Tackling invoice fraud

Invoice fraud is on the rise. It may involve a spoof email, apparently from the CEO of your organisation, “authorising” the payment of a fake invoice. In other cases the email seems to come from a trusted supplier, typically telling you that the supplier’s bank details have changed and that future payments should go to the new account.

Two of my friends who run SMEs have recently been exposed to invoice fraud, in one case for around £70,000. In both cases the fraud was picked up before payment was made.

But in a lot of cases it isn’t. For instance last year a small Norfolk manufacturer was scammed out of £350,000 by a fraudulent email. And because online payments clear quickly and are moved on by the fraudster almost immediately, once the money has left your account it is very hard to retrieve.

There are ways of reducing the risk of fraudulent emails reaching your staff. For large organisations an anomaly-detection (“anomalytics”) service might be the answer. These services build up a picture of normal email traffic (who writes to whom, from where, and how often) in order to identify unusual emails that can be subjected to further examination.

Another tool is the DMARC email standard. Combined with SPF and DKIM, it lets receiving mail servers check whether an email that claims to come from your domain was actually authorised by you, and tells them what to do with failures (monitor only, quarantine, or reject). It only works if you publish an enforcing policy and the receiving server honours it, and it doesn’t stop emails from a look-alike domain (one letter different from yours) that the fraudster has registered. It doesn’t of course stop people from breaking into your email account and actually sending emails “from” you. Nor does it prevent phishing attacks. But it is a useful tool nonetheless as it makes it harder for fraudsters to impersonate your exact domain.
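To make the DMARC point concrete, here is an added example (my own illustration, not code from the original article or from any DMARC implementation) that evaluates a DMARC policy for a few constructed messages. The DNS lookups, domain names and public-suffix list are all assumptions embedded inline so that it runs offline; a real receiver would query DNS, use the full public suffix list and honour the `pct` tag, which this example ignores. It shows the two outcomes the text describes: an email spoofing your exact domain fails and is rejected, while an email from a look-alike domain passes, because DMARC only ever checks the domain that is actually in the From address.

```python
"""Minimal DMARC alignment and disposition check (illustration only)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: a tiny stand-in for the public suffix list, enough to derive
# organisational domains for the constructed examples below.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable (organisational) domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes (co.uk) before one-label (com)
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return domain.lower()


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; aspf=s' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")  # relaxed alignment unless stated otherwise
    tags.setdefault("aspf", "r")
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed only needs the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class Message:
    from_domain: str               # domain in the From: header the recipient sees
    spf_domain: Optional[str]      # envelope-sender domain that passed SPF, or None
    dkim_domains: Tuple[str, ...]  # d= values of DKIM signatures that verified


def evaluate_dmarc(msg: Message, dns: dict) -> Tuple[str, str]:
    """Return (result, disposition): result is 'pass' / 'fail' / 'none', disposition is what to do."""
    org = organizational_domain(msg.from_domain)
    txt = dns.get("_dmarc." + msg.from_domain.lower()) or dns.get("_dmarc." + org)
    if txt is None:
        return ("none", "no DMARC record, deliver as usual")
    rec = parse_dmarc_record(txt)
    spf_ok = msg.spf_domain is not None and aligned(msg.from_domain, msg.spf_domain, rec["aspf"])
    dkim_ok = any(aligned(msg.from_domain, d, rec["adkim"]) for d in msg.dkim_domains)
    if spf_ok or dkim_ok:
        return ("pass", "accept")
    policy = rec["p"]
    if msg.from_domain.lower() != org and "sp" in rec:  # subdomain policy, if published
        policy = rec["sp"]
    return ("fail", policy)


# Constructed DNS answers standing in for TXT lookups (assumption, not real records).
DNS = {
    "_dmarc.example.co.uk": "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.uk",
    "_dmarc.partner.com": "v=DMARC1; p=none",          # supplier that only monitors
    "_dmarc.examp1e.co.uk": "v=DMARC1; p=none",        # fraudster's look-alike domain
}

# Constructed messages: genuine, exact-domain spoof, look-alike, and a spoofed supplier.
GENUINE = Message("example.co.uk", "mail.example.co.uk", ())
SPOOFED_CEO = Message("example.co.uk", "bulk-sender.net", ())
LOOKALIKE = Message("examp1e.co.uk", "examp1e.co.uk", ())
SPOOFED_SUPPLIER = Message("partner.com", "attacker.net", ())


def demo() -> dict:
    """Evaluate every constructed message; returned so the results can be inspected or tested."""
    cases = {"genuine": GENUINE, "spoofed_ceo": SPOOFED_CEO,
             "lookalike": LOOKALIKE, "spoofed_supplier": SPOOFED_SUPPLIER}
    return {name: evaluate_dmarc(m, DNS) for name, m in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-17s %s" % (name, outcome))
```

The spoofed CEO email is rejected only because `example.co.uk` publishes `p=reject`; a supplier on `p=none` is still delivered when spoofed, and the look-alike domain passes cleanly, which is why the process controls below matter more than any email filter.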

But the real way to address invoice fraud is through implementing stronger business processes, because these work regardless of which domain or mailbox the fraudulent email comes from. These will include:

  • Ensuring only properly trained and authorised people are able to make online payments
  • Creating a “whitelist” of approved suppliers and their agreed payment instructions (bank details etc)
  • Double checking any changes in payment instructions from suppliers on the whitelist with people you know are authorised to approve those changes, using contact details you already hold rather than those given in the email
  • Checking any payment requests made by managers in your company with that person on the phone or face to face (and not as an email reply, which would go straight back to the fraudster)
  • Ensuring that appropriate documentation is present and checked before any payment is authorised: this might include an invoice, a purchase order, and a “goods received” slip or equivalent
  • Creating a process where additional authorisation is needed to sign off payments
    • Over a certain amount
    • To new suppliers who are not yet on an approved “whitelist”
    • To existing whitelist suppliers who have provided new bank details
    • Where a payment is requested to a country outside normal trading patterns.

Staff should also use their common sense and raise a query when something seems odd. (This of course requires a culture that is sympathetic to juniors raising queries. If you don’t have this sort of culture, or if senior staff bully their juniors, this type of fraud becomes much more likely.)

Process won’t be enough on its own though. Training the finance team is also important so they are aware of the nature of invoice fraud. This training should include advice about how to take extra care with urgent or aggressive requests for payment, and with any request to keep a payment confidential or to skip the usual checks.

Keep cyber safe!