A Perth-based car dealership has been slammed with a $65,000 loss after falling victim to an invoice scam, despite taking best efforts to verify the invoice as legitimate.
In a warning posted by the Western Australian government’s Department of Industry Regulation and Safety, commissioner for consumer protection David Hillyard warned businesses of a rise in invoice scams and advised vigilance.
Invoice scams are just one of the numerous ways cybercriminals and con artists attempt to trick small businesses into paying up for fraudulent invoices or divulging sensitive information.
In such cases, businesses will often receive an invoice from a party claiming to be a supplier, with the invoice looking almost identical to a real invoice. Many business owners then pay the invoice unknowingly, assuming it to be legitimate.
The car dealership, which was unnamed by the department, had recently made a purchase from a supplier and received an invoice with the correct payment details. However, a week later the dealership received a different invoice via email from the scammers, who asked for the payment to be made to a different bank account.
The dealership had a number of practices in place to verify the legitimacy of the new invoice, including requesting the invoice be supplied on the company’s letterhead and seeking verbal confirmation from the scammers.
The invoice was provided on the letterhead, but attempts to contact the scammers were unsuccessful. However, the $65,000 invoice was paid anyway.
It took a week for the business to realise it had been scammed, only working it out after the real supplier rang and asked about the status of the payment.
“All businesses need to be alert to attempts by scammers to intercept payments that flow to and from their accounts and ensure their email accounts and computer systems have security software to reduce the likelihood of becoming a victim of hacking,” Hillyard said in a statement.
“The real estate industry has been targeted in the past with huge losses suffered, so now motor vehicle dealers need to be vigilant as scammers will use this recent success to make further attempts to steal money from other business operators.”
“Spidey senses” required
This is far from the first time businesses have fallen victim to similar invoice scams, with the last decade seeing a significant rise in the unique scam variant. According to the Australian Competition and Consumer Commission, Australians have lost $3.3 million in 2018 alone to false billing scams.
False billing scams are rarely as coordinated as the one that affected the car dealership, however. They usually take the form of a spray of emails attempting to impersonate popular SME accounting software providers such as Xero or MYOB.
One such business hit by a similar invoice scam was safety wear brand Totally Workwear, who told SmartCompany earlier this year about the devastating event which left the business $70,000 out of pocket.
Instead of receiving a fake invoice and blindly paying it, the business didn’t actually know it was being fleeced for thousands of dollars for months on end because cybercriminals had infiltrated the business’ accounting systems and changed the banking details for its 90 suppliers.
“We didn’t find out about it until we got calls from creditors who didn’t get paid,” the store’s director James Hogan told SmartCompany.
“Only then we found out there had been a cyber attack.”
Garrett O’Hara, principal technical consultant at Mimecast, advised business owners and employees earlier this year to use their “spidey senses” to remain vigilant when filtering out scams, and to check with payroll staff and security teams if they are unsure.
“Five minutes to ask could save a lot of time … and embarrassment!” O’Hara said.
WA’s Department of Safety advised businesses to regularly check their bank accounts and email servers for any irregular activity, with Hillyard saying SME owners should look to install business-grade security software to help mitigate these sorts of scams.
“Closely scrutinise all invoices and query any changes to ensure that the payments are going to the correct accounts. Get a verbal confirmation of email requests to change the bank account details of suppliers and clients, and ensure all staff members are aware of the anti-fraud procedures and the importance of adhering to them without exception.”