
Invoice fraud: How it works and five ways to prevent it


A lot of online scams are pretty obvious. You know you don’t have $154,000.12 in Bitcoin waiting to be claimed. You’re not going to correspond with any Nigerian princes. And you know your bank isn’t sending you emails titled ‘Alert: You’re Balance will soon EXPIRE!!!!!’.

Unfortunately, the types of scams most likely to affect New Zealand businesses are considerably more sophisticated. Invoice fraud is increasingly prevalent, surprisingly convincing, and it’s already conned some of the world’s smartest people and corporations out of millions of dollars.

How it works: What clients need to look out for

Invoices look like they come from suppliers
There are various types of invoice fraud, but the most common is a fake invoice from a supplier. A scammer can simply create a bogus invoice that looks like one from your supplier, but with a different bank account. They will often use an email address that is just a single letter apart from your supplier’s email address. This is what happened to experienced US entrepreneur Barbara Corcoran, star of Shark Tank. She sent US$388,000 to a fraudster’s bank account in Asia, after being tricked into thinking the invoice was being forwarded by her assistant. The invoice was sent using an email that was almost identical to the assistant’s email, only missing a letter O. That money was never recovered.

This fraud can be particularly effective if your business is still processing payments manually based on each invoice.

Hacked emails mean scammers can be extremely convincing
Even harder to detect? When scammers hack your supplier’s email account and start watching for patterns. They get to know your business cycle, know when you’re expecting to receive an invoice, and they know the typical amounts and items on invoices. This method proved effective in scamming our own America’s Cup team out of $2.8 million. Following some carefully timed emails for the correct amounts, two payments went to a Hungarian bank account instead of to the team’s European TV broadcast partner. Only a small amount of the money has been recovered and there is now an ongoing dispute about who is responsible for the mistake.

Scammers can make it even easier for themselves, simply emailing you from your supplier’s actual email address to tell you that their bank account has changed. The Far North District Council was conned out of $100,000 using this method, after fraudsters hacked a supplier’s email and notified the Council of an account number change. The Council was lucky enough to recover all the money, but that’s often not the case. And replying to the email won’t necessarily help; fraudsters can set up routing so any reply goes to them, not your supplier.

New clients and high-value one-off transactions most vulnerable
Scammers can also intercept a supplier’s email, altering a PDF invoice to change the bank account number for payment. The advantage of this method is that it raises no alarm bells for you or the supplier. This method won’t always work, particularly if you just pay automatically to the usual supplier account, but it’s especially effective with new suppliers – and of course scammers are on the look-out for those.

Invoice fraud is most effective when you’re paying someone for the first time, which is why scammers have great success with businesses doing high-value occasional transactions. Some examples include law firms, which often do one-off property transactions, and construction companies, whose clients have short life cycles. Manufacturing also falls into this category, with its large occasional orders. However, cybercriminals will target any type of business at all, of any size. For them, this is a low-risk, low-cost business that pays massive dividends.


Five ways to prevent invoice fraud

Here are five tips to prevent invoice fraud:

1. Call new suppliers to confirm their account numbers

When you receive an invoice from a new supplier, ring them and speak to your contact there. Check the account number and tell them to call you if they plan to change it.

2. Set up two-step authentication on your email

If your email account is hacked, it could be you whose name is being used to scam your clients. Don’t make life easy for fraudsters; set up two-factor authentication for access.

3. Use an e-invoicing option

Emailing a PDF is a point of high vulnerability. An e-invoicing option sends emails directly from your accounting software to your supplier’s own accounting software. There is also a new e-invoicing network, supported by the New Zealand and Australian governments, which looks like a fantastic option.

4. Double-check if an account number changes

When a supplier emails you about a new bank account number, or their invoice has a new account number, use a second method of communication to confirm this is genuine – don’t email back, make sure you call or text them.

5. Have bank accounts preloaded for payments

For larger businesses, this might mean a database that integrates with your bank account, so invoices are paid to established and trusted accounts. For smaller enterprises, this means loading supplier details into your banking app so you’re not entering them by hand, from the invoice, each time.
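For businesses that process invoices through a script or accounts-payable system, the warning signs described above (a sender address one letter off, replies routed elsewhere, a bank account that differs from the preloaded one) can be checked automatically before anyone pays. This is an added example, not part of the original article; the supplier record, email addresses, account numbers and function names are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed supplier master record: the trusted, preloaded payment details.
SUPPLIERS = {"accounts@northwood-timber.example": "12-3456-0012345-00"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot addresses a letter or two off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_invoice(raw_email: str, invoice_account: str) -> list[str]:
    """Return the reasons this invoice needs a phone call before payment."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    flags = []
    if sender not in SUPPLIERS:
        # Not a known supplier address: is it a near-copy of one?
        near = [s for s in SUPPLIERS if edit_distance(sender, s) <= 2]
        flags.append(f"lookalike of {near[0]}" if near else "unknown sender")
    if reply_to and reply_to != sender:
        # Replying by email would reach someone other than the visible sender.
        flags.append("replies routed to a different address")
    known = SUPPLIERS.get(sender)
    if known is not None and invoice_account != known:
        flags.append("bank account differs from the preloaded one")
    return flags

# Constructed sample messages (headers only matter here).
GENUINE = "From: Accounts <accounts@northwood-timber.example>\n\nInvoice 1041\n"
LOOKALIKE = "From: Accounts <accounts@northwod-timber.example>\n\nInvoice 1042\n"
HIJACKED = ("From: Accounts <accounts@northwood-timber.example>\n"
            "Reply-To: billing@mail-relay.example\n\nOur bank account has changed.\n")

if __name__ == "__main__":
    print(check_invoice(GENUINE, "12-3456-0012345-00"))
    print(check_invoice(LOOKALIKE, "06-0999-0123456-00"))
    print(check_invoice(HIJACKED, "06-0999-0123456-00"))
```

Any flag means the payment waits until someone has phoned the supplier on a number already on file; an empty result only means none of these three signs were present.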

What can you do if you inadvertently become involved in an invoice scam?

If you discover your business email has been hacked and fake invoices have gone to clients, call your IT provider and all your customers, as fast as you can.

If you have accidentally sent money to a scammer’s bank account, call your bank immediately. It’s hard to stop local transactions, but if you’re quick enough you may be able to intercept international ones.

Unfortunately, if your payment has already gone to the wrong account, it’s very hard to get that money back. Speak to your insurer about whether you are covered for this, what is covered, and how much it might cost to make sure you’re covered comprehensively. Your right of pursuit is not always strong, and your insurance may not pay out if it feels that you were at fault. Establishing fault can be complex, just like in the America’s Cup case, with the potential to leave you out of pocket even if you’re not to blame.

Want to know more? Do get in touch if you’d like to find out about how invoice fraud could impact your business, or how to prevent it.