It seems like a legitimate request. A supplier invoice notifies you of a change of bank details. You update your system and make the payment. The invoice looks like any other – seems legit, right? Yet this can be all it takes to become the victim of fraud. You have now paid a large sum of money to a fraudulent third party – with the funds virtually impossible to track and unlikely to ever be recovered.
Invoice fraud, or invoice hijacking, happens when a fraudster sends correspondence advising a change to payment arrangements. It can be days or even weeks before the scam is detected – usually when the legitimate supplier alerts the customer that their account is overdue. By the time the two innocent parties have realised what has happened, it is far too late. The banks will not provide compensation, and most businesses do not have insurance to cover lost funds.
So how does an organisation protect itself? Awareness is the first line of defence; it is vital that your entire team is aware that invoice fraud is increasingly targeting Australian businesses.
To ensure your business doesn’t fall victim to invoice fraud:
- Have a clearly defined process for verifying and paying invoices
- Consider a multi-person approval process for transfers over a certain dollar amount
- Always verify new and changed bank details through another method, such as a phone call, using the contact details you have on file or from the supplier’s website
- Never seek verification via email, as you could be responding to the scammer, or they may have the capacity to intercept the reply
- If the wording of an email seems strange or different from usual, verify the request by phone using the details you have on file or from the supplier’s website
- Double-check email addresses, because scammers can forge an address or create a new account that is very similar to the real one
- Ensure all staff know what to look for, and what to do if they are suspicious
- Implement strong passwords within your organisation to prevent hackers accessing your systems
- Consider two-factor authentication
- Regularly check your IT systems for viruses and malware and ensure antivirus and spam protection systems are up to date
- Review your insurance policies to find out what you are covered for in relation to cyber-fraud
There are no guarantees of email integrity, so always be on the lookout. Staff awareness and clearly defined policies are the key to protecting your business. For more information, contact a TechPath Security expert on 1300 033 300.
TechPath will be hosting a Cyber Security event in Brisbane in early 2018. Register your interest here to be the first to receive an invitation.