Fake invoices leave businesses at risk
While being duped by fake or duplicate invoices remains a concern for finance professionals, according to recent research businesses remain exposed to such risks, with a failure to ensure that invoices always come in to the same place before being approved and an ‘it won’t happen to me’ attitude cited among the main reasons.
The research, conducted for cloud expenses company Concur, examined the supplier invoicing practices of 500 companies, found that over one fifth of companies had received fake invoices, while 3% of companies admitted to actually paying falsified demands.
‘Little hope’ of getting money back
Commenting on the study Chris Baker, UK Managing Director of Enterprise at Concur said: “if only 3% know they’ve paid a fraudulent invoice, how many more companies have absolutely no idea and have paid, or are still paying, fraudulent invoices?
“Once companies have paid the invoice, there is little hope of getting the money back, but it’s not just about the initial outlay, businesses will be falsely reclaiming VAT and are at risk of penalties, plus investigation if HMRC deems that their processes are at risk.
Katy Worobec, Director of Financial Fraud Action UK added: “Criminals target businesses because they know successfully scamming a company can potentially net them far more money than they could steal from an individual.
“Fraudsters know businesses are used to processing many kinds of payments and so a simple request to change invoice details or provide financial information has a chance of deceiving an accounts department.”
Fraudsters back to ‘tried-and-tested’ techniques
David Clarke, trustee director of the Fraud Advisory Panel believes that invoice fraud is changing because of the measures many firms have put in place protecting data and security.
Clarke said that the fraudsters have “gone back to old tried-and-tested techniques like social engineering, with humans being the weak link.
“If you can’t get an insider then try to get people to trust you,” continued Clarke, “and then you can hit them with ‘we’ve just changed our details’ or ‘moved our account’. People are often just too busy to notice.
“The change has come about because other measures have been successful, so they’ve now got to get clever and go back to the old methods.”
Concur’s Chris Baker added: “The fact is that invoicing is still very much a manual process and people won’t get it right all the time. If a scammer gets a fraudulent invoice past your finance team once, they’ll chance their arm until you stop paying. It’s not unlike phishing in the sense that once a weak spot has been identified it will be exploited time and time again”.
Call back, share information
To avoid falling victim to the fraudsters Katy Worobec from Financial Fraud Action UK recommends you should “be on alert if you receive a call or email out of the blue asking you to update any payment details. If you’re ever in doubt about a request or an invoice, ring back the company on a number that you know, and ask to be put through to a person who you have spoken to before.”
“The villains actively look for someone who’s gullible,” said Fraud Advisory Panel’s David Clarke. “If you have measures in place they move on to the next business. Firms that are savvy about this pick up on it quickly.
“Put information out regularly, I recommend weekly or monthly meetings for anyone in a customer-facing role to share information about potential attacks with members of staff. You don’t have to go on a half day training course to learn this.”
Duplicate payments among ‘deepest concerns’
The Concur study also found that one in three organisations are aware that they have paid duplicate invoices. This issue becomes more widespread as organisations grow, with 59% of firms of between 1,000 and 2,999 employees paying duplicates.
Duplicate invoices were considered more worrying than fraudulent ones, with 34% of respondents citing duplicate payments among their deepest concerns, while only one in five of those surveyed list fraud as a concern.
Has your firm received fake or duplicate invoices, or does your company have a dependable system to deal with these sorts of issues?