Four effective ways to prevent invoice fraud in your business

Paul Kane
insight featured image
A lot of online scams are pretty obvious. Your bank isn’t going to send you emails about your balance expiring soon. And you know the IRD isn’t going to send you a text to transfer your tax rebate.

Unfortunately, the types of scams most likely to affect New Zealand businesses are considerably more sophisticated. Our recent biannual business survey revealed that 41% of survey participants undertake specific planning for fraud risks; that number should be a lot higher in today’s environment when breaches are far more prevalent.

Invoice fraud is becoming increasingly frequent, surprisingly convincing, and it’s already conned some of the world’s smartest people and corporations out of millions of dollars. 

How it works: What you need to look out for

Invoices look like they come from suppliers

There are various types of invoice fraud, but the most common is a fake invoice from a supplier. A scammer can simply create a bogus invoice that looks like one from your supplier, but with a different bank account. They will often use an email address that is just one single letter apart from your supplier’s email address. This is what happened to a woman building a childcare centre in North Taranaki. She thought she had paid $53,000 to a contractor for work done but the money went into a hacker’s bank account, never to be seen again.

Hacked emails mean scammers can be extremely convincing

When scammers hack your supplier’s email account, they start watching for patterns. They get to know your business cycle, know when you’re expecting to receive an invoice, and they know the typical amounts and items on invoices. This method proved effective in scamming our own America’s Cup team out of $2.8 million. Believing the hacker was the supplier, Team New Zealand changed the bank details of the supplier to a Hungarian bank account provided by the hacker. 

Scammers can make it even easier for themselves, simply emailing you from your supplier’s actual email address to tell you that their bank account has changed. The Far North District Council was conned out of $100,000 using this method, after fraudsters hacked a supplier’s email and notified the Council of an account number change. The Council was lucky enough to recover all the money, but that’s often not the case. And replying to the email won’t necessarily help; fraudsters can set up routing so any reply goes to them, not your supplier.

Four ways to prevent invoice fraud

Here are four tips to prevent invoice fraud.

1. Verify supplier information

Establish a process for verifying new vendor details, ring them and speak to a contact there. Check the account number and tell them to call you if they plan to change it. Always double check changes in details and not by email, again, be sure to call them.

2. Implement a two-factor authentication process

Require multiple levels of approval for significant financial transactions, especially for changes to vendor details or payment instructions. By implementing a two-factor authentication process, you can ensure that payments are authorised by multiple individuals who have verified the transaction's legitimacy.

3. Train employees about fraud awareness

All fraud has a human element. Train your employees to recognise common red flags. Provide training on how to identify suspicious invoices or requests for payment, such as unusual email addresses, grammatical errors, or unexpected changes in payment instructions.

4. Strengthen cybersecurity measures

Implement robust antivirus and anti-malware software to prevent phishing attacks and malware infections. Regularly update and patch your software systems to address any vulnerabilities. Enforce strong password policies and encourage employees to use unique, complex passwords for their accounts. Use secure file-sharing methods and encrypt sensitive information when transmitting it via email or other channels.