What is invoice redirection fraud, and who is liable for the losses?
Introduction:
Understanding who bears the financial responsibility is crucial if your business accidentally pays a fraudulent invoice. In an increasingly digital world, businesses face a growing threat from cybercriminals, particularly through invoice redirection scams. These scams involve fraudsters hacking email systems or intercepting communications to send altered invoices with fraudulent banking details.
Highlighting the significance of this issue locally, the Australian Competition and Consumer Commission (ACCC) reported that Australian businesses lost over $132 million to business email compromise scams in 2019 alone.
This stark figure underscores businesses' importance in bolstering their defenses against cyber threats. In this blog, we will navigate the complexities of invoice redirection fraud, examining who is liable when such a scam occurs and offering strategies for prevention and protection.
Key takeaways
Invoice fraud entails criminals tricking businesses into sending money to fraudulent accounts instead of legitimate suppliers.
Methods of invoice fraud include phishing emails and hacking into genuine supplier email accounts.
Adopting e-invoicing is recommended to enhance transaction security and prevent invoice fraud.
What is invoice redirection fraud?
Invoice fraud is a scam where criminals trick a business into sending money to them instead of the actual supplier. Imagine you're a business that buys things from other companies, and you usually pay them by transferring money to their bank account. In this scam, the bad guys pretend to be one of your usual suppliers or someone you usually pay money to.
They might call you or send an email that looks very real, saying, "Hey, we've changed our bank account. Please send the money for your next payment to this new account." But this new account belongs to the criminals, not your actual supplier.
So, when you think you're paying for the goods or services you received, you're giving your money to thieves. This scam is particularly sneaky because everything seems legitimate, and you might not realise you've been fooled until your real supplier asks why they haven't been paid.
How does invoice redirection fraud occur?
Invoice fraud occurs primarily through two significant methods, detailed below:
In phishing scams, scammers create fake emails that look like they're from a real supplier with an almost identical email address. These emails falsely tell businesses that the supplier's bank details have changed and ask them to send payments to a new account belonging to the scammer.
The emails are very convincing, often using advanced technology to make them appear legitimate, making it hard for businesses to spot the fake. When a business is fooled into sending money to the scammer, the real supplier isn't at fault since their email system wasn't hacked. This means the business has limited ways to recover the lost money, typically through their bank or insurance, but there's no guarantee of getting the money back.
This method, also known as a business email compromise attack, involves a scenario where a supplier's email system is hacked, and a fraudster gains access to the real email accounts of the supplier. Using this access, the scammer emails the supplier's customers, making it look like they are coming straight from the supplier.
They instruct the customers to make their usual payments into a new bank account, often justified as a routine change in banking details. Trusting the request's authenticity, the customers send their payments to this new account, which belongs to the fraudster.
Due to this deceptive scheme, the payments meant for the supplier are diverted to the scammer. Consequently, when the supplier reaches out to collect the payments they are owed, they find that the money has not been received.
This situation can lead the supplier to conclude that the customer has not complied with their contractual obligations by failing to pay the correct party. In response, the supplier may seek legal recourse against the customer to recover the outstanding payments.
Who is liable to pay?
Research indicates there are various approaches to who can be held responsible when facing an invoice interception scam. Here are a few:
In many instances, the initial stance is that the customer may still be liable to pay the supplier if the latter has not received the payment, especially when goods or services have already been delivered. This perspective is grounded in the principle that the obligation to pay for received goods or services remains with the customer, provided the supplier has not been paid.
However, there's also a consideration for the supplier's role in ensuring secure transactions. They could be liable if the supplier failed to implement adequate security measures or was negligent in protecting their payment information. The argument here is that suppliers have a duty of care to secure the transaction process and protect their customers from fraud.
Legally, the person committing the fraud is, without question, liable for their actions. However, the practical recovery of funds from fraudsters is often challenging and unlikely, leaving the victim parties (supplier and customer) to address the financial loss.
Resolving the loss often involves negotiations between the supplier and the customer. Solutions include splitting the loss, with both parties agreeing to bear a portion of the financial burden, or finding other settlement terms that consider the specific details and responsibilities in the transaction process.
How does e-invoicing make invoices safer and easier?
E-invoicing is a digital way to send and receive invoices that help businesses avoid scams and makes handling invoices easier and safer. Here's how it works:
E-invoicing allows invoices to be sent and received through a secure network. This means less chance for scammers to intercept and change invoice details to steal money.
Before an e-invoice is delivered, it undergoes a verification process to confirm its authenticity and sender. This measure is taken to avoid paying fraudulent invoices crafted by scammers.
E-invoices are encrypted, turning into a code only the sender and receiver can understand. This stops unauthorised people from seeing or changing the invoice information.
Each e-invoice has a digital signature that confirms who it's from. This is like a digital stamp of approval that says the invoice is genuine and hasn't been tampered with.
E-invoicing reduces the time it takes to process invoices and reduces mistakes. This means businesses can pay and get paid faster without the errors that can happen with paper invoices.
Additional strategies to prevent invoice fraud
Here are a few steps strategies you should follow to prevent invoice fraud:
Awareness is the first defense against invoice fraud. Educate your team about the risks of invoice fraud and how it typically occurs. This includes understanding fraudsters' tactics, such as phishing emails or pretending to be suppliers. Training should be ongoing to keep up with new fraud techniques.
After raising awareness, implement strict verification processes for payment details or new invoice changes. This could involve calling the supplier directly using a verified phone number (not the one provided in the potentially fraudulent communication) to confirm changes. This step ensures that any request to change bank details or payment instructions is legitimate.
Strengthen your payment processes by requiring multiple levels of approval for payments, especially for large amounts. Use multi-factor authentication (MFA), where possible, to add an extra layer of security. This means that even if a fraudster attempts to redirect a payment, they must bypass several checkpoints, making it much harder to succeed.
Continuously update your security policies and procedures to adapt to new threats. This includes ensuring that your cybersecurity measures are robust and that your team follows the best data protection and payment processing practices.
Implement technology solutions such as firewalls, anti-virus, anti-malware, and email filtering to detect and block fraudulent activity. These tools can help prevent phishing emails from reaching your employees and detect anomalies in payment requests.
Use Security Operations Center (SOC) or Endpoint Detection and Response (EDR) solutions to monitor your network for suspicious activity. This allows you to identify and shut down potential threats before they can cause damage, including attempts at invoice fraud.
Finally, consider obtaining insurance coverage for cyber fraud and familiarise yourself with the legal steps to take if you fall victim to invoice fraud. This ensures you can recover losses more effectively and act against fraudsters.
Final note!
Although there is little formal legal authority in this area, it is clear that businesses need to protect themselves against supplier invoice fraud. This includes adopting e-invoicing for safer transactions and educating your team about fraud risks.
Additionally, diligently checking any changes in payment details is crucial. For enhanced protection, CleanSlate's professional bookkeeping services offer an effective solution.
At CleanSlate, our team of experienced bookkeepers employs the latest technologies and strategies to protect your financial transactions from invoice fraud. We meticulously manage your books and vigilantly monitor for fraudulent activities, ensuring your business's financial security.
With CleanSlate, you're not just getting bookkeeping services; you're investing in peace of mind and the financial integrity of your business. Reach out to us today to strengthen your defenses against supplier invoice fraud.
