Imagine for a moment that you are sitting at your desk at work: your email pings, alerting you of a new message from a supplier your company works with frequently. You open this email to read that they are switching to bank ABC. They need you to update the information in the system immediately. You do your normal checks of the email: branding, spelling, and logos all check out. With those things in place, you update the banking information and reply that you have complied with the request. The next time an invoice comes in, it is paid in a timely manner. You send the money to the updated account. Everything seems to be running smoothly, right? It is…until your company gets a call from your supplier asking why they have not received recent payments.
Now imagine the opposite side of this attack. Malicious attackers have done their research on your company. Via open source intelligence (OSINT) they have found suppliers that your company works with. They use this information to craft a phishing email that is very convincing. They receive confirmation that the bank on the account has been changed to one the attackers own. Now they sit back and wait for you to pay your most recent invoice. They might even send you a specially crafted invoice of their own. This crafty example of invoice fraud is not far-fetched; in fact, it is something your company could face and not know about until it has already happened.
What is it?
Invoice fraud is when a company is tricked into switching the bank account information for a sizable payment, typically via a phishing email. Invoice fraud is often considered a low-risk crime by fraudsters and is increasing at alarming rates, mostly because it is often very hard to trace. Despite the increase in crime, many companies are still in the dark. According to a recent survey done in the UK, over 43% of businesses don’t even know of the existence of invoice scams. The same survey reports that in 2018, $122 million was lost to invoice scams alone, with only one-third of the losses recovered.
Invoice Scam Victims
Between 2013 and 2015, a Lithuanian man orchestrated a phishing campaign in which he targeted employees at two large companies, Facebook and Google. He sent spoofed invoices from a supplier that both companies used, Taiwanese computer maker Quanta Computer. Prior to sending these invoices, the man registered a company in Latvia under the same name to make the funds requests more believable. How sophisticated were these attacks? The 50-year-old man forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and employees of Google and Facebook, and which bore false corporate stamps embossed with the companies’ names.
Before being caught, the man managed to obtain $23 million from Google and $98 million from Facebook. Google has reported they were able to recover all of the lost funds. Facebook reports that they were only able to recover “most” of it.
In March 2019, the US-based company Diesel Jeans filed for bankruptcy. The company cited multiple incidents of invoice fraud over the span of three years, which led to the company losing $1.2 million and added to its already mounting financial troubles.
Is Your Company Vulnerable?
A UK finance survey states that in 2018, “smaller firms were less likely to have experienced invoice fraud, about one in twenty being targeted, compared to one in four larger firms.” Given those statistics, it can be said that every company has the potential to receive fraudulent invoices, no matter its size. This survey also states that the use of social engineering to obtain personal and financial information was a major contributor to fraud losses. Businesses today cannot simply ignore this threat, as the reputational and financial losses stand to be great. So, how can you shrink your target size?
Many policies can be put into place to help slow down a malicious attacker, such as:
- Any financial change to an account must be verified with the contact email or phone number that is already on file (not the contact details given in the request itself).
- Have a multilayer approval system for any financial changes to an account.
- Check bank statements frequently, immediately reporting anything suspicious to your financial institution.
- Regularly evaluate what information can be found about your company via the web:
  - Does your company list its suppliers on its website?
  - Do you have strict social media policies in place that prohibit employees from discussing business suppliers online?
  - Does your supplier list your company as one of its customers?
  - If such disclosure is required, train all employees that the vendor may disclose it does business with you, which raises your chances of receiving fraudulent invoices.
- Use strong passwords and Multi-Factor Authentication (MFA) to make it harder for an attacker to gather information.
- Implement a strong security awareness program that includes training and educating your employees on the risks and dangers of invoice fraud. BONUS TIP: If your company receives a fraudulent invoice, you can report it to the FBI’s Internet Crime Complaint Center (IC3) to help alert others to the scam.
Employees are the first line of defense when it comes to invoice fraud. Training employees on how to recognize these threats, as well as what their actions should be if they even suspect that something may not be right, will help catch this fraud before it can do any damage. Employees should be taught how to check for spoofed addresses. They should know the reporting process if such an email is received. Training programs such as Social-Engineer, LLC’s Phishing-as-a-Service can help train your employees to recognize such attacks and protect your company. Keep your finances protected from this rising threat!
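As an added example (not code from the original post or from Social-Engineer, LLC), here is a small Python screen that applies the checks above to an incoming vendor email: the sender's address is compared with the vendor contact already on file, a Reply-To that points elsewhere is flagged, and payment-change wording is called out for out-of-band verification. The vendor directory, domains and message are constructed sample data.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed "on file" vendor directory: display name -> domain verified out of band.
VENDORS_ON_FILE = {"Acme Supplies": "acme-supplies.example"}
# Wording that typically accompanies a payment-redirection request.
BANK_CHANGE_PHRASES = ("new bank", "updated bank", "bank details", "remit", "wire")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an email address; empty string if malformed."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def screen_message(raw: str) -> list[str]:
    """Return the red flags found in a raw RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags = []

    # 1. Display name claims to be a known vendor, but the address is not the one on file.
    expected = VENDORS_ON_FILE.get(from_name.strip())
    if expected and domain_of(from_addr) != expected:
        flags.append(f"sender domain {domain_of(from_addr)!r} does not match "
                     f"{expected!r} on file for {from_name!r}")

    # 2. Replies would go somewhere other than the visible sender.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        flags.append(f"Reply-To domain {domain_of(reply_addr)!r} differs from From")

    # 3. The message asks to change where money is sent: verify by phone, on-file number.
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(p in text for p in BANK_CHANGE_PHRASES):
        flags.append("requests a change of payment details; confirm with the phone "
                     "number on file, not with contact details in this email")
    return flags


# Constructed sample: a lookalike domain ("supp1ies") and a different Reply-To.
SAMPLE = """\
From: Acme Supplies <accounts@acme-supp1ies.example>
Reply-To: billing@mail-relay.example
Subject: Updated bank details for invoice 4471
Content-Type: text/plain

Please remit all future payments to our new bank account (details attached)."""

if __name__ == "__main__":
    for flag in screen_message(SAMPLE):
        print("WARNING:", flag)
```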