John Cradden outlines ways businesses can defend against invoice fraud.
It’s been described as “one of the biggest fraud threats” facing Irish businesses in recent years, but the potentially catastrophic effects of invoice fraud can be prevented by a few simple measures.
According to Gardaí, invoice fraud, in which fraudsters pose as legitimate suppliers and contact companies seeking monies owed, cost Irish businesses some €10.5m in 2020.
Sometimes termed invoice redirect fraud or business email compromise (BEC) fraud, it most commonly happens when fraudsters send a business an email purporting to be from a genuine supplier, notifying it that the supplier's bank payment details have changed and providing alternative details in order to defraud it.
By using malware or spoofing an email address and sending phishing emails to obtain data, invoice fraudsters can learn of the relationships between companies and their suppliers, and will know the details of when regular payments are due. Data can also be stolen through large data breaches.
Sometimes the invoices may be genuine but the emails have been intercepted, and the criminals are trying to convince you to send the money to the wrong account.
Funds are often quickly transferred, so recovering money from fraudulent accounts can be very difficult. In one case, a professional firm in Ireland processed a payment of more than €600,000 for the purchase of a product, and the funds left the firm’s bank account before they were redirected using a false email request and were transferred into ‘money mule’ accounts in Ireland, the EU and Hong Kong.
The Banking and Payments Federation of Ireland said that many businesses were aware of invoice fraud, but that there was complacency around putting proper guidelines and procedures in place to combat it.
“Protecting your business from invoice fraud doesn’t have to be a costly task; in fact, a few low-cost measures can help prevent it from happening,” said Niamh Davenport, the organisation’s head of fraud prevention.
Low-cost measures you can implement in your business:
- Put fraud prevention processes in place and keep staff regularly trained in fraud prevention and good email practices.
- Ensure IT and data security is up to date, and seek independent advice if you don’t have the skills in-house.
- Implement a procedure to independently verify payment requests from suppliers. This could include using banking security systems such as one-time passcodes or two-step verification.
- Ensure staff are aware of this type of fraud and how to avoid it. Fraudsters will look for opportunities to exploit any vulnerabilities in your processes. Therefore it is crucial to ensure staff are regularly educated, particularly those who are responsible for making payments.
- Review what information you publish about your suppliers online. Any information you release into the public domain could possibly make you an easier target for fraudsters. Consider, for example, removing information such as testimonials from your own or your suppliers’ websites or social media channels, as these can help fraudsters identify your suppliers.
- While working remotely, ensure you and your employees remain vigilant and adhere to relevant checks and processes.
Steps that employees can take:
- Verify bank payment detail changes verbally. Always check the details of any new/amended payment instructions by picking up the phone and using contact details held on file rather than what’s contained in the new instruction. Fraudsters can imitate email addresses to make them appear to be from a genuine contact, including someone from your own organisation.
- Don’t be pressured into making a payment without first verifying. Fraudsters often try to create a sense of urgency, such as threatening to deliver late or impose a late payment fee.
- Consider setting up single points of contact. This can add a layer of assurance in that you are always checking with the same person at your supplier to verify any details, as opposed to someone you don’t know, who could be a fraudster.
- Report any suspicious activity to Gardaí and your bank. If a crime has occurred, ask your bank immediately to do a recall on the money before reporting the matter to Gardaí.
- Send a payment confirmation. Consider setting up a system whereby, when an invoice is paid, you also send an email to the recipient informing them that payment has been made and to which bank account. Be mindful of account security and consider including the beneficiary bank name and the last four digits of the account.
- Carefully inspect all invoices received. Take note of any ‘red flags’, such as misspellings, a new signatory or bank account details included when they weren’t before. Compare each invoice to previous ones received that you know to be genuine. When making a payment, ensure your invoices quote the full legal or ‘trading as’ name.
For more information, visit Fraudsmart.ie.