Malicious redirection: invoice fraud

In the first in a new series to increase awareness among businesses of the potential threats they face from scammers, we look into invoice fraud – including how it works, who is most at risk and how to stay safe.

How it works

Invoice fraud scams take place when fraudsters trick firms into transferring money by posing as legitimate payees in a business’s supply chain.

Criminals target businesses by posing as a regular supplier and making a request, often by email, for their bank account details to be changed. Once that’s been done, all future payments from the business are sent to an account controlled by the fraudster rather than the genuine supplier, causing financial and reputational loss for the business that’s been targeted as well as financial damage to their supplier, who remains unpaid.

Often the criminals will try to acquire extra details from businesses, such as the date when regular payments are due, to make their approach more convincing. Company and industry websites, as well as social media, are valuable tools for fraudsters to research the business they are targeting because having background information helps them to seem more legitimate.

Invoice fraud is not uncommon. Banking trade body UK Finance says such scams cost firms £92.7m in 2018 – and yet more than four in 10 businesses in the UK are unaware of the risks posed by invoice fraud. There were 3,280 invoice and mandate scams involving businesses over the year, with an average loss per case of over £28,000, according to UK Finance. Of the money lost to this type of fraud, only about a third (£29.6m) was returned to businesses.

What are the risks?

“The gangs behind this type of fraud are increasingly sophisticated and will often get hold of details that allow them to pose convincingly as regular suppliers,” says Katy Worobec, MD of economic crime at UK Finance.

“If someone contacts you asking for a supplier’s bank account details to be changed, always verify with that supplier separately on the phone or in person, using the contact details you have on file.”

Sophisticated fraudsters can make an email request look like part of an existing chain of messages by intercepting genuine correspondence and impersonating the sender – a task made even easier if the company’s network has already been breached using malware.

All companies are vulnerable to this kind of criminal attack, although low awareness among smaller firms may make them more vulnerable. UK Finance surveyed 1,500 firms across the UK and found that just 55% of sole traders were aware of the threat of invoice fraud, compared with 68% of small businesses and 84% of large businesses.

Only one in seven sole traders have taken steps to protect themselves from these kinds of scams, while around half of small businesses and two thirds of larger firms have some protective process in place.

“Procurement fraud involves a deliberate deception intended to influence any stage of the procure-to-pay life cycle in order to make a financial gain or cause a loss, including using falsified invoices,” says Damien Margetson, forensic director at KPMG.

“Organisations with large procurement budgets and/or weaker controls will be common targets. However, the lack of segregation of duties that is likely to exist in smaller companies will often provide the opportunity for fraud of any type to be perpetrated.”

Businesses typically face pressure to pay suppliers within an agreed time frame to avoid late payment, which usually means settling invoices within 30 days. This can lead some firms to rush the process and introduce less scrutiny.

How to stay safe

There are certain things companies can do to minimise the risk of invoice fraud.

Creating a corporate culture that encourages staff to question and not be afraid to challenge anomalies is also key, says Lynne Beaton, operational fraud manager at the bank.

“Staff should always stop and take the time to verify any changes to bank details on a contact number they have sourced independently,” she says.

KPMG’s Global Profile Of A Fraudster study analysed 750 fraudsters worldwide, and in 62% of cases, the perpetrator colluded with others to commit the fraud. What’s more, weak internal controls in the business were a factor in 61% of all fraud.

“It’s important to do due diligence when employing staff,” warns Margetson. “Individuals who have inside knowledge of a business will often be the ones to identify the opportunity and soft spots of a company’s defences and financial procedures to use for their own advantage.

“It’s also wise not to allow one person to have overall control of finance procedures and limit access to company bank accounts in order to protect a business. The repercussions for a business, particularly smaller businesses, can be devastating.”

As well as customer education seminars and support materials, the bank has recently produced a short film, Think Twice, with tips on how companies can protect themselves from invoice redirection fraud and raise awareness of this type of crime. It is designed to encourage businesses to embed a culture where employees question the authenticity of a request, no matter how plausible it appears to be. Simple steps to stop, think and question can go a long way towards fighting financial crime. And in the event that a company falls victim to an invoice fraud, always report the incident to the bank and Action Fraud.

“Action Fraud, run by the City of London Police and the National Fraud Intelligence Bureau, is the UK’s national fraud reporting centre. It has a website the customer may wish to use or, alternatively, Action Fraud can be contacted by phone on 0300 123 2040,” advises Beaton. “From the outset, the customer can be fully assured that the bank will support any criminal investigation.”

It’s also timely that companies become better educated now about the risks of invoice fraud, says Margetson, because economic uncertainty can give criminals more opportunities to take advantage.

“Exactly how Brexit will impact fraud levels is yet to be seen, but disruption, change and uncertain economic conditions can increase the risk of fraud and businesses should have heightened awareness of their fraud controls,” he says.

“Businesses may respond to uncertainty by changing processes, initiating new projects and working with new suppliers: this presents a perfect ecosystem for fraud within which fraudsters will conceal, mislead and misrepresent as they exploit people’s vulnerabilities and confusion about the future. The need to maintain robust fraud controls and embed a risk management framework in change programmes for Brexit – and the need to remain vigilant and thorough during uncertainty – is critical.”

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.
