The transformation of the workforce from on premises to remote, hybrid and a vast array of arrangements accelerated in the past two to three years. Even today as millions return to on premises jobs, many business communications and operations occur electronically. This explosion of digital communications brings with it another explosion: business email compromise. In this installment of articles detailing the increase in BEC we’ll talk about invoice fraud and how to protect your interests against it.
According to a Mimecast report, 2022 State of Email Security, using data commissioned from the research firm Vanson Bourne[1], 2021 was the worst year on record for cybersecurity. Just as COVID continues, two years later, to mutate, so too do the “viruses” attacking business communications.
The report states that data breaches due, at least in part, to phishing accounted for 36% of attacks against businesses. Ransomware was unleashed resulting in the average ransomware payment of $570,000 in the first half of 2021, up from $312,000 in 2020. The average data breach cost $4.24M. Threat actors saw the vulnerabilities and made the most of those opportunities.
While business email compromise takes many forms, one threatens a significant number of companies: Invoice Fraud. The FBI Internet Crime Center’s Annual Report for 2020 states business email compromise schemes continued to be the costliest with 19,369 filed complaints at an adjusted loss of approximately $1.8B. Many of these attacks took the form of Invoice Fraud.
In a typical invoice fraud, the hacker establishes a “man-in-the-middle” position to monitor the usual transactions and payment processes between the target and other parties. The attacker then sends a convincing “spoofed” invoice or asks for a wire transfer for services rendered. Often, an accounting office doesn’t realize the request or invoice is fraudulent and releases the funds. These “spoofed” invoices and impersonator emails contain subtle but noticeable errors such as blurred or off-color logos, minuscule changes to an email address, or spelling errors.
Mid- to large-sized businesses are at particular risk due to large teams and a higher volume of invoices. In addition, not all companies acknowledge the need to build cyber resilience. Cyber resilience can be defined by how well the company identifies and prevents threats and how quickly it can recover from those that get through its protections.
The Skillcast July 2020 blog “10 Ways to Protect Your Company Against Invoice Fraud” provides simple but effective manual means to prevent invoice fraud.
- Establish at least two designated contacts with all regular suppliers.
- Always check any change of bank account or payment arrangements directly with the supplier.
- Don’t be pressured into processing payment without diligent checking. Threat actors often try to insert urgency into the request, betting that accounting staff will forego protective measures even though they know better. Take the pressure off the situation by taking control of it.
- Scrutinize all invoices you receive – fraudulent communications contain subtle but noticeable differences such as misspellings, logos that are blurred or slightly different in color. Fraudulent invoices may also include bank details when valid invoices did not. Slight changes in email addresses or a new signatory can also suggest fraud.
- For substantial payments, insist on meeting or talking to your contact first, not the contact named in the questionable communication.
- Always send confirmation of payment made to your supplier so that it is credited to the correct account.
- Think twice before publishing details of your suppliers online.
- Maintain confidentiality by never leaving invoices unattended or in public view.
- Consider other measures to help protect your financial dealings.
- Reconcile accounts regularly so that inaccuracies are detected more quickly.
In addition to these manual protections, it is also wise to integrate a system of checks throughout the accounting department to ensure that legitimate invoices get paid and illegitimate invoices trigger alerts. We also recommend incorporating a robust email protection solution to help protect against such cyber threats.
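The scrutiny checklist above (lookalike sender addresses, unexpected or changed bank details, a new signatory, pressure language) can be turned into an automated pre-payment check that raises the alerts the previous paragraph calls for. The following is an added example, not code from the original post or from any vendor product; the supplier record, the e-mail fields and the account numbers are constructed sample data.

```python
# Added example (not from the original post): flag the invoice warning signs
# listed above before payment is released. Sample data below is constructed.
from dataclasses import dataclass, field
from difflib import SequenceMatcher

URGENCY_TERMS = ("urgent", "immediately", "today", "final notice", "asap")

@dataclass
class Supplier:
    name: str
    domain: str                      # domain of the supplier's verified e-mail addresses
    bank_account: str                # account on file from previously verified invoices
    signatories: set = field(default_factory=set)
    invoices_carry_bank_details: bool = False

@dataclass
class Invoice:
    sender: str
    signatory: str
    body: str
    bank_account: str = ""           # empty string when the invoice lists no bank details

def check_invoice(inv: Invoice, sup: Supplier) -> list:
    """Return the alerts a reviewer should resolve with the supplier's known contact."""
    alerts = []
    sender_domain = inv.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != sup.domain.lower():
        # A domain only a character or two off the real one is the classic lookalike.
        ratio = SequenceMatcher(None, sender_domain, sup.domain.lower()).ratio()
        kind = "lookalike" if ratio >= 0.8 else "unknown"
        alerts.append(f"{kind} sender domain {sender_domain!r}, expected {sup.domain!r}")
    if inv.bank_account and inv.bank_account != sup.bank_account:
        alerts.append("bank account differs from the account on file")
    if inv.bank_account and not sup.invoices_carry_bank_details:
        alerts.append("bank details present although this supplier's invoices normally omit them")
    if inv.signatory not in sup.signatories:
        alerts.append(f"new signatory {inv.signatory!r}")
    hits = [t for t in URGENCY_TERMS if t in inv.body.lower()]
    if hits:
        alerts.append("pressure language: " + ", ".join(hits))
    return alerts

# Constructed sample: the supplier record on file and a spoofed invoice e-mail.
ACME = Supplier("Acme Ltd", "acme-supplies.com", "GB00TEST12345678", {"J. Patel"})
SPOOFED = Invoice("ap@acme-supp1ies.com", "M. Ross",
                  "Please settle this invoice today to the updated account below.",
                  bank_account="GB00TEST99999999")
GENUINE = Invoice("ap@acme-supplies.com", "J. Patel", "Invoice 4471 attached for payment.")
```

Any non-empty alert list should hold the payment until the change is confirmed with the supplier contact already on file, not with the person named in the suspicious e-mail.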
As dependence upon digital commerce grows, so too does invoice fraud. Contact us today to learn more about available tools to protect your company’s valuable assets.
References
[1] Mimecast commissioned research firm Vanson Bourne to conduct a global survey of 1,400 information technology and cybersecurity professionals from 12 countries. Participants were surveyed between October and November of 2021 from companies ranging in size between 250 to 500 employees and more than 10,000 employees.