Cybercrime is on the rise in South Africa, and it is becoming more and more sophisticated. As almost everything moves online, criminals have found a large and ready market for their endeavors.
Making online transactions is viewed as the norm, rather than with suspicion, which has led many people who are not very cautious to fall for tricks.
We have heard of many types of digital or online fraud, such as email phishing or SIM card swaps. A lot has been written about these and how to avoid being a victim.
Another trend that is picking up pace in the country is ‘invoice fraud’.
This type of fraud mostly targets businesses and companies, rather than individuals.
How invoice fraud works
Basically, an attacker, sometimes with inside help or with a clear understanding of how the target business operates, assumes the identity of a supplier.
They create invoices that resemble, in every respect, those created by the legitimate supplier. The only change they make is to the bank details, which they replace with their own.
They then send this invoice to the accounts department. If they are impersonating a regular supplier, they will often include instructions and a notification of a change in the bank details.
This can come from a near-identical email address, which would pass as legitimate to any casual eye.
“Many people have seen and encountered the standard approach to change of bank details fraud, also known as invoice fraud. This is where an attacker pretends to be a supplier, they create fake change of bank details letters and email the accounts department to get bank details updated.
“The attack method is nothing new, but the execution has simply evolved. The end game is the same, to steal your money but the criminal syndicate now uses the fact that most people are working from home to target their prey with a more personal approach,” remarked John McLoughlin, the CEO of cybersecurity focused company J2.
“The cyber attacker informs your team that they’re changing banks and asks about the process to do so. They then confirm the details and send this via email. As this is expected, your finance team has a higher likelihood of being tricked and falling for it.”
Different cybercriminals may execute it differently, but usually the steps are as follows:
1. Seek clarification from accounts department on how to change bank details.
2. Notify the company on the new bank details.
3. Send a legitimate looking invoice with the new bank details.
4. Wait for money to be sent.
The initial request for clarification from your finance team builds trust, removes potential suspicion and increases the success rate exponentially.
Higher-stakes invoice fraud may even involve spoofing your supplier’s phone number, further increasing the chances of the fraud working.
Depending on the nature of your business, it may take days, weeks or even months before the crime is detected.
How to avoid being a victim of invoice fraud
Invoice fraud can cause losses amounting to millions of Rands, and may even bring down companies. The good news is that with proper due diligence, it is relatively easy to spot and prevent, and it is ultimately up to the accounts/finance department to identify and stop any potential invoice fraud.
Here are some measures you can take.
1. Confirm with the vendor
Often, you will have vendor contacts on file. Any invoice that comes with a request to change bank details should be confirmed with the vendor, through the contact details on your file.
The confirming phone call and written email should involve only numbers and email accounts you have dealt with before.
If the amount at stake is large enough, a physical trip to your supplier’s office, or a visit by a known figure from the supplier’s company should be made.
2. Automate your payment platform
Most invoice fraud involves billing for goods or services that were never provided. Having a Customer Relationship Management (CRM) or Contact Management System (CMS) tool, or other similar software, can help with that.
This will track your orders, LPOs, invoices, etc. and integrate them in one dashboard. That way, you will never pay for anything you didn’t receive or didn’t order. It can also automate the payments, ensuring money is always released to the correct parties.
3. Keep a close eye on invoice amounts
Every company has different processes and traditions. The amount on an invoice can provide clues as to whether it is fraudulent or not. For example, your company may require additional scrutiny for invoices over R10,000. If the fraudster has this internal knowledge, they may send invoices falling just under that, e.g. R9950. This should immediately raise eyebrows.
4. Track invoice activity
The corporate world tends to be predictable and follows certain patterns. For instance, one vendor may only send 1 or 2 invoices per month at fixed dates. If that same vendor then sends, say, 5 invoices, that is quite suspicious.
Anything that breaks trends and patterns should be investigated further.
5. Keep your employees happy
A lot of invoice fraud happens with inside help. Employees that are well compensated are happy and unlikely to get involved.
Dishonesty by any employee needs to be dealt with at the early stages, before it blooms into something big. Also, due diligence on any new hires is paramount, especially if they will be handling sensitive information.
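
The checks in measures 1, 3 and 4 (sender and bank details against the vendor file, amounts just under the scrutiny limit, and invoice frequency) can be run as a screen before any payment is released. The following Python is an added example, not part of the original article; the vendor record layout, field names, the 5% band and the similarity cutoff are assumptions, and all sample data is constructed.

```python
from difflib import SequenceMatcher

# Constructed vendor file entry; field names are assumptions for this example.
VENDORS = {"V001": {"domain": "supplier.example", "bank_account": "62000000001",
                    "usual_invoices_per_month": 2}}
APPROVAL_THRESHOLD = 10_000  # rand; the extra-scrutiny limit used in the article
NEAR_BAND = 0.05             # assumption: "just under" = within 5% below the limit

def is_lookalike(sender_domain, known_domain, cutoff=0.85):
    """True for a domain that is not the vendor's but is nearly identical to it."""
    if sender_domain == known_domain:
        return False
    return SequenceMatcher(None, sender_domain, known_domain).ratio() >= cutoff

def review_invoice(invoice, history):
    """Return the reasons this invoice must be confirmed with the vendor on file."""
    vendor = VENDORS[invoice["vendor_id"]]
    flags = []
    domain = invoice["sender"].rsplit("@", 1)[-1].lower()
    if is_lookalike(domain, vendor["domain"]):
        flags.append("lookalike sender domain")
    elif domain != vendor["domain"]:
        flags.append("unknown sender domain")
    if invoice["bank_account"] != vendor["bank_account"]:
        flags.append("bank details differ from vendor file")
    if APPROVAL_THRESHOLD * (1 - NEAR_BAND) <= invoice["amount"] < APPROVAL_THRESHOLD:
        flags.append("amount just under approval threshold")
    month = invoice["date"][:7]  # "YYYY-MM"
    earlier = sum(1 for h in history
                  if h["vendor_id"] == invoice["vendor_id"] and h["date"][:7] == month)
    if earlier + 1 > vendor["usual_invoices_per_month"]:
        flags.append("more invoices than usual this month")
    return flags

# Constructed sample data.
HISTORY = [{"vendor_id": "V001", "date": "2024-03-01"},
           {"vendor_id": "V001", "date": "2024-03-15"}]
SUSPECT = {"vendor_id": "V001", "sender": "accounts@suppl1er.example",
           "bank_account": "40000000009", "amount": 9950, "date": "2024-03-20"}
ROUTINE = {"vendor_id": "V001", "sender": "accounts@supplier.example",
           "bank_account": "62000000001", "amount": 4200, "date": "2024-04-01"}

if __name__ == "__main__":
    for name, inv in (("suspect", SUSPECT), ("routine", ROUTINE)):
        print(name, review_invoice(inv, HISTORY))
```

Any non-empty result should hold the payment until the vendor has confirmed the invoice through the contact details already on file.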