Fake invoicing is a common scam threatening Canadian businesses. In fact, 52% have experienced invoice fraud. While it’s not necessarily easy to avoid becoming a target of these scams, your business can take steps to protect itself.
Today, 37% of Canadian businesses do not have a process in place to prevent invoice fraud. As Detective Alpha Chan of the Toronto Police Service Cyber Crime Unit says, it’s not a question of “if” your business is targeted, but “when.” It’s therefore important to be armed with knowledge of common scams, frequent tactics used to penetrate a business and the processes that can help you spot a scam and mitigate financial losses.
Three types of fake invoicing scams
Invoicing scams involve criminals trying to trick businesses into sending – or redirecting – a payment to a fraudulent account. Today, there are three primary tactics used by fraudsters.
1. Redirection of funds. In the first type of scam, the criminal already knows which businesses typically send you invoices. They may send an email pretending to be a vendor and tell you that their payment structure has changed, or that they have recently switched banks, ‘so please send payment to this new account’. As Detective Chan explains, “This looks legitimate. They might have the proper letterhead. They might even have the proper email from the person who does your communication back and forth.” When a business is tricked, payment goes directly to the scammer and not the intended company.
2. Receipt of invoices from a (fake) new company. The second type of scam occurs when your business begins receiving an invoice – or series of invoices – from a new company. A business that doesn’t do its due diligence could get tricked into paying for products or services it never ordered in the first place. This type of scam tends to work when your business gets busy, you have a lot of paperwork coming in and out, and new companies sending bills to your business aren’t sufficiently verified.
3. Accounts receivable interception. The third type of invoicing scam is relatively new, and occurs when a fraudster gets their hands on your accounts receivable list. Armed with this information, they can target the companies that owe you money and request that funds be redirected to them.
Given the frequent incidence of fake invoicing scams, taking steps to protect your business is essential. In the third episode of our podcast series: Real-Life Cyber Crime Stories, RBC Director of Awareness and Education Denise Pratt sits down with Detective Alpha Chan to discuss the types of scams out there and the prevention tactics your business can easily implement.
As Detective Chan explains, criminals do their research to create scams that look and sound legitimate. A combination of awareness and diligence will protect your business from fake invoicing scams. Here are five steps to consider.
1. Watch for changes – and validate them
If new payment instructions are issued from a vendor or customer, it’s best to contact the biller directly to confirm that the new process is legitimate. Keep in mind that picking up the phone is better than relying on email correspondence, which is not secure and can be easily compromised.
In fact, formal verification systems can go a long way toward protecting your business. Detective Chan advises businesses to “have a process in place between you, your vendor and any third party, and to put something on paper” as an extra check and balance.
2. Review all invoices closely
Never pay an invoice unless you know the bill is for items actually ordered or for services provided. Even when times get busy, it’s best to verify new vendors or customers and confirm that what has been billed is legitimate and correct.
3. Maintain strong passwords
Many fraudsters succeed at tricking businesses because they can hack into an employee’s email and see confidential invoice information. As Detective Chan explains, “if one of your employees is using a weak password and the email is compromised, [fraudsters] can look through the history of the email and find out what previous invoices look like.” They can also see how employees interact with their vendors and/or customers. Mandating strong passwords across your organization can help keep fraudsters out of your systems.
A lesson on Business Email Compromise (see our post and podcast about this scam) can also help safeguard your business.
4. Don’t rush to pay
Fraudsters are often effective because they include a sense of urgency in their communications. They may tell an employee that an invoice is overdue and steep interest charges will apply if the bill isn’t paid immediately. Or, they may claim that an order is being held up until payment is received.
When you and your employees are aware that this type of manipulation exists, you’re more likely to pause and question an aggressive request for payment.
5. Report any scams – successful or not!
Many businesses do not report fraud attacks or attempts, particularly if losses are minimal. But as Detective Chan explains, it’s important to report scams any time you see them. “If it happens to your company,” he says, “it will also happen to the company next to you and then eventually the company next to them. But if no-one ever reports it, there are no resources [assigned to it] and no investigation.” As a result, fraudsters can operate unchecked for years.
Even if you haven’t lost a cent, it’s a good idea to contact your local law enforcement agency to notify them of an attack or an attempted attack. They keep a database and track this kind of activity, and can put the right resources in place to protect businesses against further incidents.
Detective Chan offers these tips when reporting cyber crime:
- Keep all original communication. Retaining the original emails on your computer may allow law enforcement to uncover the original IP address and see where the email came from.
- Know where to call before there is an incident. Being prepared will make your response time quicker, which could help you recover faster.
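Why the original message matters for tracing, shown as an added example that is not part of the original article: each mail server prepends a Received header recording the address it accepted the message from, and a forwarded copy is a new message that no longer carries that chain. The two messages, their hostnames and addresses are constructed, and the function names are hypothetical.

```python
import email
import re
from email import policy

# Constructed sample: the message as preserved in the recipient's mailbox.
# Addresses come from documentation ranges; hostnames are placeholders.
ORIGINAL_EML = (
    "Received: from mx.buyer.example (mx.buyer.example [198.51.100.10])\n"
    "\tby mailstore.buyer.example with ESMTPS; Tue, 2 Apr 2024 10:15:03 -0400\n"
    "Received: from relay.isp.example (relay.isp.example [203.0.113.25])\n"
    "\tby mx.buyer.example with ESMTPS; Tue, 2 Apr 2024 10:15:01 -0400\n"
    "Received: from [192.0.2.77] (unknown [192.0.2.77])\n"
    "\tby relay.isp.example with ESMTPSA; Tue, 2 Apr 2024 10:14:58 -0400\n"
    "From: Accounts <billing@vendor.example>\n"
    "Subject: Updated banking details\n"
    "\n"
    "Please send payment to our new account.\n"
)

# Constructed sample: the same text after an employee forwarded it internally.
FORWARDED_EML = (
    "Received: from ws12.buyer.example (ws12.buyer.example [198.51.100.44])\n"
    "\tby mailstore.buyer.example with ESMTPS; Tue, 2 Apr 2024 11:02:40 -0400\n"
    "From: ap@buyer.example\n"
    "Subject: Fwd: Updated banking details\n"
    "\nPlease send payment to our new account.\n"
)

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw_message):
    """Return (sending_ip, receiving_host) for each hop, oldest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    # Servers prepend their Received line, so reverse to get oldest first.
    for header in reversed(msg.get_all("Received", [])):
        ips = IP_IN_BRACKETS.findall(header)
        by = re.search(r"\bby\s+(\S+)", header)
        # The last bracketed address is the one the receiving server observed.
        hops.append((ips[-1] if ips else None, by.group(1) if by else None))
    return hops

def oldest_hop_ip(raw_message):
    """Address recorded by the oldest hop; lines below your own servers can be forged."""
    hops = received_hops(raw_message)
    return hops[0][0] if hops else None
```

Run against the preserved original, the oldest hop shows the submitting address; run against the forward, only the internal workstation appears.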
The Toronto Police Cyber Crime number is 416-808-2222. If your business is outside the Toronto area, check in with your local law enforcement to understand who to contact.