Payment Security 101
Learn about payment fraud and how to prevent it
Have you ever paid an invoice that turned out to be fraudulent? It’s more common than you think, with Xero stating that nearly 1 in 5 Australian small businesses become victims of invoice fraud, costing $15,500 on average.
As scary as that may sound, there are ways to protect yourself from falling victim to these criminals — but only if you know what to look out for! Take a look at these invoice fraud statistics and use them to ensure your company never has to pay another fraudulent invoice again!
The ACCC demonstrates how dangerous payment redirection scams have become over the past year. In 2021, Australians lost $227 million to payment redirection scams, a 77% increase compared to 2020. The report shows that this form of scam was the most financially damaging for businesses.
Fraudulent invoices are a frequent problem for Accounts Payable departments. Verifying every invoice or email may not seem time-efficient, but an easy way to identify a fraudulent invoice is to double-check information such as email addresses, invoice numbers, payee details, and bank account information. When you follow a verification process and employ a callback control system, you are less likely to pay a fraudulent invoice.
Business Email Compromise (BEC) is a common method scammers use to send fraudulent invoices, and it resulted in the highest losses of all scam types in 2019. The scammer sends emails to the business’ clients asking them to make payments to a fraudulent account.
Invoice fraud is becoming more frequent among Australian businesses. The Xero survey highlights that small businesses are the most targeted by invoice fraud. This data can be concerning for CFOs or AP teams that don’t prioritise security around invoice verification.
The Small Business Ombudsman, Kate Carnell, cites the dangers to small businesses of having their invoices intercepted by scammers. Scammers are evolving their attacks. Not only is the perpetrator draining the organisation’s bank accounts, but they are also erasing their tracks and becoming harder to trace, making the attack more difficult to spot.
Cybercriminals are increasing their attacks on Australian SMEs every year. Business owners and CFOs must prioritise their cyber security controls to minimise the risk of a BEC attack. During the pandemic, invoice and payment fraud campaigns soared. Scammers were quick to realise that some SMEs did not prioritise their cybersecurity controls on remote devices.
Shark Tank Star Barbara Corcoran lost $388,700 as a result of invoice fraud. Fraudsters took advantage by impersonating Barbara’s assistant. The fake email was then approved by the bookkeeper which enabled the scam. Be sure to review any new payment details or amended invoice payment methods before settling any debts.
Reports by Scamwatch found that NSW is the most targeted in false billing scams. Email is the most common delivery method of scamming finance teams. Despite these numbers coming from complaints reported to the ACCC, you can expect that there are significantly more scams that aren’t reported.
When it comes to cybercrime, all businesses can be at risk. In this case, Amazon was a victim of invoice fraud. The company had been defrauded of $19 million for items that were never purchased. The attack was initiated by four brothers that had manipulated data to make illegitimate payments.
Secure invoicing is a process that everyone in a finance role must prioritise, including CFOs, finance managers, and accounts payable departments. Best practices for securing invoices are verifying the company name on every invoice, checking the payable address, and comparing receipt of goods and purchase orders.
In 2021, Scamwatch continued to see record levels of scam activity in Australia. Aside from business disruption, cybersecurity breaches can result in things like data loss and reputational damages, which can lead to devastating effects on your personal life.
Invoice fraud statistics highlight the occurrences among men & women aged 45 to 54. Scammers are familiar with the financial advantages that this age group has compared to a younger demographic.
As part of the $712 million Medicare fraud scheme, 243 individuals, including 46 doctors, nurses, and other licensed medical professionals, have been charged. The Department of Justice states “this action represents the largest criminal health care fraud takedown in the history of the Department of Justice”.
Businesses are faced with paying several invoices every month to maintain strong supplier relationships. A fake invoice scam could arise when the business is under a lot of pressure. AP departments who cut corners around the verification process could pose a huge risk to the organisation.
In light of such glaring data, there has been a greater push toward the adoption of e-invoicing among businesses as a way to counteract invoice fraud and duplicate payments. E-invoicing allows companies to streamline their invoice processing cycles, approve and track invoices more efficiently, and pay on faster schedules.
Business invoice phishing emails are continuing to rise each year. The ITRC reports that organisations can expect to see more weekly emails where a business executive’s email is spoofed to steal sensitive data.
Duplicate invoices occur when a supplier or group submits duplicate or inflated invoices to defraud the company of money. Scammers utilise this tactic to target companies that have poor administration practices.
Without automation or a better-managed process, you may be paying an invoice twice. Other than coordinated attacks, an intentional error is a significant factor when it comes to duplicate payments. One common method is when finance team members alter the invoice number by adding additional characters.
One reason for duplicate payments is redundant entries of vendors in enterprise resource planning (ERP) systems. Some accounting teams don’t spend much time inputting the vendor list and information. When the vendor list isn’t monitored and maintained correctly, there will likely be more than one data entry.
A few steps that CFOs can take to reduce duplicate payments are reviewing the vendor master files on an ongoing basis, limiting manual check requests, establishing a standard policy for invoice numbering and adopting a vendor payment policy.
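A sketch of how a payment run could be screened for the two causes described above, altered invoice numbers and redundant vendor records. This is an added example, not code from the original article; the vendor and payment rows are constructed, and keying vendors on their ABN is an assumption about what the master file holds.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed vendor master: V001 and V017 are one supplier entered twice.
VENDORS = {
    "V001": {"name": "Acme Supplies Pty Ltd", "abn": "11 111 111 111"},
    "V017": {"name": "ACME SUPPLIES P/L", "abn": "11111111111"},
    "V020": {"name": "Borealis Freight", "abn": "22 222 222 222"},
}
# Constructed payment run: (payment_id, vendor_id, invoice_no, amount_cents)
PAYMENTS = [
    ("P1", "V001", "INV-1042", 1550000),
    ("P2", "V017", "inv 1042A", 1550000),  # extra character, duplicate vendor record
    ("P3", "V020", "INV-1042", 1550000),   # other supplier: not a duplicate
    ("P4", "V001", "INV-1043", 1550000),   # different invoice, same amount
    ("P5", "V020", "0007731", 89000),
    ("P6", "V020", "7731", 89000),         # leading zeros dropped
]

def canonical_vendor(vendor_id):
    """Key redundant vendor records on the digits of their ABN."""
    return re.sub(r"\D", "", VENDORS[vendor_id]["abn"])

def normalise_invoice_no(invoice_no):
    """Upper-case, then drop punctuation, spaces and leading zeros."""
    return re.sub(r"[^A-Z0-9]", "", invoice_no.upper()).lstrip("0")

def looks_altered(a, b, max_extra=2):
    """True if one number is the other plus at most max_extra trailing characters."""
    short, long_ = sorted((a, b), key=len)
    return long_.startswith(short) and len(long_) - len(short) <= max_extra

def redundant_vendors():
    """Vendor ids that share an ABN, i.e. one payee with several master records."""
    by_abn = defaultdict(list)
    for vendor_id in VENDORS:
        by_abn[canonical_vendor(vendor_id)].append(vendor_id)
    return [ids for ids in by_abn.values() if len(ids) > 1]

def duplicate_payment_candidates(payments):
    """Pairs of payments to the same payee for the same amount with matching numbers."""
    groups = defaultdict(list)
    for pid, vendor_id, invoice_no, amount in payments:
        key = (canonical_vendor(vendor_id), amount)
        groups[key].append((pid, normalise_invoice_no(invoice_no)))
    return [(p1, p2) for rows in groups.values()
            for (p1, n1), (p2, n2) in combinations(rows, 2) if looks_altered(n1, n2)]
```

The pairs returned are candidates for manual review rather than confirmed duplicates, since a short invoice number can be a legitimate prefix of another.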
Digital Shift suggests that artificial intelligence (AI) powered systems can help reduce duplicate payments through invoice detection. According to David Disque, the CSI President, “the most prevalent errors result from human error due to manual procedures”.
Even if these numbers might seem small, one wrong or duplicate disbursement could total up to tens of thousands of dollars and seriously affect your finances.
A company’s external and internal threats must be considered when assessing its risk profile. However, most insider threats go undetected. In this case, Stephen Jones transferred the money to his account from an invoice he created. Being part of the company allows an employee to engage in internal fraud easily when they have access to company data.
Philip Charles, a 64-year-old resident of New Jersey, created several shell companies to embezzle a combined $3 million from Toys R Us and Tumi Luggage. This is just one incident of an extensive operation that resulted in the company’s extensive losses.
Usually, the most complex, inventive and creative insider threats are difficult to detect. These all have a common objective, to defraud or sabotage the company’s finances. Defending against this crime involves reviewing permissions and authorisations on invoices, rotating duties, and providing employees with cybersecurity training that can help them spot malicious behaviour.
According to Conoco, the employee embezzled nearly $7.3 million, but the criminal charges so far only allege they stole about $3.1 million. The employee had set up a supply business together with another individual orchestrating fraudulent payments.
There is no playbook that scammers use when it comes to creating a fraudulent invoice. Scammers are coming up with innovative ways to deceive your accounts payable teams. Follow these tips on identifying a fake invoice:
– Any information on the invoice that may seem unusual like spelling mistakes or special characters
– The account numbers look different across the whole invoice e.g. different fonts or sizes
– The company logo looks altered or replaced
– The email address listed on the invoice does not match the one in your emailing database
– Purchase order numbers are different to what you have in your company records
– Order details have been altered either with vague terms or for larger items that were not agreed upon
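Several of the checks in this list can be run automatically before an invoice reaches an approver. The following is an added example, not part of the original article; the record layout, field names and sample invoices are constructed, and the 0.8 similarity threshold for a lookalike domain is an assumption.

```python
from difflib import SequenceMatcher

# Constructed records standing in for the vendor master file and open purchase orders.
VENDOR_MASTER = {"Acme Supplies Pty Ltd": {
    "email": "accounts@acmesupplies.example", "bsb_account": "000-000 12345678"}}
PURCHASE_ORDERS = {"PO-5521": {"vendor": "Acme Supplies Pty Ltd", "amount_cents": 1550000}}

# Constructed invoices: one matching the records, one with swapped letters in the
# sender domain and new bank details.
GENUINE = {"vendor": "Acme Supplies Pty Ltd", "sender_email": "accounts@acmesupplies.example",
           "bsb_account": "000-000 12345678", "po_number": "PO-5521", "amount_cents": 1550000}
SPOOFED = dict(GENUINE, sender_email="accounts@acmesuppiles.example",
               bsb_account="000-000 87654321")

def domain(address):
    """Lower-cased part of an email address after the last '@'."""
    return address.rsplit("@", 1)[-1].lower()

def check_invoice(inv):
    """Return (decision, findings). Any finding holds the payment for manual review."""
    vendor = VENDOR_MASTER.get(inv["vendor"])
    if vendor is None:
        return "HOLD", ["vendor not in master file"]
    findings = []
    if inv["sender_email"].lower() != vendor["email"]:
        # A near-identical domain is a stronger warning sign than an unrelated one.
        sim = SequenceMatcher(None, domain(inv["sender_email"]), domain(vendor["email"])).ratio()
        kind = "lookalike domain" if 0.8 <= sim < 1.0 else "unknown address"
        findings.append(f"sender email does not match record ({kind})")
    if inv["bsb_account"] != vendor["bsb_account"]:
        findings.append("bank details differ from record: confirm by callback")
    po = PURCHASE_ORDERS.get(inv["po_number"])
    if po is None or po["vendor"] != inv["vendor"]:
        findings.append("purchase order not found for this vendor")
    elif po["amount_cents"] != inv["amount_cents"]:
        findings.append("amount differs from purchase order")
    return ("HOLD" if findings else "PAY"), findings
```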
Scamwatch reports that the most common form of delivery is email, but phone, text message, internet, mail, social networking, and other forms are also options. After gaining access to your email, the scammer can impersonate an employee, collect sensitive information, or steal your identity.
If you’re worried about how your business can reduce risk, make sure to check any invoice information that you’re suspicious of, follow up on any alterations in billing information, and limit the number of people who can make payments.
Often, the company that pays the invoice for the goods or services to the fraudulent account is responsible for the loss because, in effect, it never paid the real invoice in the first place. Yet each case varies. Tracking the origin of a scam can lead investigators to identify the person responsible.