Invoice fraud: real-world examples and prevention tactics
Corcentric
Organizations are well aware of the threats to their business from cybercriminals. We are, unfortunately, getting used to news stories about massive data breaches, phishing attempts, and ransomware attacks that expose the private data of an organization and its customers. But bad actors don’t always need to go to extremes to get money out of an organization.
The Accounts Payable (AP) department is one area that has significant exposure to invoice fraud: where invoices are manipulated to deceive a company into paying for goods or services that were never delivered or for amounts that are inflated. The use of email to conduct business has made invoice fraud easier and more widespread. With so many businesses bombarded with the sheer volume of email communication for invoicing and payments, it opened new avenues for criminals to exploit. In fact, the practice of Business Email Compromise (BEC) has become its own form of crime.
A 2022 article in Supply & Demand Chain Executive found that “U.S. companies are losing an average of $300,000 per business annually and 25% of finance professionals are unaware or unable to estimate the cost of invoice fraud to their business.” That last point could mean that losses are even greater than estimated.
Common invoice fraud schemes
Whether you refer to them as bad actors, threat actors, fraudsters, malicious actors, or scammers, these people are all criminals, using various social engineering techniques to carry out invoice fraud. These include manipulating employees through phone or email by pretending to be a legitimate vendor or other contact. Fraudsters in these cases can pose as vendors or company executives or employees and request changes to bank details, rerouting payments to the fake vendor’s bank account instead of to the legitimate vendor. Often, the email addresses and invoices look legitimate with only minor grammatical errors.
Here are some examples of ways your AP organization and payments may be vulnerable to invoice fraud:
Example #1 – Employee email impersonation
Although most people and companies don’t want to admit to being scammed, one well-publicized case involved “Shark Tank” judge and founder of real estate brokerage firm The Corcoran Group, Barbara Corcoran. In 2020, a fraudster pretending to be Corcoran’s assistant emailed the organization’s bookkeeper. The email contained an invoice for $400,000 for renovations to an investment property in Europe. The impersonator then gave authorization for a wire transfer of that amount.
On a CNBC segment later in that year, Corcoran explained how it happened. “The story was totally plausible because I invest in a lot of real estate and do a lot of renovations for a living.” The problem was that the investment property didn’t exist, and the email wasn’t really from Corcoran’s assistant; instead, a scammer created a new email address for the assistant leaving out just one letter of her name. When the bookkeeper copied the assistant on an email about the invoice and wire transfer, the fraud was exposed. Fortunately for the company, even though the money was gone from Corcoran’s account, her New York bank froze the money before the scam could be completed.
In this case, the scammers were in China, but they could be from anywhere. AP professionals receive so many emails, it would be easy to miss something as simple as a letter missing from a known name, whether that’s an assistant or a CEO.
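The lookalike-address trick described above (a known name with one letter missing) is something an AP mailbox can screen for mechanically. The following is an added example, not code from the original article or from Corcentric: it compares an inbound sender against a constructed list of known contacts using Levenshtein edit distance and holds near-matches and unknown senders that ask for payment. The contact addresses and domains are hypothetical.

```python
from typing import Optional, Set, Tuple

# Constructed list of known contacts (hypothetical addresses, not from the article).
KNOWN_CONTACTS: Set[str] = {
    "jane.doe@corcoran-example.com",
    "bookkeeper@corcoran-example.com",
}

# Subject-line terms that mark a message as a payment request.
PAYMENT_TERMS = ("wire", "invoice", "payment", "bank")


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, known: Set[str], max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('known', addr), ('lookalike', closest_known_addr) or ('unknown', None)."""
    s = sender.strip().lower()
    if s in known:
        return ("known", s)
    best: Optional[Tuple[int, str]] = None
    for k in known:
        d = levenshtein(s, k)
        # A small, non-zero distance is the signature of a lookalike address.
        if 0 < d <= max_distance and (best is None or d < best[0]):
            best = (d, k)
    if best is not None:
        return ("lookalike", best[1])
    return ("unknown", None)


def triage(sender: str, subject: str, known: Set[str]) -> str:
    """Decide whether a payment-related message may proceed or must be verified out of band."""
    verdict, match = classify_sender(sender, known)
    mentions_money = any(t in subject.lower() for t in PAYMENT_TERMS)
    if verdict == "lookalike":
        return f"HOLD: sender resembles known contact {match}; verify by phone"
    if verdict == "unknown" and mentions_money:
        return "HOLD: unknown sender requesting payment; verify out of band"
    return "OK"
```

A hold result is meant to route the message to the out-of-band verification step the article recommends, not to reject it automatically.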
Example #2 – The phantom vendor
As I noted in the above example, most companies and people don’t publicize their vulnerability, but that doesn’t mean the fraud has not happened. Here’s how this type of fraud occurs: a fraudster registers a company name similar to one of the firm’s real vendors and sets up a bank account in the fake company’s name. Once that happens, the fake supplier submits invoices for various products. If this isn’t caught, payments are processed for goods that were never delivered.
This actually happened to a technology firm that paid out $47 million for fake invoices to fraudsters posing as existing suppliers. What made this even more insidious was that the invoice descriptions corresponded with a series of legitimate deals, thereby not raising immediate suspicion. These fake invoices may mimic the look and layout of authentic ones, including realistic logos and contact information, all with the purpose of deceiving AP into approving and making payments.
Often, this type of fraud, if not caught earlier, is uncovered during a routine audit and points to the need for a stringent vendor verification process, including background checks and verification of business legitimacy, as well as a need for AP organizations to be diligent in their payment processing. That could mean regularly verifying contact details, ensuring the email addresses, phone numbers, physical addresses, and approved bank match those on record.
Example #3 – Payment redirection
This type of invoice fraud is as simple as sending an email to the individual identified as being responsible for dispensing payments. In this situation, the fraudster doesn’t create a new fake vendor; he or she simply pretends to be someone from a legitimate vendor informing the buyer that the bank of record has changed. New bank account details are entered into the system, and all invoices for that supplier will now be paid into that account.
In one instance, a community college lost several hundred thousand dollars after an employee was tricked into changing supplier payment information. The email, which appeared to be from a known contractor, detailed a new banking arrangement and directed upcoming payments to a fraudulent account.
Again, this type of fraud, if not caught immediately, will soon be exposed when the supplier calls wondering why their bank of record has not received payment for goods delivered. By then, both buyer and supplier have lost, not just money, but trust as well.
Example #4 – Account takeover
This type of invoice fraud is more in line with what we know as hacking and takes some amount of technical know-how. In this situation, the hacker would gain unauthorized access to a user’s credentials, in this case, someone associated with payments. Once this is accomplished, the hacker could create fraudulent transactions or change disbursement details for legitimate payments (as seen above in example #3).
How you can mitigate your vulnerabilities
Vulnerabilities come from a variety of issues, including manual processes, weak internal controls, an insufficient verification process, limited due diligence, and outdated vendor data. All of these are associated with human error or lack of follow-up, but it’s important to also realize that every time you close one loophole, bad actors figure out another way to take your company’s money unlawfully.
The examples above show how easy it can be to trick employees into approving fraudulent invoices, so educating your staff regarding social engineering threats is vital. You should institute:
- Regular training – Conduct consistent and up-to-date training sessions on recognizing social engineering techniques.
- Communication channels – Encourage the use of authenticated communication channels and verification through known contacts, especially when handling payment details. Make it known that no one should pay an invoice without verification.
- Promote skepticism – Train employees to approach unsolicited requests, especially those involving financial information, with a healthy level of skepticism.
- Incident reporting – Create a clear, blame-free process for reporting suspected fraud attempts.
In addition to the above, there are best practices you can take to build a more secure and compliant AP environment:
- Segregation of duties – Ensure that no single employee manages all aspects of the invoicing and payments process.
- Regular audits – Implement scheduled and random audits to check the veracity of payments and the authenticity of invoices.
- Technological solutions – Employ software that detects duplicate invoices, inflated invoices, or unusual payment activity.
- Employee education – Phishing attacks can be relentless. Regularly train staff on recognizing fraudulent emails and the importance of verifying payment details.
- Enhanced verification protocols – For any changes in vendor payment details, institute a stringent, multi-person verification process.
- Vendor validation systems – Regular reviews of vendor details, including the use of vendor validation services.
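The controls above (duplicate and inflated invoice detection, and a hold on unverified changes to vendor bank details) can be expressed as a simple pre-payment screen. The following is an added example, not Corcentric's own software or code from the article: it checks a batch of constructed invoices against a vendor master record and returns the flags a reviewer would act on. The vendor IDs, account numbers and the 3x-of-historical-average threshold are assumptions.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    bank_account: str          # account on record in the vendor master
    history: Tuple[float, ...]  # amounts of previously approved invoices


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    number: str
    amount: float
    bank_account: str           # account the invoice asks to be paid into
    bank_change_verified: bool = False  # set only after multi-person verification

# Assumed multiplier: an invoice above this multiple of the vendor's average is flagged.
INFLATION_FACTOR = 3.0


def screen_invoices(invoices: List[Invoice], vendors: Dict[str, Vendor]) -> List[List[str]]:
    """Return, per invoice in input order, the list of flags raised (empty means clear to pay)."""
    seen = set()
    results: List[List[str]] = []
    for inv in invoices:
        flags: List[str] = []
        key = (inv.vendor_id, inv.number)
        # Same vendor + invoice number seen twice in the batch: likely a duplicate submission.
        if key in seen:
            flags.append("duplicate")
        seen.add(key)
        vendor = vendors.get(inv.vendor_id)
        if vendor is None:
            flags.append("unknown-vendor")
        else:
            # Bank details that differ from the record must go through verification first.
            if inv.bank_account != vendor.bank_account and not inv.bank_change_verified:
                flags.append("unverified-bank-change")
            # Segregation of duties does not catch inflated amounts; compare to history.
            if vendor.history and inv.amount > INFLATION_FACTOR * mean(vendor.history):
                flags.append("inflated")
        results.append(flags)
    return results


# Constructed sample data (hypothetical vendor and invoices).
VENDORS = {"V100": Vendor("V100", "ACCT-111", (1000.0, 1200.0, 900.0))}
BATCH = [
    Invoice("V100", "INV-1", 1100.0, "ACCT-111"),
    Invoice("V100", "INV-1", 1100.0, "ACCT-111"),
    Invoice("V100", "INV-2", 1000.0, "ACCT-999"),
    Invoice("V100", "INV-3", 10000.0, "ACCT-111"),
    Invoice("V999", "INV-4", 500.0, "ACCT-555"),
]
```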
One of the best ways to stop fraud is with the StopFraud™ validation system
Mitigating fraud means stopping it before it even starts. Corcentric considers your and your suppliers’ security as our highest priority. That’s why we’ve integrated StopFraud™, a state-of-the-art twelve-step validation system that protects you and your suppliers from potential fraud.
A few of those steps include:
- Assignment of a customer-specific access code to each online registration website for added protection
- Tax ID number matching validation through the IRS TIN Matching System
- U.S. Postal Service address validation confirming the address supplied corresponds with a legitimate location
- Dual factor authentication requiring a specialized code delivered and provided for any updates
Download our datasheet for a full list of the twelve steps and a complete definition of each step.