When Lee,* an Accounts Payable Officer, saw an email from one of her suppliers saying they’d changed their bank details, she didn’t think twice. After all, the invoice looked normal, and the email sounded completely legitimate. What could possibly go wrong?!?
A lot, apparently.
When most of us think of email scams, we think of badly spelt, too-good-to-be-true requests coming from dodgy email accounts. But the reality is that email scams are now becoming so sophisticated and convincing that they’re impossible to distinguish from the real thing. Lee was far from alone in being fooled: Australians now lose over $AUD 340 million per year to scammers.
So how exactly did scammers manage to impersonate Lee’s supplier? The scam that she fell victim to was called invoice redirection fraud and it’s fast growing in prevalence. Here’s what it’s all about and how you can avoid it happening to you:
Invoice redirection fraud: how it works
Invoice redirection fraud is as simple as it is dangerous. A scammer will pose as a legitimate supplier and then request payment to a bank account they control. In order to make the invoice look legitimate, the scammer may have hacked your or your supplier’s computer systems. The invoice may even come from a supplier’s email address (if that’s been hacked) or more likely from some subtle variation of it. Often, you won’t know there’s a problem until your supplier starts chasing you for the payment they haven’t received.
Businesses need to be extra vigilant to avoid:
- Accidentally paying a fraudulent invoice, or
- Being impersonated to their clients/customers and having their clients pay the fraudster instead of them.
How to avoid paying a fraudulent invoice
The good news is there are definitive steps your business can take to minimise risks.
We recommend that you:
- Store supplier banking details in your accounting software or bank (as opposed to entering them from invoices at the time of payment)
- Limit the number of people with permission to change supplier bank details
- Verify change requests by phone using pre-existing contact details (ideally with an individual you know)
- (For larger organisations) Make sure you have approval processes in place to change bank details.
In addition to these processes, make sure your accounts team is trained to pick up the following invoice irregularities:
- Slightly changed email addresses
- Altered invoices, especially those with graphics of inferior quality
- Different or mismatched fonts in the body of the email and invoice
- Unusual or lower quality English in emails or on invoices.
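The Python below automates two of the checks in this section: comparing an invoice's bank details with the stored supplier record, and flagging sender addresses whose domain is a slightly changed version of a known supplier's. It is an added example, not code from the article; the supplier records, domains, account numbers and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Supplier:
    name: str
    email_domain: str
    bsb: str
    account: str

# Constructed supplier master file (sample data, not from the article).
SUPPLIERS = [
    Supplier("Acme Paper", "acmepaper.example", "062-000", "12345678"),
    Supplier("Northside Freight", "northsidefreight.example", "083-004", "87654321"),
]

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_invoice(sender, bsb, account, suppliers=SUPPLIERS, max_distance=2):
    """Return the reasons to hold a payment; an empty list means no flags."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    reasons = []
    exact = next((s for s in suppliers if s.email_domain == domain), None)
    near = None
    if exact is None:
        # Not a known domain: is it within a couple of edits of one?
        near = min(suppliers, key=lambda s: edit_distance(domain, s.email_domain))
        if edit_distance(domain, near.email_domain) <= max_distance:
            reasons.append(f"sender domain {domain!r} is a near match for {near.email_domain!r}")
        else:
            near = None
            reasons.append(f"sender domain {domain!r} is not in the supplier master file")
    supplier = exact or near
    # Checked even for an exact domain match, since a real mailbox can be hacked.
    if supplier and (bsb, account) != (supplier.bsb, supplier.account):
        reasons.append(f"bank details differ from those stored for {supplier.name}; "
                       "verify by phone using pre-existing contact details")
    return reasons
```

A payment with any returned reason is held until someone confirms the change by phone; the check supports that call and does not replace it.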
How to avoid being impersonated
While paying a fraudulent invoice can cost you money, it’s just as important to avoid a customer or client paying a falsified invoice purportedly from your business. That client may never recover their money, and you may have difficulty getting your actual invoice paid in future. Here’s how to avoid a scammer impersonating you:
- Secure your email, accounting and any other systems with invoice or client details behind two-factor authentication
- Communicate with clients/customers ahead of time to establish a verification process if details do need to change
- Regularly remind clients of your invoice processes
- Ask that your client alert you if they ever receive a change request
- Educate your clients about the possibility of invoice redirection fraud (using this article as a start!).
Invoice redirection fraud is, unfortunately, one of the many more sophisticated scams that affect small to medium businesses. However, with careful planning, it is possible to prevent it from happening to you.
Slate Accounts takes precautions to ensure that all of our clients are protected from invoice redirection fraud and other related scams. If you’d like to learn more about Slate and our services, please get in touch.
*Name has been changed to protect Lee’s privacy.