It’s a type of fraud you might not have heard of, but it’s becoming increasingly common and you need to be aware of what might happen so you can react quickly when it does.
What is it?
Also known as ‘invoice hijacking’, it occurs where a criminal impersonates a supplier in order to deceive the customer into paying the supplier’s genuine invoice into a fraudulent third-party account instead of the supplier’s own.
There are a variety of ways that criminals can convince customers that the deceitful invoices are real. The criminal will collect information about the relationship between the supplier and customer through various means, such as:
Hacking of either the customer’s or the supplier’s email account to intercept correspondence relating to the payments due and to obtain the contact details of the person at the customer organisation who deals with making the payments.
Obtaining information via a dishonest insider within either organisation, or the insider being the criminal themselves.
Posing as a representative of the customer by using an email address very similar to that of the customer, such as by using ‘.com’ instead of ‘.co.uk’ in the domain, in order to request from the supplier a copy of any outstanding invoices and the supplier’s genuine bank account details.
Conducting research of publicly available information relating to either the customer or the supplier.
When the criminal has obtained the information, they will then pose as the supplier and direct the customer to pay the invoices into a ‘new’, fraudulent account instead of the supplier’s ‘old’, genuine account. The criminals rely on the fact that many people will not take the time to assess whether the redirection is a genuine request from the supplier and will simply proceed with the payment to the fraudulent account.
Often, the customer may not even be aware of the fraud until the supplier enquires about the genuine invoices not being paid. At that point, recovery of the funds becomes more difficult as the money is likely to have been transferred from the fraudulent account, perhaps even being sent abroad. Even if payment has been made by the customer in good faith to a third party, this does not release the customer from their contractual liability to still make the payment to the genuine supplier.
When a customer makes a payment as a result of a scam or invoice fraud, the first step will usually be to contact their own bank and the bank holding the account that received the payment immediately, so that the banks can attempt to prevent the dispersal of the funds. The customer should also report the fraud to the police.
Where it is not possible to prevent the payment through the bank, urgent recovery by civil means is vital. An urgent freezing injunction should be obtained to try to secure the money. This is a court order which freezes the account into which the money has been paid, to prevent the dispersal of the funds. However, in many cases the funds will already have been moved straight on to another account.
A disclosure order (also known as a Bankers Trust order) should also be obtained in order to identify the criminal. This requires the bank to disclose information about the holders of the account and assists in tracing the funds.
The customer should then contact their genuine supplier to inform them of the circumstances and explain the delay in the payment being made. In practice, this can help to prevent the genuine supplier from taking legal action against the customer to recover the debt owed. It is beneficial to the customer if the supplier allows a delay, as it enables the customer to assess their options and discover the likelihood of recovering payment from the fraudulent account.
Both organisations should then investigate how the problem has arisen and how their policies could be adapted, in order to prevent a similar situation in the future.
It is essential for organisations to ensure that there are adequate processes and procedures in place to avoid invoice fraud, such as never leaving sensitive information like invoices unattended. The key to prevention is to make sure that all staff are aware of this type of scam and the organisation’s procedures. Training can help to identify and prevent invoice fraud. In particular, organisations should ensure that staff who pay supplier invoices and who have the authority to change supplier details are vigilant.
Staff should be taught how to examine every invoice received, as there may be subtle variations. Criminals are able to change logos, account details, telephone numbers and email addresses in ways that are easy to miss. Suspicious invoices should then be compared with invoices staff know are real.
Staff should be trained to always check with suppliers about any sudden changes to financial arrangements, such as a change in bank details. Where this happens, it is important to contact the supplier, preferably by telephone to a known contact using a number already held on file, never a number taken from the email or invoice requesting the change. Email should not be used for the check, in case the email account has been hacked.
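The two checks described above (a sender domain that is a near-match for the supplier’s, and bank details that differ from what is already on file) can be applied automatically before an invoice reaches the person who authorises payment. The following Python is an added example and is not part of the original article; the supplier master record, the supplier name, its email domain and the sort code and account number are all constructed for illustration, and the lookalike-domain rules (same name with a different suffix, or a domain within two edits of the known one) are this example’s own heuristics.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed supplier master record: hypothetical supplier, domain and
# bank details used purely for illustration.
SUPPLIER_MASTER: Dict[str, Dict[str, str]] = {
    "acme supplies ltd": {
        "email_domain": "acmesupplies.co.uk",
        "sort_code": "12-34-56",
        "account_number": "12345678",
    },
}


@dataclass
class Invoice:
    """Fields extracted from an incoming invoice email (constructed input)."""
    supplier_name: str
    sender_email: str
    sort_code: str
    account_number: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value points at a typo-squatted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def digits(s: str) -> str:
    """Keep only digits so '12-34-56' and '123456' compare as equal."""
    return re.sub(r"\D", "", s)


def domain_alert(sender_domain: str, known_domain: str) -> Optional[str]:
    """Return a warning if the sender domain is not the supplier's known domain."""
    sender, known = sender_domain.lower(), known_domain.lower()
    if sender == known:
        return None
    # Same name with a different suffix, e.g. '.com' in place of '.co.uk'.
    if sender.split(".")[0] == known.split(".")[0]:
        return f"sender domain '{sender}' uses a different suffix from the known domain '{known}'"
    # One or two character changes, e.g. a dropped or swapped letter.
    if edit_distance(sender, known) <= 2:
        return f"sender domain '{sender}' is a near-match for the known domain '{known}'"
    return f"sender domain '{sender}' does not match the known domain '{known}'"


def screen_invoice(inv: Invoice,
                   master: Dict[str, Dict[str, str]] = SUPPLIER_MASTER) -> List[str]:
    """Compare an invoice with the master record and return every alert raised."""
    record = master.get(inv.supplier_name.strip().lower())
    if record is None:
        return [f"no master record for supplier '{inv.supplier_name}': verify before creating one"]
    alerts: List[str] = []
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].strip()
    domain_msg = domain_alert(sender_domain, record["email_domain"])
    if domain_msg:
        alerts.append(domain_msg)
    if (digits(inv.sort_code) != digits(record["sort_code"])
            or digits(inv.account_number) != digits(record["account_number"])):
        alerts.append("bank details differ from the master record: confirm by telephone "
                      "using a number already on file, not one taken from this email")
    return alerts


if __name__ == "__main__":
    # Constructed sample invoices: one genuine, one redirecting to a new
    # account from a '.com' lookalike, one from a misspelt domain.
    samples = [
        Invoice("Acme Supplies Ltd", "accounts@acmesupplies.co.uk", "12-34-56", "12345678"),
        Invoice("Acme Supplies Ltd", "billing@acmesupplies.com", "87-65-43", "87654321"),
        Invoice("Acme Supplies Ltd", "accounts@acmesuplies.co.uk", "123456", "12345678"),
    ]
    for inv in samples:
        print(inv.sender_email, "->", screen_invoice(inv) or ["no alerts"])
```

Any invoice that raises an alert should be held until the bank details have been confirmed by telephone with a contact already on file; the screen is there to stop the payment reaching a human approver without that step, not to replace the call.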
When making a payment, it is good practice to inform the supplier of the details of the payment made, including the name of the beneficiary bank and the last four digits of the account number to which payment was sent. This allows the supplier to spot a payment made to the wrong account and alert the customer quickly, so that action can be taken without delay.
The organisation should also consider what information about the business is publicly available. Some organisations, for example, may publish the phone number and email addresses of all their employees in a staff directory. The organisation should carefully consider whether it is actually necessary to publish this information and assess the risk of it falling into the hands of potential fraudsters.
Finally, it is important for organisations to ensure that their IT systems and antivirus software are kept up to date, and that computer systems and email accounts are adequately secured. It may be beneficial to the organisation to provide regular refresher training on security, IT and data protection.
This case shows what can be achieved if the victim of the fraud is very quick off the mark and takes action immediately.
World Proteins, a Hungary-based company, received two legitimate invoices and several legitimate emails relating to outstanding payments from one of its suppliers. The supplier’s email account was then hacked, and several fake emails were sent to World Proteins. The hacker included a chain of authentic emails within the fake ones to add credibility to their communications.
Once they had established themselves, the hacker then claimed that the supplier had a new bank account (actually a fake one under the control of the hacker) and asked for two outstanding invoices to be paid into the fake account, in the sum of €1.5 million and €500,000 respectively. When World Proteins realised what had happened, they acted immediately, recalling the €1.5 million but they were unable to do the same for the €500,000 payment. They issued an urgent claim for the €500,000 and applied for a freezing injunction in respect of the fraudster’s bank accounts.
Through this action and the granting of a freezing order, the fraudster was ultimately identified and €350,000 of the payment was recovered.
rradarstation is a resource available through the AXA MLP. Policyholders can access rradar’s legal advisory team by telephone or email, and a web portal provides over 1,000 articles, step-by-step guidance sheets, forms, sample letters and templates to download relating to running a commercial business.