Introduction

Fraudsters never miss a trick when it comes to separating honest, hardworking, people and businesses, from their money!

How would you feel if you received an invoice, and paid it, only to realise later that you didn’t owe the payee any money?
How would you feel if someone took a cheque from your cheque book and wrote it out to themselves, and cashed it, without your knowledge?
How would you feel if you discovered that you’d been paying for something that you didn’t owe money for?
How would you feel if you found out that you thought you were paying for something, but your money had been going to the wrong person?
How would you feel if you discovered that a direct debit had been set up on your bank account without your knowledge, and had been paying money to an account that you don’t recognise or can’t get any information on, for over a year?
How would you feel if someone used details that they obtained about you, to transfer money away from your bank account?

Top tip: Caller claiming to be from your bank? NEVER give anyone, even if you are convinced it’s a genuine caller, any information over the phone. MAKE IS A POLICY! Hang up and call your bank directly on the normal customer services numbers you use from a DIFFERENT phone than the one you just took the call on. So, if you are called on your landline, call the bank using your mobile. This is because fraudsters can hide on the line that they used to ring you and make it appear that they have just answered a call from you when you dial out. Using a different phone prevents this…

Always be careful about clicking links in emails claiming to be from your bank…

The above scenarios happen to people all the time and can be very costly both in terms of money lost, and time and energy spent sorting things out and trying to get your money back. Being a victim of fraud can be very distressing!

Businesses encounter similar things but on a larger scale. When these kind of things happen in businesses, the losses can run to hundreds of thousands, people can lose their jobs and businesses can end up having to close as a result.

Being aware of how you can be defrauded yourself is a good first step in understanding how a business can be defrauded.

There are criminals who specialise in invoice fraud. They look upon your accounts payable department as a potential piggy bank. They will study your procedures and policies and work out how invoices are processed in real time. These can often be at odds! They can do a lot of research before launching their attacks.

How big is the problem?

UK Businesses Lost £93M in 2019 Due to Invoice Fraud:
https://www.pymnts.com/news/b2b-payments/2019/uk-finance-invoice-fraud-scams/

Study Finds Half Of UK Firms Vulnerable to Invoice Fraud:
https://www.pymnts.com/news/b2b-payments/2019/uk-invoice-fraud-email-phishing-scams/

Why and how does invoice fraud happen?

Simply put, invoice fraud involves fraudsters getting paid when no money is owed. They achieve this by trickery, subterfuge and taking advantage of flaws in their target companies accounting, procurement and payment systems.

The why is simple – day to day business activities, by their nature, expose businesses to fraud risk. They buy and sell things, pay for services, rent and lease property, plant and vehicles. They insure things, employ people, hold and transfer cash, earn an income etc.

All these activities can be vulnerable to fraudsters.

Some common invoice frauds are:

Staff writing out cheques that they or an accomplice cash themselves or pay via companies that they have a financial interest in – this is generally the easiest form of fraud to detect as there is a clear trail to follow, but only if there is a system of checks and balances in place that reveal the fraud. A cursory audit might match a cheque to an invoice, but it may take a more involved audit to discover that the same cheque was used to transfer funds in response to a fraudulent invoice
False invoices are paid because there are poor auditing procedures in place – in this case a fraudster just takes a chance by sending out an invoice and taking a chance that it will be paid. This was happening in 1989 when I first started working in the security industry and still happens today. That tells me that enough of these invoices get paid to make it worth someone’s time
Invoices can be inflated, so you end up paying more than you should. This is not always fraud, genuine mistakes do happen, but it indicates poor controls
Duplicate invoices. Again, not always fraud, genuine mistakes do happen, but it indicates poor controls. I spoke to an investigator who told me that he knew of a company that had paid the same invoice to a fraudster 3 times after it was simply resubmitted, unchanged, 3 times…
Fraudsters use your own procedures against you – for example if you have a policy of paying invoices under a stated amount without checking legitimacy due to the associated cost involved in processing then fraudsters quickly learn to submit invoices below that level. A red flag in a case like this, would be a sudden increase in the number of small sum invoices
A fraudster successfully convinces your accounts payable department to change bank details so that funds are paid into their accounts rather than the rightful payees. This can be done by using forged letterheads or spoofing emails. This is only usually discovered when the legitimate payee asks why they haven’t been paid. The problem the business faces here is that they’ve been defrauded, and still owe the money! These changes in payment details can also be made by an insider or someone who gains access to your systems. The simplest case I heard about was someone posing as an early morning cleaner who discovered user passwords left under computer keyboards in the accounts payable team area. The fraudster simply logged in and changed details to redirect funds. This demonstrates the importance of ‘clear desk’ enforcement generally, (it reinforces a security awareness mindset) and additional security checks in higher risk areas
VAT part of an invoice being inflated and hoping that you won’t check

The above is far from exhaustive. Although invoice fraud can be very sophisticated it generally isn’t. In many cases it relies on poor systems and inadequate checks and balances on the part of the target business.

The insider threat!

Businesses often bury their heads in the sand but the biggest threats to a business can be their own employees or other people with legitimate access to their premises and systems. There was an interesting articles published in 2016 in Financier Worldwide Magazine that’s worth reading. (Link below)

Although not directly addressing invoice fraud it does make a strong case for greater security awareness. If you are not familiar with the insider threat, then this article will certainly be an eye opener!

Defending against insider fraud:
https://www.financierworldwide.com/defending-against-insider-fraud

What can security do to help a business defend against invoice fraud?

Many businesses have ‘clear desk’ and other policies and procedures in place, to protect assets and detect suspicious behaviour.

I’ve spoken to numerous colleagues who work in buildings where they enforce a clear desk policy but without a clear understanding of why it is important, and what they help prevent by being so diligent.

If you find a laptop left on someone’s desk a ‘clear desk’ policy would usually stipulate that it be removed for safe keeping, logged, reported and signed back out to the user when they returned to work. So far so good!

However, how long was that laptop left unattended? Had the user left their password accessible so that someone else could have logged in, loaded it with malware or a virus, created a backdoor in to the company’s system, then shut it down, without the legitimate user being any the wiser?

Even without the password, having a laptop available makes it easier for hackers to interfere with it.

How damaging would it be for you, never mind a business, if someone installed spyware that transmitted every keystroke, every site or intranet page you visited, every username or password that you typed, to a hacker?

Do you have a system for monitoring out of hours attendance at the office? There are many legitimate reasons why someone might attend work out of their normal working hours, however if no one is aware of it, then it’s going to be difficult to verify these reasons.

If you can limit access only to those areas that people need access to, you should do so. If you work in an open plan style building where someone has a lot of access once they pass the security point, you need to consider other options. Random patrols and floor checks should be carried out where possible.

In one building I was asked to carry out a count of how many desktop PCs there were in use on people’s desks. The building manager then compared this to the number that he was paying for and found a discrepancy in the client’s favour as they were paying for more equipment that was actually in use. Although this case didn’t turn out to be fraud it does show how a proactive approach and innovative measures can save a business a lot of money.

How do we stop invoice fraud?

The best way to deal with invoice fraud is to prevent it in the first place:

Julian Akakpo of Julian Leslie Accountants says that there are several very simple steps that can be taken to help prevent this kind of fraud.

Know who you are paying! Is there a list of approved suppliers?
When changing bank details for a supplier ensure that part of the process involves calling the supplier on their office number and confirming that they are aware of and have requested the changes. Confirm the change in writing to their correspondence address or registered office as a matter of course
Reconcile accounts payable and your bank account monthly
Train people to look for red flags and what those red flags are
Have different employees checking invoices so that a fresh pair of eyes are looking at things