How would your accounts payable team respond to a request from a supplier to change the bank details on an invoice?

You may feel confident they would check to verify the supplier’s identity. But what if the email appeared to come from you, as finance director, authorising the change? Would your team still follow the right processes?

Or could your organisation fall victim to one of the quickest growing areas of fraud, where criminals impersonate a senior executive to help get payments redirected to their own accounts?

Online data makes impersonation easier

Technology is making posing convincingly as a senior executive easier than it’s ever been before. Before they strike, organised criminal groups are carrying out extensive online research, ‘scraping’ publicly available data from the internet and social media to create a targeting pack. There is nothing new in this as an approach, but cheap and readily available tools are making it easier for criminals to do this at scale and with minimum investment of time or effort. This means they can launch an increasing number of attempts against an increasing number of targets that are much more convincing.  

This sort of research may reveal, for example, when the finance director is travelling, which criminals can exploit to make an unusual request to push through a payment before they land seem more plausible. Online research may also provide details of the relationship between an organisation and its suppliers – such as when payments are due – making it easier for fraudsters to masquerade as a bona fide supplier.

Coming soon to your organisation

All this has seen invoice fraud become one of the fastest-growing areas of cyber-enabled crime. In 2018, UK businesses lost almost £93 million to invoice fraud¹. Our own experience is that many of the organisations we work with have been targeted over the past year, including one that has lost several million directly.

Even if you are not a direct target, this type of fraud can also have a real impact if it occurs in your supply chain. We have seen businesses experience major cashflow issues because customers who have fallen foul of this fraud either then have insufficient capital to pay the real invoice that is still due, or payments are severely delayed while insurance claims are processed and blame attributed.

There are five actions you can take to reduce the risk of invoice fraud:

Minimise open information online

Having too much information about yourself publicly available online makes you an easy target. Review what you share online and remove anything that’s not necessary – do you really need individual contact details for senior staff for example or could you use a reduced number of contact points? The same goes for organisational data.

Secure access your corporate email

Implementing multi-factor authentication on your corporate email can be easier than you think, especially if you are migrating to Office365 and equivalents. This can dramatically reduce the chance of an attacker logging into your system remotely using stolen credentials to enable this sort of fraud. Our cyber team can currently access over 38 billion username/password pairs that are for sale by cyber criminals. When did you last update yours?

Few people would trust an online bank account now that did not have multi-factor authentication (eg password and access number generated on a phone app). If we protect our personal money in this way, why not our corporate accounts?

Make staff aware

Staff need to be aware of the danger of invoice fraud and clear about their responsibility to follow internal processes to verify any requested changes to an invoice with the supplier. Just as importantly, they need to be confident they will not get in trouble for following this process. This means contacting the supplier using their on-file details – not a link in an email or new phone number.

Even when no change to an invoice is requested, it is good practice to:

• check for irregularities, such as changes to supplier name and addresses, and invoiced amounts
• inform suppliers each time a payment is made (including details of the account the payment has been made to) and seek verification this has been received.

Ensure appropriate technical controls are in place

There are a range of technical controls that can help complement staff vigilance and increase protection. The most effective include the correct configuration of:

• Sender Policy Framework (SPF) – to detect forged sender addresses in emails
• DomainKeys Identified Mail (DKIM) – to check that an email claiming to have come from a specific domain was authorised by the domain owner
• Domain-based Message Authentication, Reporting & Conformance (DMARC) – gives email domain owners the ability to protect their domain from unauthorised use.

Does your organisation have these controls in place so staff and clients alike can verify that emails purporting to be from you are genuine? Do your regular suppliers have these in place to minimise the risk of an external attacker impersonating them?

Monitor your supply chain

How do you monitor suppliers coming into your network? Even if you think your supply chain and systems are secure, cyber criminals might spot an opportunity to attack you through third parties. Top tips for managing your supply chain risk include:

• calling a supplier directly to confirm details of payments before they are made (including details of the account the payment has been made to)
• use unique identifiers such as PO numbers
• ensuring you have appropriate Know Your Supplier controls in place to verify contact details for those suppliers
• conducting regular reviews of invoices paid and supplier details over time.

No business is immune and invoice fraud is an increasingly popular crime. Cyber security doesn’t need to be masked in jargon or require investment in expensive, complex solutions to reduce your risk of exposure. Our cyber health check can help you start your journey to understand your current state, detect threats and implement robust defences.

References

1. £93m lost to invoice scams in 2018, says Finance UK, Accountancy Today, 2019