Small and medium-sized enterprises (SMEs) can be particularly vulnerable to fraud due to harsh economic conditions and limited resources. In addition, many SMEs may not have a dedicated IT or cybersecurity team, leading to little awareness about the risks associated with invoice fraud attacks.
However, many owners and managers may be unaware of the risks their businesses face when dealing with payments and invoices for suppliers.
Here are some examples of how supplier invoice fraud could occur in your business:
Vendor Identity Theft: Attackers may target SMEs by stealing the identity of their genuine vendors. They gather information about the vendor, including logos, contact details, and billing patterns, and then create fraudulent invoices that closely resemble legitimate ones.
Invoice redirection: These attacks involve attackers intercepting legitimate invoices and modifying the payment details to direct funds to their fraudulent accounts, causing businesses to pay the attackers instead of the intended recipients unknowingly.
Business Email Compromise (BEC): BEC attacks involve attackers gaining unauthorised access to an employee's email account or impersonating a high-level executive within the organisation. The attacker then emails the finance department or relevant personnel, instructing them to make urgent payments to a fraudulent account.
Invoice Phishing: In this type of attack, attackers send phishing emails to SMEs, masquerading as legitimate organisations or service providers. These emails contain malicious attachments or links that, when clicked, can lead to the installation of malware or the capture of sensitive information. The attacker may use the obtained information to create fraudulent invoices or carry out further attacks.
Fake Invoice Scams: In this attack, attackers send fraudulent invoices to targeted SMEs, posing as legitimate vendors or suppliers. The invoices typically contain altered or falsified payment details. The goal is to deceive the SME into paying the fraudster's account.
In many cases, the fraud is usually only uncovered when a genuine supplier chases for non-payment.
Here are some tips to help reduce the risk of supply chain invoice fraud and keep your business safe:
Process invoices promptly - to reduce the risk of fraud going undetected for a lengthy period. This allows you to identify any business request or transaction that appears suspicious, out of the ordinary, and maybe fraudulent.
Use a three-way matching process - match the purchase invoice to the purchase order and order receipt. This will help to reduce the risk of processing fake invoices.
Single point of contact - for suppliers where regular payments are made. This person should be contacted to discuss any suspicious invoices.
Check every invoice - accounts payable should pay particular attention to supplier names, company logos, invoice numbers, contact information, invoice amount, account numbers, and bank details to identify fake invoices.
Confirm bank account details - Adopt a multi-step process to validate the request to change supplier details. This may consist of an email confirmation from a single point of contact for the supplier in question and a telephone call to the supplier's landline.
Check supplier statements - regular reconciliations against supplier invoices received and payments made can assist in identifying any irregularities.
Verify supplier email addresses - sometimes fraudsters can create an email almost identical to the original email held by the supplier, which can go unnoticed.
Conduct due diligence - check the supplier details you have on file, trading name, address, email address, and telephone number, and conduct online searches.
Set a threshold - where payments above this level will mean setting up a meeting with the supplier to confirm any account detail changes. Dual authorisation could be implemented for transactions above a specific limit.
Steps to Take When Discovering You Have Been a Victim of Fraud
Inform the victim supplier - Any suspicious correspondence should be reported to the genuine supplier and will allow them to put protective measures in place.
Recall the funds - If the money has been transferred to the fraudster, ask the bank to attempt to recall the funds. If banks suspect criminal funds in accounts, they can freeze them and place them into a separate holding account.
Always report fraud and get help - If you suspect, you may have been scammed or involved in cyber fraud or have information about a possible fraudster, contact Action Fraud. Even if you have not suffered any financial loss, this will enable the Police to analyse trends and prevent fraudsters from exploiting other businesses.
Ensuring employees receive ongoing security awareness training in identifying scams, particularly those in accounts payable, is essential. The consequences of falling for this type of fraud can inevitably result in redundancies and the closure of businesses.
By adopting robust internal controls and processes along with effective accounting practices, businesses can go a long way towards combating the threat of supplier invoice fraud. Companies should foster a culture of fraud awareness within their workplace to reduce the associated risks.
Ready to prepare your staff with security awareness training? Contact us today to learn more.
Further support for Accountants
For further information regarding the help and support we can offer your accountancy firm (including fully-funded support), you can view our dedicated support page for accountants.
Comments