When discussing the importance of cybersecurity and the myriad of ways in which businesses can be scammed of their hard-earned dollars, one of the most common and devastating forms of cyber-attack is often overlooked – invoice fraud. This is the type of fraud where a criminal poses as a supplier or business partner and convinces a company to pay them for services that were never rendered.
“Invoice fraud could happen to businesses of all sizes,” said Katy Worobec, Managing Director of Economic Crime at banking trade body, UK Finance. Just ask Google and Facebook, who were last year scammed out of $23 and $100 million dollars respectively by a cybercriminal from Lithuania who sent them fraudulent supplier invoices. Katy continues, “The gangs behind this type of fraud are increasingly sophisticated and will often get hold of details that allow them to pose convincingly as regular suppliers. If someone contacts you asking for a supplier’s bank account details to be changed, always verify with that supplier separately on the phone or in person, using the contact details you have on file.”
Representatives from Google and Facebook say they were fortunate enough to retrieve their lost funds, however most companies who are victims of invoice fraud, are not so lucky, experiencing a devastating impact on their financial stability and in some cases even being forced into bankruptcy. When denim company, Diesel Jeans, filed for bankruptcy last year, the company cited invoice fraud as a significant contributing factor to its financial woes. While Tillage Commodities LLC, lost 64 percent of its total capital to invoice fraud over the course of just 21 days. The company was then fined $150,000 by the Commodity Futures Trading Commission for failing to supervise its funds.
In fact, invoice fraud is the biggest problem in the world of cybersecurity and unfortunately, it is on the rise. According to the FBI, the amount of money that scammers attempted to steal through invoice fraud grew 136% between December 2016 and May 2018, with more than $12 billion targeted worldwide between October 2013 and May 2018.
However, despite invoice fraud costing businesses in the UK £93 million in 2018 alone, according to a survey by UK Finance, more than 4 in 10 businesses are unaware of the risks. Of the 1,500 firms across the UK that were surveyed, 55% of sole traders were aware of the threat of invoice fraud, compared with 68% of small to medium enterprises (SME’s) and 84% of large businesses. Despite large businesses taking measures to mitigate the risk of invoice fraud, they were still more likely to be the victims of it compared to smaller companies.
In a very typical invoice fraud scenario, hackers will convincingly imitate the email address of a known supplier where they have carefully monitored the interactions and payment processes between their victim and that supplier, including when regular payments are due and for what amounts. The hacker then sends a convincing invoice for services rendered and / or submits a request for their bank account details to be changed to an account controlled by them rather than the genuine supplier.
While cyber-attacks such as customer’s contact details being disclosed, can cause reputational and competitive damage to a company, invoice fraud results in immediate financial loss and your company’s hard-earned dollars flushed down the drain.