Our checklist helps to protect you from invoice fraud.

Invoice Fraud: How to protect your organisation from fraudsters

What is invoice fraud?

Invoice fraud involves a fraudster notifying your company that supplier payment details have changed and providing alternative details in order to defraud you.

The fraudster could be claiming to be from your company’s genuine supplier, or even be posing as a member of your own firm. Funds are often quickly transferred so recovering money from fraudulent accounts can be extremely difficult.

How does invoice fraud happen?

Invoice fraudsters are often aware of the relationships between companies and their suppliers, and will know the details of when regular payments are due. The fraud may only be discovered when the legitimate supplier follows up on non-payments.

Fraudulent letters and emails sent to companies are often well-written, meaning the fraud is difficult to spot without strong operating processes and controls in place. Email addresses are also easy to spoof, or in the case of malware-infected PCs, criminals can access genuine email addresses.

The process of changing the bank details of someone you are paying should always be treated with extreme caution.

Be more like Will – an office legend

Will has become an office legend simply by spotting scams and, in turn, saving his company big money. Want to know how he does it? See Will thwart a fraudster’s attempt at invoice fraud.

Good afternoon, Forest Firm, Will speaking.

Hi Will, this is Sharon from Leaf Supplies here, how are you today?

I’m alright thanks. How can I help?

Oh I’m just following up on the invoice we sent over this morning for the last shipment. I wanted to check that you got it okay because we’ve updated some of our details.

Oh right, let me just check my emails… Yeah, I’ve got it here, alright.

So, you can see that we’ve changed our main business bank account there, you should have a new account number on the invoice ending in 1234?

Yep, I see that.

Perfect, that’s great. It’s been a bit of a pain to change it, we’ve had some teething problems. I wonder if you would mind settling up the invoice just now so I can check that it comes through on this side? Tessa’s off today and she asked me to sort it before she got back, so if we don’t get it done, I’ll be in a bit of trouble.

Oh, I hope she’s not poorly? I usually deal directly with her though.

Yeah, I know, she’s not very well. It’s nothing serious, but I’ve stepped in. I don’t want to hold things up and give her a mountain to catch up on when she’s back.

Yeah of course, but as I normally deal with Tessa, I’d prefer to deal with her directly, I’m sure you understand.

Of course, of course, but there’s no telling how long she’ll be off for.

Oh okay. Alright well, as you know, I have two points of contact at Leaf for verification purposes. So I’ll hang up now and I’ll call my second contact directly.

Okay, but….

How you can help to prevent invoice fraud – a checklist

  • Always check the details of any new/amended payment instructions verbally by using details held on file, and do not solely rely on the new instruction. Fraudsters can imitate email addresses to make them appear to be from a genuine contact, including someone from your own organisation.
  • If you are suspicious about a request made by phone, call them back on a trusted number. Fraudsters will attempt to pressure you into making mistakes – take the pressure off by taking control of the situation.
  • Consider removing information such as testimonials from your own or your suppliers’ websites or social media channels, as these can help fraudsters identify your suppliers.
  • Look carefully at every invoice and compare it to previous ones received that you know to be genuine – particularly the bank account details, wording used and the company logo. When making a payment, ensure your invoices quote the full legal or ‘trading as’ name.
  • Consider setting up single points of contact with the companies you pay regularly.
  • Apply the same principles to requests from within your own organisation.
  • Always pay attention to Confirmation of Payee (CoP) alerts. CoP is an industry initiative designed to target Authorised Push Payment (APP) fraud in the UK, particularly impersonation fraud, invoice redirection and new payment fraud. The service enables you to check the name of an account against the sort code and account number and confirm whether or not the account details and account name match.
  • Regularly conduct audits on your accounts.
  • Fraudsters will look for opportunities to exploit any vulnerabilities in your processes. Therefore it is crucial to ensure staff are regularly educated, particularly those that are responsible for making payments.
  • While working remotely, ensure you and your colleagues remain vigilant and adhere to relevant checks and processes.

An invoice fraud case study

A client received an email containing an invoice for the amount of £103k, which the client was expecting to pay. The payment wasn’t due until the following month, so they didn’t act upon this invoice. They then received a second email, following on from the original email trail, with a new invoice attached. It advised that the sender was having issues with their bank account and provided new account details to pay.

The client then submitted a payment for the amount requested to an account held with another bank.

The client was made aware of the fraud when they were contacted by their genuine supplier who claimed that they hadn’t received the funds. The supplier confirmed that the bank details on the second invoice were not theirs.

The client's IT Team investigated to see where the email interception happened. However, the money transferred had already been moved on by the fraudsters by the time the alarm was raised.
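The checklist's "details held on file" check and the failure in the case study can be enforced as a gate before a payment is released. The following Python is an added example, not part of the original page: the record layout, the `review` function, the Confirmation of Payee outcome labels and every sample value are assumptions constructed for illustration (the supplier name is borrowed from the dialogue above).

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Bank:
    sort_code: str
    account: str

    def key(self):
        # Compare digits only, so "00-00-01" and "000001" are the same account.
        return (re.sub(r"\D", "", self.sort_code), re.sub(r"\D", "", self.account))

@dataclass(frozen=True)
class Supplier:
    bank: Bank            # details held on file
    callback_number: str  # trusted number from the file, never from the invoice

@dataclass(frozen=True)
class Invoice:
    supplier: str
    amount_gbp: int
    bank: Bank

def review(invoice, on_file, cop_result, callback_confirmed=False):
    """Return ("PAY" | "HOLD", reasons) for one invoice before release."""
    supplier = on_file.get(invoice.supplier)
    if supplier is None:
        return "HOLD", ["supplier not on file"]
    reasons = []
    if invoice.bank.key() != supplier.bank.key() and not callback_confirmed:
        reasons.append("bank details differ from file: verify by calling "
                       + supplier.callback_number)
    if cop_result != "match":  # assumed outcome labels: match / close match / no match
        reasons.append("Confirmation of Payee result: " + cop_result)
    return ("HOLD" if reasons else "PAY"), reasons

# Constructed sample data modelled on the case study; all values are placeholders.
ON_FILE = {"Leaf Supplies": Supplier(Bank("00-00-01", "00000001"), "PHONE-ON-FILE")}
FIRST = Invoice("Leaf Supplies", 103_000, Bank("000001", "00000001"))
SECOND = Invoice("Leaf Supplies", 103_000, Bank("00-00-02", "00001234"))

if __name__ == "__main__":
    print(review(FIRST, ON_FILE, "match"))
    print(review(SECOND, ON_FILE, "no match"))
```

The second invoice is held for two independent reasons, so either control alone would have stopped the payment in the case study.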

What to do if you suspect you’ve received a suspicious invoice

If you have paid the invoice, contact us immediately. Our team will try to recover the money from the fraudster’s bank account. The quicker you alert your bank, the greater the chance of recovering the funds.

Report it to ActionFraud – the police’s national fraud and cyber-crime reporting centre. Even if you’ve not suffered any financial loss, this will allow the police to analyse trends and help them to prevent fraudsters exploiting other companies. You can file a report via their website at www.actionfraud.police.uk

If you receive a suspicious email that appears to be from Barclays, please forward it to internetsecurity@barclays.co.uk and then delete it from your email account immediately.

If you have any queries, please speak to your Relationship Director.

If you fall victim to fraud on your Barclays payment channels, call the Online Fraud Helpdesk immediately on:

0330 156 0155

Fraudulent attacks, even if unsuccessful, should be reported to Action Fraud by calling 0300 123 2040.
