How to Stop Invoice Fraudsters from Poking Holes in Your Bottom Line
Modern digital scammers use social engineering on their victims, exploiting scare tactics, panic, and laziness to steal and defraud.
Invoice fraud is when bad actors get a company to fulfill inauthentic invoices by masquerading as a legitimate business partner or contractor. Different fraudsters approach it by different means and at different scales. Regardless of how the fraudster makes inroads into a company’s infrastructure, invoice scammers all assume that their crime will be facilitated by simply getting lost in the constant stream of legitimate business invoices, at least for long enough to make their digital getaway.
As with many scammers who rely on social engineering to build momentum to their criminal goal, the first line of defense is keeping your workforce educated on pervasive threats. This extends into what technology can be leveraged against these fraudsters, and how that technology should be employed.
Invoice fraud is as versatile as it is damaging to your ROI, so finding and precluding it may involve shining flashlights in corners that usually go ignored in your organization.
What is invoice fraud?
Any time a bad actor manipulates or falsifies information on an invoice to siphon funds away from a company, it is considered invoice fraud. Usually, the bad actor does not actually have a working relationship with the company – though they can – and usually they have not actually delivered any goods or services to the company.
Within this definition, there are many different methods to defraud a company via a manipulated invoice. By looking at the pieces in play – the invoice, the fraudster, the company, the legitimate contractor – we can begin to understand how many opportunities invoice fraud presents to bad actors. Between these parties, a fraudster could:
- Pose as the legitimate contractor, taking their payment for themselves.
- Intercept and manipulate the invoice, changing bank details to route money elsewhere.
- Set up an entire fake company that then requests invoices be filled for services never rendered.
- Pose as someone internal to the company, requesting existing payment setups to be changed or re-routed.
- Intercept and physically alter both invoices and checks to effectively steal the hard currency.
It is important to keep in mind that fraud is an inherently creative space that will seek new weaknesses when old ones are patched. On the journey to security through awareness, we will discuss some of the most common invoice scams plaguing the digital economy today, but it is also important to keep in mind that the above permutations are potentially only the tip of the iceberg.
Common forms of invoice fraud
Invoice fraudsters consistently aim to fly under the security radar, hiding their ill-intentioned paperwork in stacks of legitimate invoices. They rely on efficiency-driven finance teams to hide in plain sight, getting their illicit payment signed off on quickly, without raising any alarms. At this stage, getting to know some of the common subtleties is crucial if manual review teams want to curb this kind of fraud.
Companies that do not have strong processes in place to vet potential partners, even for work as on-the-ground as maintenance or office supply, will find themselves falling victim to invoice scams from illegitimate vendors the most.
When the door is left open in this way – by having a low-scrutiny or automated partner onboarding process – one of the most common forms of fraud is to find that your company has been paying small, incremental invoices out to a company that doesn’t seem to actually fulfill anything.
The perpetrator in these cases is relying on their invoices being too small to call much attention, or even that there is automation in place that is designed to auto-approve invoices that are below a certain threshold. Though an individual payment might not mean much to your bottom line, if your invoice payouts are numerous enough to require efficient processes, you might discover a false vendor that you’ve been paying for months or even years of small but malicious claims.
Spoofed payment documents
If the email address of someone on a finance team gets compromised, or even if an unauthorized person is able to take a picture of an open invoice document, that company is already in danger of fulfilling spoofed invoices to malicious actors.
Once a legitimate invoice is acquired by a bad actor, making subtle changes to the payment information, such as addresses, routing numbers, remittance data, or email addresses, is trivial with photoshopping tech, or even factory-installed photo editing software on phones.
The likelihood that a manual review by a finance team will notice the subtle differences in this payment data is low – a key point for the fraudsters. Note that the fraudster could be an internal member of staff themselves, routing altered or just fictional payments to a third party from the inside.
In 2019, a Lithuanian man was charged with defrauding Meta (then Facebook) and Google of over $100 million. The 50-year-old perpetrator achieved this by simply opening a Lithuania-based company under the same name as a legitimate Taiwanese tech manufacturer, then spoofing, forging, and reappropriating official letterheads and payment information to claim payments that were meant for that company.
The realities of international business, with teams distributed globally, create opportunities like this for fraudsters. Confusion and laziness are key for the successful social engineering fraudster. Again, having ground-level due diligence practices when it comes to vetting potential business clients is crucial to shore up security.
How impactful is invoice fraud? Should you be worried?
According to a recent survey of 2,750 businesses, Forbes estimates that every company loses an average of $280,000 per year to invoice fraud. This number is inclusive of the full range of businesses in terms of size and scale, as well as the 25% of businesses that reported no ability to measure how much they might have lost to invoice fraud. This means that the actual amount of average loss might be much higher, and there are no special dispensations for those SMBs whose bottom lines can’t afford to take a $300k hit by comparison to an enterprise company.
This figure does not represent a foregone conclusion, however. Outside of staff awareness, there are data-driven ways to mitigate the negative impact that the inevitable invoice fraudsters will have on your ROI, by performing more comprehensive reviews of submitted partner data than a human can.
Leveraging software to find needles in haystacks
Invoice fraudsters will essentially be sneaking into your digital office, sliding a falsified invoice into your “to-do” pile, then quietly assuming it will be fulfilled, lost in the assembly line of other legit invoices. This assumption of the fraudsters is based on the natural tendency for finance teams reviewing invoices to assume there is no malfeasance occurring. Indeed, even if those same finance teams were fully alert to the possibility of invoice fraud, the minutiae of the changed payment details might escape their notice.
This is where software solutions can fill cognitive gaps that are large enough for a fraudster to slip through, but would almost certainly go unnoticed by a human manual reviewer.
Detecting false vendors
When onboarding potential business partners, be they marketing affiliates or an in-house plumbing contractor, a false vendor whose true intention is to defraud the company could be detected by leveraging a risk-based fraud solution. This way, decidedly fraudulent attributes of the contractor could be detected in ways that a human mind couldn’t reasonably be asked to. The data points that could be usefully scrutinized include:
- Reverse phone lookups can quickly reveal the online persona of a potential business partner. This includes the location of the phone number – does it correspond to other submitted data? Is it otherwise unusual? – and any associated messenger apps or social media profiles – does this person’s social media presence align with who they say they are?
- Reverse email lookups can be similarly revealing, letting finance teams check to see if an email address is associated with online registrations that indicate a real, verifiable human presence, as opposed to an account recently opened to commit fraud. This is done through revealing the approximate age of an address, and potentially reveals a more comprehensive list of associated apps and websites than a phone number. This may also result in photos of the applicant, allowing manual teams to double-check invoices with a quick video call.
For instances of invoice fraud that do a better job of hiding themselves, as with false vendors who rely on incremental charges over time to make their illicit profits, software can also help detect those fraudsters adept at staying under the radar, undetected.
Detecting ongoing invoice scammers
Some security software stacks offer velocity checks that can be adjusted to scrutinize payment (and outgoing payment) patterns. Machine learning baked into these stacks can be integrated into automated invoice payment processes, then tuned to look for patterns that match the methods of invoice fraudsters. The ML algorithms will be even better at this if instances of invoice fraud have already been discovered in the system and can thereafter be used as the basis for the security model. These can help by:
- Pointing out patterns of suspiciously low invoices.
- Alerting you to unexpected changes in payment information when a legit account turns fraudulent.
- Pausing automated payments that follow patterns established to be fraudulent in terms of frequency or amount.
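A rule-based sketch of the three checks listed above, added here as an illustration and not taken from any vendor's product. The threshold, window, vendor names and invoice records are all constructed assumptions; a production system would tune them against its own payment history.

```python
from collections import defaultdict
from datetime import date, timedelta

AUTO_APPROVE_LIMIT = 500.00   # assumed auto-approval threshold
NEAR_LIMIT_RATIO = 0.80       # "just under the limit" means 80-100% of it
WINDOW = timedelta(days=30)   # assumed velocity window
MAX_NEAR_LIMIT = 3            # near-limit invoices tolerated per window

# Constructed sample data: (vendor, invoice date, amount, bank account)
INVOICES = [
    ("Acme Supplies", date(2024, 3, 1), 2400.00, "ACCT-1001"),
    ("Acme Supplies", date(2024, 4, 1), 2380.00, "ACCT-1001"),
    ("Acme Supplies", date(2024, 5, 1), 2410.00, "ACCT-7777"),
    ("QuickFix Maintenance", date(2024, 4, 2), 480.00, "ACCT-2002"),
    ("QuickFix Maintenance", date(2024, 4, 9), 495.00, "ACCT-2002"),
    ("QuickFix Maintenance", date(2024, 4, 16), 470.00, "ACCT-2002"),
    ("QuickFix Maintenance", date(2024, 4, 23), 499.00, "ACCT-2002"),
    ("City Water", date(2024, 4, 5), 120.00, "ACCT-3003"),
    ("City Water", date(2024, 5, 5), 118.00, "ACCT-3003"),
]

def review_invoices(invoices):
    """Return {vendor: [reasons]} for vendors whose automated payments should be held."""
    by_vendor = defaultdict(list)
    for vendor, day, amount, account in sorted(invoices, key=lambda r: r[1]):
        by_vendor[vendor].append((day, amount, account))
    holds = defaultdict(list)
    for vendor, rows in by_vendor.items():
        # Payment details that differ from the previous invoice need out-of-band confirmation.
        for (_, _, prev), (day, _, cur) in zip(rows, rows[1:]):
            if cur != prev:
                holds[vendor].append(f"bank account changed on {day}")
        # Velocity check: count invoices just under the limit inside a sliding window.
        near = [d for d, amt, _ in rows
                if AUTO_APPROVE_LIMIT * NEAR_LIMIT_RATIO <= amt < AUTO_APPROVE_LIMIT]
        for i, start in enumerate(near):
            in_window = [d for d in near[i:] if d - start <= WINDOW]
            if len(in_window) > MAX_NEAR_LIMIT:
                holds[vendor].append(
                    f"{len(in_window)} invoices just under auto-approve limit within 30 days of {start}")
                break
    return dict(holds)

if __name__ == "__main__":
    for vendor, reasons in review_invoices(INVOICES).items():
        print(f"HOLD {vendor}: " + "; ".join(reasons))
```

The utility vendor with genuinely small bills is not flagged, because the rule looks for amounts clustered just below the approval limit rather than for low amounts in general.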
A simple checklist to fight invoice fraud
Though each company’s security best practices will be different, a general common-sense fraud-fighting guideline is a good step towards becoming invoice scam-free. Though it seems initially exhausting to perform this kind of checklist for every invoice payout, the moments when your finance team’s back is turned – that is, when they don’t use such a list – are the moments the fraudsters are waiting for.
- When a legacy contractor changes their payment details via email or DM, corroborate the change over the phone or video chat.
- Be mindful of suspicious changes made over the phone. Is a suspiciously short time frame a factor? Is undue pressure being leveraged? If so, call back the apparent partner at an established phone number.
- Consider safeguarding or not publishing your partner identifying information, to make it harder for fraudsters to pose as them.
- Take the time to compare invoices, or switch to a digital invoice solution that can compare minute details automatically.
- Establish single points of contact when possible.
- Keep open lines of communication between finance and fraud teams.
- Make sure staff are educated about best security practices, including good password management and not working on sensitive financial documents in public spaces.
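The automatic comparison of minute details mentioned in the checklist, and the subtle edits described under spoofed payment documents, can be sketched as a field-by-field check of each incoming invoice against the vendor record verified at onboarding. This is an added example, not code from SEON or any invoicing product; the field names, the 0.85 similarity cut-off and all record values are constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed vendor master record, as verified at onboarding.
VENDOR_MASTER = {
    "name": "Northwind Components Ltd",
    "email": "billing@northwind-components.example",
    "account": "ACCT 0000 0012 3456 78",
    "address": "12 Harbour Road, Leeds",
}

def normalise(value):
    """Ignore case and whitespace so formatting alone never counts as a change."""
    return "".join(value.split()).lower()

def compare_invoice(invoice, master, lookalike=0.85):
    """Classify each payment field as 'match', 'lookalike' or 'changed'."""
    findings = {}
    for field, trusted in master.items():
        seen = normalise(invoice.get(field, ""))
        trusted = normalise(trusted)
        if seen == trusted:
            findings[field] = "match"
        elif SequenceMatcher(None, seen, trusted).ratio() >= lookalike:
            # Nearly identical values are the edits a human reviewer misses.
            findings[field] = "lookalike"
        else:
            findings[field] = "changed"
    return findings

def needs_callback(findings):
    """Any non-matching field means: confirm at the established phone number."""
    return any(status != "match" for status in findings.values())

# Constructed incoming invoice: one character swapped in the email domain,
# two digits transposed in the account, address reformatted but unchanged.
INCOMING = {
    "name": "Northwind Components Ltd",
    "email": "billing@northwlnd-components.example",
    "account": "ACCT 0000 0012 3465 78",
    "address": "12 harbour road,  Leeds",
}

if __name__ == "__main__":
    result = compare_invoice(INCOMING, VENDOR_MASTER)
    for field, status in result.items():
        print(f"{field:8} {status}")
    print("callback required:", needs_callback(result))
```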
Evolving alongside invoice fraudsters
Sadly, the tide of invoice fraud is constant and not fun to surf. There is not a single holistic solution to the problem, as neither education nor technology can guarantee a 0% invoice fraud rate. Even if a seawall is erected around the shores of your company, it will take time to find the inevitable leaks, and when they’re filled, new ones will spring forth, leaking revenue.
The reality of this means that even SMBs cannot afford to neglect their due diligence when onboarding business associates and contractors. Keeping the existence of invoice fraudsters at the back of your finance team’s mind is important, as is a software solution that can augment their due diligence abilities, but the real danger is complacency. No matter how well equipped your finance people are, fighting invoice fraud is an inherently reactive space, so a team that stays on its toes – rather than rests on its laurels – will always be safer and more profitable.
At SEON, we strive to help online businesses reduce the cost, time, and challenges faced due to fraud. Whether you are a global financial leader or a small eCommerce startup, our solution simplifies fraud management so you can focus on what matters: growing and scaling your company.