What is it?
Invoice fraud involves a fraudster notifying your company that supplier payment details have changed and providing alternative details in order to defraud you.
The fraudster could be claiming to be from your company’s genuine supplier, or even be posing as a member of your own firm. Funds are often transferred on quickly, so recovering money from fraudulent accounts can be extremely difficult.
How does it happen?
Invoice fraudsters are often aware of the relationships between companies and their suppliers, and will know the details of when regular payments are due. The fraud may only be discovered when the legitimate supplier follows up on non-payments.
Fraudulent letters and emails sent to companies are often well-written, meaning the fraud is difficult to spot without strong operating processes and controls in place. Email addresses are also easy to spoof and, where a PC is infected with malware, criminals can access genuine email addresses.
The process of changing the bank details of someone you are paying should always be treated with extreme caution.
Be more like Derek – an office legend
Derek has become an office legend simply by spotting scams and, in turn, saving his company big money. Want to know how he does it? See Derek thwart a fraudster’s attempt at invoice fraud.
How you can help to prevent invoice fraud – a checklist
- Always verify details of any new/amended payment instructions verbally by using details held on file, and not on the instruction. Fraudsters can spoof email addresses to make them appear to be from a genuine contact, including someone from your own organisation.
- If you are suspicious about a request made by phone, ask the caller if you can call them back on a trusted number. Fraudsters will attempt to pressure you into making mistakes – take the pressure off by taking control of the situation.
- Consider removing information such as testimonials from your own or your suppliers’ websites or social media channels that could lead fraudsters to knowing who your suppliers are.
- Look carefully at every invoice and compare it to previous invoices received that you know to be genuine – particularly the bank account details, wording used and the company logo.
- Consider setting up single points of contact with the companies you pay regularly.
- Apply the same principles to requests from within your own organisation.
- Electronic payments in the UK are made based on sort code and account number only, and any account name given is not routinely checked, so independent verification is important.
- Regularly conduct audits on your accounts.
- Make all staff aware of this type of fraud, particularly those that are responsible for making payments.
See Derek defeat a fraudster impersonating his CEO below.
A case study:
A client received an email containing an invoice for the amount of £103k, which the client was expecting to pay. The payment wasn’t due until the following month, so they didn’t act upon this invoice. They then received a second email, following on from the original email trail, with a new invoice attached. It advised that the sender was having issues with their bank account and provided new account details to pay.
The client then submitted a payment for the amount requested to an account held with another bank.
The client was made aware of the fraud when they were contacted by their genuine supplier, who said that they hadn’t received the funds. The supplier confirmed that the bank details on the second invoice were not theirs.
The client's IT Team investigated to see where the email interception happened; however, the money transferred had already been moved on by the fraudsters by the time the alarm was raised.
What to do if you suspect you’ve received a suspicious invoice
If you have paid the invoice, contact us immediately. Our team will try to recover the money from the fraudster’s bank account. The quicker you alert your bank, the greater the chance of recovering the funds.
Report it to ActionFraud – the police’s national fraud and cyber-crime reporting centre. Even if you’ve not suffered any financial loss, this will allow the police to analyse trends and help them to prevent fraudsters exploiting other companies. You can file a report via their website at www.actionfraud.police.uk
If you receive a suspicious email that appears to be from Barclays, please forward it to firstname.lastname@example.org and then delete it from your email account immediately.
If you have any queries, please speak to your Relationship Director.
If you fall victim to fraud on your Barclays payment channels, call the Online Fraud Helpdesk immediately on:
0330 156 0155
Fraudulent attacks, even if unsuccessful, should be reported to Action Fraud by calling 0300 123 2040.