UK businesses are coming under attack from a wave of fake invoicing scams, with small and medium-sized businesses a favoured target, according to Action Fraud and fraud prevention service Cifas. Figures for the first half of 2015 show that 715 UK businesses, overwhelmingly SMEs, reported falling prey to this type of scam, which puts the country on course for a record haul of cases. As with any reporting system, the true number must be several times that figure.
To emphasise the seriousness of this type of fraud, two businesses that complained of invoice fraud were said to have lost sums of around £1 million ($1.5 million) each. Further afield, there are occasional spectacular examples such as the extraordinary $46.5 million Ubiquiti Networks admitted it had handed over to criminals from its Hong Kong subsidiary as part of a sophisticated business email compromise (see below).
The warning lights are now flashing red. Across the developed world, this is now one of the biggest categories of digital fraud, with the FBI and Australian authorities putting out regular alerts of their own. An underlying issue is that while the fraudsters often exploit weaknesses in technology to attack businesses, the biggest flaws are always human and result from a lack of awareness and training, and from poor systems, policies and checking. People make assumptions about identity and legitimacy and take too many short cuts.
But why have these scams become so successful? And what, if anything, can businesses do to protect themselves?
Spotting fake invoice scams: Malware and beyond
It’s important not to confuse fake invoice fraud with the common ‘unpaid invoice’ emails that turn up in everyone’s inbox from time to time. Those are usually a mechanism to persuade recipients to open attachments as a way of spreading malware. The invoice topic is simply a lure.
That said, a growing number of scammers do employ a slightly more directed version of this approach intended to find low-level admin people who will take an invoice demand, however implausible, at face value. There are numerous anecdotes of this approach working for smaller sums of money. Malware has also been used to carry out reconnaissance on target organisations.
Spotting fake invoice scams: Accounting systems
The simplest form of fake invoice scam is a well-crafted and targeted demand for money, usually a small sum for office supplies or some other routine service that was never undertaken but sounds plausible. If the invoice is sent to someone in the accounting office, the crooks know it won’t often be discarded out of hand. These job roles receive numerous invoices in any day and will treat them as being equally valid unless something suggests otherwise. Fraudsters might also make phone calls to add to the authenticity, citing a genuine name or department as having consumed the imaginary services.
The first defence, then, is a company’s accounting systems. The simplest system is to match an invoice number to a purchase order, preferably with a shipping or confirmation order. These systems are used by any serious company, usually to detect internal fraud. If there is no match, the invoice can’t be paid without further verification.
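The matching rule described above, sketched as an added example rather than code from this article or from any accounting product: an invoice is released only when it quotes a known purchase order that also has a shipping or delivery confirmation, and everything else is held for verification. The record fields, the extra supplier and amount comparisons, and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    supplier: str
    amount_pence: int

@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: Optional[str]  # None when the invoice quotes no purchase order
    supplier: str
    amount_pence: int

def match_invoice(invoice, purchase_orders, confirmations):
    """Return (decision, reasons); decision is "PAY" or "HOLD"."""
    reasons = []
    po = purchase_orders.get(invoice.po_number) if invoice.po_number else None
    if po is None:
        reasons.append("no matching purchase order")
    else:
        # Assumed extra checks: the article only requires the PO match itself.
        if po.supplier.strip().lower() != invoice.supplier.strip().lower():
            reasons.append("supplier differs from purchase order")
        if invoice.amount_pence > po.amount_pence:
            reasons.append("amount exceeds purchase order")
        if po.po_number not in confirmations:
            reasons.append("no shipping or delivery confirmation")
    return ("HOLD" if reasons else "PAY", reasons)

# Constructed sample records (not real suppliers or invoices).
PURCHASE_ORDERS = {
    "PO-1001": PurchaseOrder("PO-1001", "Example Paper Ltd", 12000),
    "PO-1002": PurchaseOrder("PO-1002", "Example Couriers Ltd", 4500),
}
CONFIRMATIONS = {"PO-1001"}  # POs with goods or services confirmed received
INVOICES = [
    Invoice("INV-501", "PO-1001", "Example Paper Ltd", 12000),
    Invoice("INV-502", None, "Example Toner Supplies", 8999),
    Invoice("INV-503", "PO-1002", "Example Couriers Ltd", 4500),
]

def review_batch(invoices=INVOICES):
    """Map each invoice number to its (decision, reasons) result."""
    return {i.invoice_number: match_invoice(i, PURCHASE_ORDERS, CONFIRMATIONS)
            for i in invoices}

if __name__ == "__main__":
    for number, (decision, reasons) in review_batch().items():
        print(number, decision, "; ".join(reasons))
```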
Unfortunately, fake invoice scams have long since become cleverer than that.