
Checklist: Seven measures to avoid falling victim to invoice scamming

Like many other forms of cyber crime, invoice fraud is on the rise. These seven measures will help businesses mitigate the risk.
Paul Haskell-Dowland
Source: Unsplash/Charles Deluvio.

Like many other forms of cyber crime, invoice fraud is on the rise — but the good news is businesses can take measures to avoid this form of fraud, which can hit you and your customers hard.

Invoice scamming involves cyber criminals impersonating businesses, intercepting emailed invoices, changing bank account details and then stealing the invoice amounts from unsuspecting customers. As soon as the money has been paid into a scammer’s bank account, it is often moved offshore, and banks and police then have little authority to do anything to retrieve the stolen funds. Usually, the customer or business that paid the invoice to the fraudulent account is liable for the loss, because the invoice hasn’t been paid to the correct organisation for the goods or services received.

Invoice fraud is a growing problem in Australia and often perpetrated by organised cyber criminals. Australian businesses reported more than $14 million in losses to the federal government’s fraud monitoring body Scamwatch due to payment redirection scams last year. Average losses as at March 30, 2021, were more than five times higher compared to average losses in the same period in 2020. However, total losses are likely to be much higher as these scams are reported to a range of different organisations and sometimes not reported at all.

What should you do?

Good payment practices by businesses and banks can help to avoid such outcomes.

These frauds are often enabled after businesses send invoices to clients with their bank account details included for payment remittance. As a minimum, businesses should cease sending invoices by email, which greatly opens up the risk of invoice fraud.

Businesses should instead set up more secure online payments systems that have been tested fully for vulnerabilities to fraud. Moreover, if businesses can accept payments through a secure online service, then sticking with that system and not offering customers the option to pay directly into a bank account listed on an emailed invoice would be a safer practice. 

Where bank account transfers are still a necessity, banks should display the recipient account name prior to making a transfer. This is partly implemented with the payee typically seeing the destination bank; it wouldn’t be too hard to extend this to display the recipient account name to provide reassurance to the payee that their money is going where they are expecting it to go.

This approach would mirror PayID: a unique identifier, such as a mobile number or email address, that individuals can link to their bank account to make and receive payments. Invoice scamming involving altering a PayID is less likely as the PayID process displays the ‘name’ of the account holder to the payee. As banks have ID checks for business accounts, it could be worthwhile for businesses to insist on customer payments using PayIDs to provide reassurance for consumers.

Currently PayID is opt-in only, and businesses must register for the service. So for now, businesses need to implement secure and robust online payments platforms.

Eliminating the emailing of invoices is a first step. For customers who cannot avoid transferring large amounts direct to a bank account, it would be worthwhile ringing up the recipient to verify bank account details first (not relying on contact details on the invoice).

Another solution is to use BPAY, where the recipient organisation’s name is visible to the payer when they enter the unique biller code of the company being paid.

Fraudsters will look for opportunities to exploit any vulnerabilities in your business processes, particularly where it concerns the collection of money. Therefore, it is crucial for your business to ensure staff who are responsible for making payments are regularly educated about invoice fraud and on guard against it. 

How to protect against invoice fraud

  1. Always check that goods or services were both ordered and delivered before paying an invoice for your business.

  2. Ensure your staff are well trained in the company’s payment processes and the possibility of invoice scamming.

  3. Try to limit the number of people in your business who are authorised to make orders or pay invoices. Make sure the business billing you is the one you normally deal with.

  4. Look carefully at every invoice and compare it to previous ones received that you know to be genuine — particularly the bank account details, wording used and the company logo. Ensure your invoices quote the full legal or ‘trading as’ name. If you notice a supplier’s usual bank account details have changed, call them to confirm.

  5. Do not email invoices with bank account details; these can be intercepted and manipulated. Even PDFs sent as an attachment can be easily modified.

  6. Keep written records of your authorisations for advertising or directory entries. If you receive an invoice or a telephone call, you can go back to your records to check it.

  7. For those businesses paying invoices, consider setting up single points of contact with the companies you pay regularly.
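Items 1 and 4 of the checklist describe a control that accounts-payable staff can apply by hand, but it can also be made systematic: keep a register of each supplier's previously verified legal name, bank details and invoicing email domain, and hold any invoice whose details differ or that has no matching purchase order. The following is an added example written for this article, not code from the author or from any payments product; the supplier register, purchase orders, invoices and field names are all constructed sample data.

```python
"""Invoice verification check modelled on the checklist above.

Added example, not code from the original article. The supplier register,
open purchase orders and invoices are constructed sample data; the field
names are assumptions about how a business might store them.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class SupplierRecord:
    legal_name: str      # full legal or 'trading as' name previously verified
    bsb: str             # Bank-State-Branch code from a known-genuine invoice
    account: str         # account number from a known-genuine invoice
    sender_domain: str   # email domain the supplier normally invoices from


# Constructed register of previously verified suppliers (checklist item 4).
SUPPLIER_REGISTER = {
    "acme-widgets": SupplierRecord(
        legal_name="Acme Widgets Pty Ltd",
        bsb="062-000",
        account="12345678",
        sender_domain="acme-widgets.example",
    ),
}

# Constructed set of purchase orders that were raised and delivered (item 1).
OPEN_PURCHASE_ORDERS = {"PO-1001"}


def _digits(value: str) -> str:
    """Keep digits only, so '062-000' and '062 000' compare equal."""
    return re.sub(r"\D", "", value)


def check_invoice(supplier_id: str, invoice: dict) -> list[str]:
    """Compare an incoming invoice with the register and return findings.

    An empty list means every checked field matches a previously verified
    invoice. Any finding means the invoice should be held and confirmed
    out-of-band, using a phone number from your own records, never one
    printed on the invoice itself.
    """
    findings = []
    record = SUPPLIER_REGISTER.get(supplier_id)
    if record is None:
        return ["unknown supplier: verify before making a first payment"]

    if invoice.get("purchase_order") not in OPEN_PURCHASE_ORDERS:
        findings.append("no matching purchase order: confirm goods or services "
                        "were ordered and delivered")

    if invoice["legal_name"].strip().casefold() != record.legal_name.casefold():
        findings.append("payee name differs from the registered legal name")

    if (_digits(invoice["bsb"]) != _digits(record.bsb)
            or _digits(invoice["account"]) != _digits(record.account)):
        findings.append("bank account details changed: call the supplier on a "
                        "known number to confirm")

    sender_domain = invoice["sender_email"].rsplit("@", 1)[-1].casefold()
    if sender_domain != record.sender_domain.casefold():
        findings.append(f"sent from unexpected domain '{sender_domain}'")

    return findings


def payment_decision(supplier_id: str, invoice: dict) -> str:
    """'pay' only when no findings were raised; otherwise 'hold'."""
    return "pay" if not check_invoice(supplier_id, invoice) else "hold"


# Constructed invoices: one genuine, one with altered bank details and a
# look-alike sending domain.
GENUINE_INVOICE = {
    "purchase_order": "PO-1001",
    "legal_name": "Acme Widgets Pty Ltd",
    "bsb": "062 000",
    "account": "12345678",
    "sender_email": "accounts@acme-widgets.example",
}
ALTERED_INVOICE = dict(GENUINE_INVOICE, bsb="033-999", account="87654321",
                       sender_email="accounts@acme-widgets-invoices.example")

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE_INVOICE), ("altered", ALTERED_INVOICE)):
        print(label, payment_decision("acme-widgets", inv),
              check_invoice("acme-widgets", inv))
```

The point of the register is that it is populated from invoices already confirmed as genuine, so a changed BSB or account number stands out even when the logo, wording and sender address all look right. The check only decides whether to hold a payment; the confirmation itself still has to be a phone call to a number you already hold, exactly as item 4 advises.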