Business email compromise scams are on the rise. According to the FBI’s annual Internet Crime Safety Report, there were more than 23,000 BEC incidents reported to the FBI in 2019, totaling losses of $1.7 billion. That’s a one-year increase of 16% and 30% respectively.
What’s worse, says the FBI, is that these schemes, in which a legitimate business email account is compromised through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds, are becoming more sophisticated, as well.
You may have been savvy enough to spot that phishing email from your “CEO” who needed you to drop everything and run out and buy $1500 worth of gift cards. She spelled her own name wrong, after all. Now scammers are targeting invoices, either tampering with valid invoices and changing the mailing address, or just sending out their own idea of a fake invoice hoping companies won’t notice. Frequently, these will be for office supplies, printer toner, cleaning products, membership dues or directory listings—ordinary things that many companies purchase every day.
Cybersecurity experts warn that fraudsters frequently will test the waters with a low dollar amount request. If the payment goes through, they know they’ve found a company that isn’t paying enough attention to its accounts payable.
One of our accounting clients almost fell victim to invoice fraud, but XMI was able to thwart this scam through the power of big data. A client received an invoice that looked legitimate; it was entered into our accounts payable portal (Bill.com), approved by our client’s designated senior executive, and ready to be processed for payment.
But, behind the scenes, Bill.com’s automated data analysis program was mining data and spotted a disturbing trend—the same vendor, the same invoice number and the same dollar amount were submitted repeatedly, and not just to the same company. We received an alert and were able to confirm with the client and stop the payment before it went through.
While big data was the hero in this scenario, there are several steps you and your staff also can take to protect your company from invoice fraud:
Watch for red flags
Scrutinize the invoice. These and other red flags can tip you off to invoice fraud.
Is the logo blurry? Does the account number match? Are the address and contact info the same? Look again—are they really the same? Scammers are counting on someone glancing at invoices to spot only major changes; that’s why they’re in the business of making their changes more subtle. Also, if something changed, why is the invoice the first place you’re finding out about it? A reputable vendor would alert you to a change in some other way.
Avoiding invoice fraud—and all types of BEC scams—takes equal parts common sense, cybersecurity savvy and attention to detail. Raise awareness of the potential for invoice fraud by sharing this article with employees. Educate them on cybersecurity basics by holding regular employee phishing training. Also regularly remind employees, especially those involved in your accounts payable process, to pay attention to details when approving and processing invoices.
Set up the right controls
With the proper processes and protocols in place, most companies should be able to detect fraudulent invoices before it’s too late. The gold standard in accounts payable is the three-way match—before any invoice is paid, it’s compared to both the original purchase order and receipt or receiving report. Details like quantities, price per unit and terms ensure you got what you paid for, but you can also use this important step in the process to check for account numbers, contact information and mailing address to help ensure the invoice is valid. Dealing with invoices quickly, instead of letting them accumulate, can also help you detect issues more easily. If a discrepancy is found, verify the information with the vendor.
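The two controls above in code, as an added example that is not XMI’s or Bill.com’s own logic: a three-way match that compares quantity and unit price to the purchase order and receiving report and the remit-to details to a vendor master file, plus a duplicate check for the same vendor, invoice number and amount appearing at more than one company. The vendor master, purchase orders, receiving reports and invoice records are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed sample data (hypothetical, not from the original post).
@dataclass(frozen=True)
class Invoice:
    company: str        # the company being billed
    vendor: str
    number: str         # invoice number printed on the document
    po_id: str          # purchase order it claims to bill against
    qty: int
    unit_price: float
    bank_account: str   # remit-to account printed on the invoice
    remit_address: str

# Reference data: vendor details verified out of band at onboarding, plus PO and receiving records.
VENDOR_MASTER = {"Acme Toner": {"bank_account": "111222", "remit_address": "1 Main St"}}
PURCHASE_ORDERS = {("Acme Toner", "PO-77"): {"qty": 10, "unit_price": 42.0}}
RECEIVING_REPORTS = {("Acme Toner", "PO-77"): {"qty": 10}}

def three_way_match(inv: Invoice) -> list:
    """Compare the invoice to its PO, the receiving report and the vendor master; list discrepancies."""
    issues = []
    key = (inv.vendor, inv.po_id)
    po = PURCHASE_ORDERS.get(key)
    if po is None:
        issues.append("no matching purchase order")
    elif abs(inv.unit_price - po["unit_price"]) > 0.005 or inv.qty != po["qty"]:
        issues.append("quantity or unit price differs from purchase order")
    rcv = RECEIVING_REPORTS.get(key)
    if rcv is None:
        issues.append("no receiving report")
    elif inv.qty != rcv["qty"]:
        issues.append("quantity differs from receiving report")
    master = VENDOR_MASTER.get(inv.vendor, {})   # unknown vendor: every field mismatches
    for field in ("bank_account", "remit_address"):
        if getattr(inv, field) != master.get(field):
            issues.append(f"{field} differs from vendor master")
    return issues
def cross_company_duplicates(invoices) -> dict:
    """Flag the same vendor, invoice number and amount billed to more than one company."""
    seen = defaultdict(set)
    for inv in invoices:
        seen[(inv.vendor, inv.number, round(inv.qty * inv.unit_price, 2))].add(inv.company)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
GOOD = Invoice("Client A", "Acme Toner", "INV-100", "PO-77", 10, 42.0, "111222", "1 Main St")
# Same invoice with only the remit-to account swapped, the kind of subtle change a glance misses.
TAMPERED = Invoice("Client A", "Acme Toner", "INV-100", "PO-77", 10, 42.0, "999888", "1 Main St")
# The identical vendor/number/amount sent to a second company as well.
REPLAYED = Invoice("Client B", "Acme Toner", "INV-100", "PO-77", 10, 42.0, "999888", "1 Main St")
```

Run on real data, the duplicate check is only useful across many paying companies (as a shared portal sees them); inside one company, the same key appearing twice is the classic double-payment check.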
While scammers work hard every day to steal your money, staying vigilant and putting in the proper protocols can help guard your organization against invoice fraud and other duplicitous schemes.