PDF substitution scam targets finance departments

A recent post on Any Answers warned fellow AccountingWEB members about an invoice PDF substitution scam operating across multiple countries and industries.

The scam works when a criminal intercepts a genuine PDF invoice emailed from a supplier. This is then edited by the fraudster to change the bank details to an account under their control, and resent to the buyer from an email account made to look similar to the supplier’s email address.

The invoice is then settled by the buyer’s Accounts Payable, but to the doctored bank account details, and the fraud is only discovered when the genuine supplier contacts the buyer to ask for payment.

Why it succeeds

Accounts Payable (AP) may attempt to check the new bank details by replying to the email address on the new invoice, but as this is controlled by the fraudster it is more than likely they will write back to confirm.

The scheme often succeeds because many people believe PDFs cannot be edited, but this is not the case and there are commercial editing tools available for such purposes.

Another way the scam thrives is through the practice of one person (e.g. the AP clerk) changing the bank details while another (e.g. the CFO) authorises payments. This separation of duties makes it harder for staff to defraud their own company, but easier for an external party to trick AP without the authoriser's knowledge.

This particular scam targets high value invoices as it requires a large amount of manual work to break into a network, view the emails, edit a PDF, make a new email account, send a new email, set up a bank account and withdraw the stolen funds. Thieves, therefore, monitor email accounts for high value invoices before striking.

Companies need to be cautious

Commenting on the recent uplift in this type of fraud, David Clarke, trustee director of the Fraud Advisory Panel, said that his organisation had seen a lot of these scams. “They’re becoming very popular and companies have to be especially careful to double check their invoices”, said Clarke. “Also, companies need to be cautious that the PDFs don’t contain ransomware.”

Clarke also emphasised the need for vigilance around company names and bank details, as banks do not routinely check names against sort codes and account numbers - something he has written about here.

How to stop it

There are products available such as web portals and document digitisation that protect against this sort of fraud, but they do come at a cost and even companies with these tools may have to stray off the path occasionally to purchase high-value items invoiced by email.

To protect themselves, all finance departments can take the following actions:

  • Always phone to confirm a change of bank details, preferably speaking to a known contact at the company in question.
  • Never just use the details on the email or invoice to contact the company making the account change. Cross-check their details with a trusted source (e.g. your own database).
  • For payments above a certain size consider setting up a phone call or meeting with the invoicing company to ensure the payment is sent to the correct account.
  • Check invoices for irregularities, including changes of name, transaction value or address. Also scrutinise the invoice for changes to its appearance, e.g. blurring of the company logo caused by editing of the PDF.
  • Put in place a procedure to ensure that if the payment is made by someone other than the person changing the bank account details, any account changes are flagged before payment is processed.
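The controls listed above, expressed as an added example that is not part of the original article and is not any product the page mentions: a Python pre-payment check that compares each invoice against a trusted vendor master record (the "trusted source" the article says to cross-check), flags any change of payee name, bank details or sender domain, treats a sender domain that merely resembles the registered one as a lookalike, and holds the payment until a call-back to the phone number held on record, not the one printed on the invoice, has been logged. The vendor names, domains, sort codes, account numbers, the call-back threshold and the `VENDOR_MASTER` and `Verification` structures are all constructed assumptions for illustration.

```python
"""Pre-payment control against PDF invoice substitution.

Hypothetical example code. VENDOR_MASTER stands in for the finance
department's own trusted vendor database; every value in it is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

# Constructed policy value: payments at or above this always need a call-back.
CALLBACK_THRESHOLD = 50_000.0


@dataclass(frozen=True)
class VendorRecord:
    name: str
    email_domain: str     # domain invoices are expected to arrive from
    sort_code: str
    account_number: str
    phone: str            # known contact number used for call-backs


# Constructed sample vendor master; not a real company or account.
VENDOR_MASTER: Dict[str, VendorRecord] = {
    "V001": VendorRecord("Acme Widgets Ltd", "acmewidgets.example",
                         "11-22-33", "12345678", "+44 20 0000 0000"),
}


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    payee_name: str
    sender_email: str
    sort_code: str
    account_number: str
    amount: float


@dataclass(frozen=True)
class Verification:
    """A logged out-of-band check: which number was called and the outcome."""
    vendor_id: str
    phone_called: str     # must equal the number on the master record
    confirmed: bool       # supplier confirmed the details are genuine


@dataclass
class CheckResult:
    release: bool
    flags: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(observed: str, expected: str) -> bool:
    """True when the sender domain differs from the registered one only by a
    hyphen or a couple of characters, i.e. looks deliberately similar."""
    if observed == expected:
        return False
    norm = lambda d: d.lower().replace("-", "")
    return edit_distance(norm(observed), norm(expected)) <= 2


def check_invoice(inv: Invoice, master: Dict[str, VendorRecord] = VENDOR_MASTER,
                  verifications: Sequence[Verification] = ()) -> CheckResult:
    """Compare the invoice with the master record; hold on any discrepancy
    until a confirmed call-back to the number on record is logged."""
    result = CheckResult(release=True)
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        result.flags.append("unknown vendor id")
        result.release = False
        return result

    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain:
        kind = "lookalike" if lookalike_domain(sender_domain, vendor.email_domain) else "unexpected"
        result.flags.append(f"{kind} sender domain {sender_domain!r} (expected {vendor.email_domain!r})")
    if inv.payee_name != vendor.name:
        result.flags.append(f"payee name {inv.payee_name!r} differs from master {vendor.name!r}")
    if (inv.sort_code, inv.account_number) != (vendor.sort_code, vendor.account_number):
        result.flags.append("bank details differ from vendor master")
    if inv.amount >= CALLBACK_THRESHOLD:
        result.flags.append(f"amount {inv.amount:,.2f} at or above call-back threshold")

    if result.flags:
        # Only a call to the number already on record counts; a number taken
        # from the invoice or the email would reach the fraudster.
        verified = any(v.vendor_id == inv.vendor_id and v.phone_called == vendor.phone
                       and v.confirmed for v in verifications)
        result.release = verified
        if not verified:
            result.flags.append("HOLD: no confirmed call-back to the number on record")
    return result


# Constructed sample invoices: one genuine, one with substituted details.
GENUINE = Invoice("V001", "Acme Widgets Ltd", "accounts@acmewidgets.example",
                  "11-22-33", "12345678", 1_200.00)
SUBSTITUTED = Invoice("V001", "Acme Widgets Ltd", "accounts@acme-widgets.example",
                      "99-88-77", "87654321", 48_000.00)

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("substituted", SUBSTITUTED)):
        r = check_invoice(inv)
        print(f"{label}: release={r.release} flags={r.flags}")
```

Run stand-alone it prints the genuine invoice as released with no flags and the substituted one as held with a lookalike-domain flag and a bank-details flag; passing a `Verification` whose `phone_called` matches the master record and whose `confirmed` is true releases it, which is the procedural control the last two bullets describe.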

Have you or your finance department come across this scam? If so, how did you catch it?

About Tom Herbert

Tom is acting editor at AccountingWEB, responsible for all editorial content on the site. If you have any comments or suggestions for us get in touch.

Replies


By NH
12th Oct 2016 17:08

I never would have thought of this, a very useful article, you have to be so careful these days.
Another option would be to download the invoice from the supplier's site/portal rather than opening an attachment.

Thanks (1)
to NH
14th Oct 2016 17:08

NH wrote:

I never would have thought of this, a very useful article, you have to be so careful these days.
Another option would be to download the invoice from the supplier's site/portal rather than opening an attachment.

It is time consuming having to log into every supplier portal, remember the password and navigate the site to try and find the invoice. Multiply that by several invoices and it is sucking up a lot of time. There must be a better solution.

Thanks (1)
to jon_griffey
14th Oct 2016 19:27

A potential solution is 'secure sharing' where a supplier emails a secure link which leads to a secure website where the invoice is hosted. We are working on such a solution for some of our clients at the moment.

Thanks (0)
13th Oct 2016 09:54

Another option to solve this problem is to securely share the invoice through a portal such as MyDocSafe. If an invoice has to be emailed, it could be digitally signed first. The recipient can then check the authenticity of the signature to make sure that the contents of the emailed file have not been compromised.

Thanks (0)
By zxcvb
13th Oct 2016 10:48

We had exactly this situation - a customer's email was hacked and an email we sent was altered. It was only discovered when we chased for payment; they thought they had already paid.
The customer lost several thousand £.

Thanks (1)
13th Oct 2016 12:22

To show how you cannot be too careful these days, have a read of this recent disturbing case of a brazen £1m property fraud that cost the poor defrauded buyer £1m.

http://www.bailii.org/ew/cases/EWHC/Ch/2016/2276.html

It's hard to see what could have been done differently by the buyer in that case.

Thanks (1)
to Justin Bryant
13th Oct 2016 18:00

Justin Bryant wrote:

To show how you cannot be too careful these days, have a read of this recent disturbing case of a brazen £1m property fraud that cost the poor defrauded buyer £1m.

http://www.bailii.org/ew/cases/EWHC/Ch/2016/2276.html

It's hard to see what could have been done differently by the buyer in that case.
A very interesting and rather terrifying case. The fraud appears to have been 100% successful. The fraudulent seller seems to have got away with the money and the defrauded purchaser had no recourse and lost £1m plus legal costs which for a 5 day case involving several QCs must have been in six figures. It makes one wonder whether purchasers of properties ought to insist on seeing the same identity documents as the sellers' solicitors in cases where they have had no contact with the seller and therefore no opportunity to make common sense checks that the person claiming to sell the property is in fact the true owner.
Thanks (1)
13th Oct 2016 14:49

Just spoken to a supplier who asked us why we didn't check his invoice when the BACS payment bounced back and maybe this answers his question. Surprisingly, my new company insists on paying suppliers by cheque on large amounts just to counter such a situation knowing the cheque can only be banked by the intended recipient.

Maybe the old fashioned ways aren't so bad...

Thanks (1)
17th Oct 2016 12:02

Good article Tom. We also encourage our users to turn on reference data audit for Creditors so any changes to bank account or payment terms are tracked and checked prior to running a payment process.

Thanks (1)
06th Dec 2016 08:25

Another solution is to automate invoice fetching. There are several software products that have this feature. A few months ago I started to use www.getmyinvoices.com. This cloud-based software allows you to automatically collect, find and transfer incoming invoices to other bookkeeping services. It protects against invoice scams, takes that whole mess away and keeps finance happy with me!

Thanks (0)