PDF substitution scam targets finance departments
A recent post on Any Answers warned fellow AccountingWEB members about an invoice PDF substitution scam operating across multiple countries and industries.
The scam works when a criminal intercepts a genuine PDF invoice emailed from a supplier. This is then edited by the fraudster to change the bank details to an account under their control, and resent to the buyer from an email account made to look similar to the supplier’s email address.
The invoice is then settled by the buyer’s Accounts Payable, but to the doctored bank account details, and the fraud is only discovered when the genuine supplier contacts the buyer to ask for payment.
Why it succeeds
Accounts Payable (AP) may attempt to check the new bank details by replying to the email address on the new invoice, but as this is controlled by the fraudster it is more than likely they will write back to confirm.
The scheme often succeeds because many people believe PDFs cannot be edited, but this is not the case and there are commercial editing tools available for such purposes.
Another way the scam thrives is through the practice of one person (e.g. the AP clerk) changing the bank details while another (e.g. the CFO) authorises payments. This separation of duties makes it harder for staff to defraud their own company, but easier for an external party to trick AP without the authoriser's knowledge.
This particular scam targets high-value invoices, as it requires a large amount of manual work to break into a network, read the emails, edit a PDF, create a new email account, send a new email, set up a bank account and withdraw the stolen funds. Thieves therefore monitor email accounts for high-value invoices before striking.
Companies need to be cautious
Commenting on the recent uplift in this type of fraud, David Clarke, trustee director of the Fraud Advisory Panel, said that his organisation had seen a lot of these scams. “They’re becoming very popular and companies have to be especially careful to double check their invoices”, said Clarke. “Also, companies need to be cautious that the PDFs don’t contain ransomware.”
Clarke also emphasised the need for vigilance around company names and bank details, as banks do not routinely check names against sort codes and account numbers, something he has written about previously.
How to stop it
There are products available such as web portals and document digitisation that protect against this sort of fraud, but they do come at a cost and even companies with these tools may have to stray off the path occasionally to purchase high-value items invoiced by email.
To protect themselves all finance departments can take the following actions:
- Always phone to confirm a change of bank details, preferably speaking to a known contact at the company in question.
- Never just use the details on the email or invoice to contact the company making the account change. Cross-check their details with a trusted source (e.g. your own database).
- For payments above a certain size consider setting up a phone call or meeting with the invoicing company to ensure the payment is sent to the correct account.
- Check invoices for irregularities, including changes of name, transaction value or address. Also scrutinise the invoice for changes to its appearance, e.g. blurring of the company logo caused by editing of the PDF.
- Put in place a procedure to ensure that if the payment is made by someone other than the person changing the bank account details, any account changes are flagged before payment is processed.
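As an added example, not taken from the article or from any AccountingWEB member, the following Python check turns the last few actions into a pre-payment hold: it compares the invoice's sender domain and bank details against a trusted vendor master record and flags high-value payments for a call-back. The vendor record, the lookalike sender address and the call-back threshold are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed trusted vendor master (the "trusted source" the article refers to);
# in practice this would come from the finance system, never from the invoice itself.
VENDOR_MASTER = {
    "Acme Supplies Ltd": {"domain": "acmesupplies.co.uk", "sort_code": "123456", "account": "12345678"},
}
CALLBACK_THRESHOLD = 10_000.00  # assumed policy: amounts at or above this require a phone call or meeting


@dataclass
class Invoice:
    supplier: str
    sender_email: str
    sort_code: str
    account: str
    amount: float


def _digits(value: str) -> str:
    """Normalise a sort code or account number so '12-34-56' and '123456' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())


def review_invoice(inv: Invoice, master: dict = VENDOR_MASTER) -> list[str]:
    """Return hold reasons; an empty list means the invoice matches the master record and is below the threshold."""
    record = master.get(inv.supplier)
    if record is None:
        return ["unknown supplier: set up the vendor from a trusted source before any payment"]
    reasons = []
    # Lookalike sender addresses are the scam's delivery channel: compare the domain, not just the display name.
    domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if domain != record["domain"]:
        reasons.append(f"sender domain {domain!r} differs from trusted domain {record['domain']!r}")
    # Changed bank details are the payload: hold and phone a known contact using the number on file.
    if (_digits(inv.sort_code), _digits(inv.account)) != (_digits(record["sort_code"]), _digits(record["account"])):
        reasons.append("bank details differ from vendor master: confirm by phone with a known contact")
    if inv.amount >= CALLBACK_THRESHOLD:
        reasons.append(f"amount {inv.amount:.2f} at or above call-back threshold: confirm account before paying")
    return reasons


if __name__ == "__main__":
    suspicious = Invoice("Acme Supplies Ltd", "accounts@acmesuppiles.co.uk", "65-43-21", "87654321", 25000.0)
    for reason in review_invoice(suspicious):
        print("HOLD:", reason)
```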
Have you or your finance department come across this scam? If so, how did you catch it?