it has happened to you. These people are cunning and they know exactly how to trick businesses out of their money. Some even learn how to do it on the dark web, a dirty corner of the Internet where criminals can communicate anonymously. They teach each other how to commit fraud and what tools to use, for instance.
How tricksters do it
They first research their target, then they spoof an email address of the victim’s CEO or executive and they use their research to craft a targeted message with a definite sense of urgency. The victim receives what appears to be an email from their executive or CEO, clicks on the link to review it and shares their private information with the phishing site. The scammers then break into the victim’s network. Of course, there are numerous ways of going about this, but this order of events pretty much sums it up.
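From the recipient's side, the spoofed executive email described above leaves signs that can be checked before anyone acts on it. The following is an added example, not part of the original article: the company domain, executive name, keyword list and sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"        # assumption: the organization's own mail domain
EXECUTIVES = {"jane doe"}             # assumption: names a fraudster would impersonate
URGENCY = ("urgent", "immediately", "today", "confidential")

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()

def review_email(raw):
    """Return the warning signs found in one raw email message."""
    msg = message_from_string(raw)
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    # Only meaningful when this header was added by your own receiving mail server.
    auth = msg.get("Authentication-Results", "").lower()
    signs = []
    if display_name in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        signs.append("executive name on an external address")
    if reply_domain and reply_domain != from_domain:
        signs.append("Reply-To points to a different domain")
    if "dmarc=pass" not in auth:
        signs.append("no DMARC pass recorded by the receiving server")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(word in text for word in URGENCY):
        signs.append("urgency or secrecy wording")
    return signs

# Constructed sample message using reserved example domains.
SAMPLE = """\
From: Jane Doe <jane.doe@example.net>
Reply-To: payments@example.org
To: finance@example.com
Subject: Urgent payment needed
Authentication-Results: mx.example.com; dmarc=fail header.from=example.net

Please pay the attached invoice today and keep this confidential.
"""

if __name__ == "__main__":
    for sign in review_email(SAMPLE):
        print("WARNING:", sign)
```

A message that raises any of these signs should be verified through a second channel before payment.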
In the case of invoice fraud, you often see invoices from existing suppliers that have been intercepted and altered by changing the bank account details. Therefore the invoice seems to be authentic at first glance. The products have actually been purchased and the supplier is trusted, but if payment is made, the money goes to the scammers. There are also cases when criminals email or call into finance departments to alter the bank account details of a supplier they supposedly work for, to try and receive future payments to this supplier. So any unexpected and unverified bank detail change is a major red flag. Never trust a single email or phone call without using a second verification method.
In Google and Facebook’s cases, a Lithuanian scammer spent two years posing as a third party who conducted business with them. The tech giants’ money traveled the world to be laundered before ending up in the criminal’s hands. The funds were wired to his bank accounts in Latvia and Cyprus and then divided up into different bank accounts in various locations throughout the world. He forged invoices, contracts, and letters that appeared to have been executed and signed by executives of Google and Facebook and which bore false corporate stamps with their names. Google lost around $23 million in the scam, while Facebook was out $100 million.
You have been scammed: what now?
Unfortunately, getting your money back has proven to be quite difficult. Representatives for Google and Facebook both said their respective companies recovered the stolen funds, but that’s very rare. Most insurance companies will simply point the finger at you as the sole responsible party, since you are the one who has been scammed.
If you have been tricked by a fake supplier, there is no use asking the real supplier for your money back either, because they are not the ones who scammed you. Your best chances lie with your bank, to see whether you are somehow protected or if they can recover the money, but banks, too, will be reluctant to cover damages in most cases. Save all messages and other evidence associated with the incident.
In any case, speed is of the essence. The longer it takes to discover the fraud, the slimmer the chance is that any money can be located. Scammers usually try to move the money all over the world as fast as possible.
The next step is to prevent this type of crime from ever happening again.
What can your organization do?
1. Inform your employees of how this type of fraud works and how they should handle invoices. They should be especially alert when the terms of payment suddenly change or a vendor asks for funds to be sent to a different bank account than usual.
2. Implement a two-party (“four eyes check”) sign-off for all payment transfers, rather than having one person responsible.
3. Talk to your bank or accounting software provider about building special protocols, like voice or two-factor verification, into the wire transfer process.
How technology can help prevent invoice fraud
It’s wise to consider combining all of these useful tips by using an invoice processing solution. Automating any manual task or process will eliminate human errors altogether. When we’re talking about errors that cost up to millions of dollars, it’s quite important to see whether they could be avoided.
Statistics reveal that many scams could be easily circumvented – only a quarter of employees processing an invoice double-checked with a colleague before making a payment. Meanwhile, a similar percentage said they were scammed because they trusted the email address it was sent from.
It’s only natural that people make mistakes, and online criminals are getting more and more sophisticated. Especially now that COVID-19 is causing many organizations financial distress, employees feel the pressure to act quickly.
In addition, most people have been working from home, sometimes (partly) outside the protected IT infrastructure of the employer. IT is as secure as its weakest link, and if your WiFi password is hello123, there is a good chance that you are that link. This means easy access for hackers looking for their next prey.
The battle against online criminals should be faced online: by using reliable software that contains business rules that will help you secure your invoicing process. Klippa’s invoicing software has various features that will help put an end to invoice fraud. It:
1. Does 3-way matching: if you can match each invoice to a PO number and receipt of goods for instance, then you’re much less likely to pay a fraudulent invoice. Fabricating three separate documents is too much work for most fraudsters.
2. Checks suppliers’ financial information: Fraudulent invoices are usually either issued under fake company names or they use a legitimate name but a fake address or bank account number. Our software automatically checks the legitimacy of a certain supplier by matching the CoC number, bank account number and VAT number to the archives of the Chamber of Commerce. If any of this information changes, the users are notified to verify.
3. Checks the supplier’s address on Google Maps. If the address is residential or a post-office box, there is a big chance the invoice is fraudulent.
4. Checks whether the interval makes sense: are you expecting an invoice from this company? Is this a normal time to receive it?
5. Automatically notices duplicate invoices and sends a notification to the relevant employees when this happens. It is quite hard for the human eye to recognize duplicates, especially when looking at many invoices each day. It takes a computer a second to recognize them and alert the user.
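To show what such business rules look like in practice, here is a sketch of three of the checks listed above (3-way matching, bank details compared with a verified vendor record, duplicate detection). It is an added example and not Klippa's code; all identifiers, IBANs and reference data are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    supplier_id: str
    number: str
    po_number: str
    amount_cents: int
    iban: str

# Constructed reference data: verified IBAN per supplier, PO -> (supplier, cents).
VENDOR_MASTER = {"SUP-001": "NL00EXAM0000000001"}
PURCHASE_ORDERS = {"PO-1001": ("SUP-001", 420000), "PO-1002": ("SUP-001", 99000)}
GOODS_RECEIPTS = {"PO-1001"}  # purchase orders for which goods were received

def norm(value):  # compare identifiers without regard to spacing or case
    return "".join(value.split()).upper()

def check_invoice(inv, history):
    """Return red flags for `inv`; `history` holds invoices already processed."""
    flags = []
    po = PURCHASE_ORDERS.get(inv.po_number)
    # 3-way match: invoice against purchase order and goods receipt.
    if po is None or po[0] != inv.supplier_id:
        flags.append("no matching purchase order")
    else:
        if po[1] != inv.amount_cents:
            flags.append("amount differs from purchase order")
        if inv.po_number not in GOODS_RECEIPTS:
            flags.append("no goods receipt")
    # Bank details must equal the independently verified vendor-master entry.
    known_iban = VENDOR_MASTER.get(inv.supplier_id)
    if known_iban is None:
        flags.append("unknown supplier")
    elif norm(known_iban) != norm(inv.iban):
        flags.append("bank account differs from vendor master")
    # Duplicate: same supplier with the same number, or the same PO and amount.
    for old in history:
        same_number = norm(old.number) == norm(inv.number)
        same_content = (old.po_number, old.amount_cents) == (inv.po_number, inv.amount_cents)
        if old.supplier_id == inv.supplier_id and (same_number or same_content):
            flags.append(f"possible duplicate of {old.number}")
            break
    return flags

# Constructed invoices: genuine, intercepted with altered IBAN, sent a second time.
genuine = Invoice("SUP-001", "INV-7781", "PO-1001", 420000, "NL00 EXAM 0000 0000 01")
altered = Invoice("SUP-001", "INV-7781", "PO-1001", 420000, "LT00EXAM0000000099")
resent = Invoice("SUP-001", "inv-7781 ", "PO-1001", 420000, "NL00EXAM0000000001")
```

An empty result means no rule fired; any flag should route the invoice to a person for verification instead of to payment.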
Of course, it’s not all up to software to keep your company safe from attacks. Keep your employees informed of the risks and make sure they double-check any invoice requesting a significant amount of money, or even smaller amounts that recur on a regular basis. Make sure your employees always use two channels to verify a strange request. So if you receive a request via mail, use a phone to verify the message with the supposed sender. This reduces the chances of fraud drastically. Always have four eyes looking at any incoming invoice: this reduces the chance of letting fraudulent invoices slip by. When suppliers change bank account numbers, always contact them directly to see whether the change is legitimate. To verify, don’t use the phone number listed on the invoice, but use an official phone number from a trusted contact person within the organization.
Let’s get in touch
If you would like to learn more about how Klippa’s accounts payable software can help protect your company and improve your accounts payable process, please get in touch. You can reach us via [email protected]. Alternatively, you can plan a 30-minute demo during which we explain how our software works and how it will benefit your organization.