Another day, another full inbox. You quickly browse through your e-mails, spending a few seconds on each subject: newsletter, advertising, spam, spam, advertising… oh, this one is an invoice. The sender seems legitimate, a long-time supplier, but the invoice looks overdue. You diligently forward it to the financial department, with a quick note: Make the payment today, please! What you think you’ve done is help your colleagues pay a late invoice. What you’ve actually done is help your company get defrauded. Unfortunately, you are not alone…
More and more companies are being defrauded through Business E-Mail Compromise (BEC) frauds. In fact, a recent UK survey showed that the country lost no less than £93 m to invoice fraud in 2018, but only 4 out of 10 ten companies were aware of the issue. Things are no better in the rest of Europe, with a report on payment fraud showing that invoice fraud is on the rise.
In fact, some countries, such as Belgium, put entire programs in place trying to convince small businesses to adopt electronic invoices (in accordance with the new EU legislation), in order to prevent invoice fraud.
But what exactly is invoice fraud and how can it affect your company?
While malicious files and phishing attacks have been around since the beginning of the Internet, financial documents made things a bit more complicated. Invoices don’t just carry information, but also monetary value, which makes them a prime target for scams like:
Executive Fraud: Using a fake e-mail address or a compromised one, cybercriminals pose as the CEO or the CFO of the company and request money from the financial department. This technique can target all types of organizations, and last year a group of hackers targeted no less than 35,000 CFOs with such a scam.
Supplier E-Mail Interception: The attacker has access to either the supplier’s e-mail domain or to a very similar one. He requests a payment with an invoice that’s highly similar to what a buyer might expect to see or, in some cases, he simply requests changing the payment details on one. This is also a very common tactic (affecting huge companies as well as SMEs), since many small suppliers don’t use secure e-mail channels and these e-mail messages don’t always feature suspicious attachments.
Buyer E-Mail Interception: The attacker has access to an internal e-mail address (either by hacking or by social engineering) and intercepts a legitimate invoice from a supplier. Afterwards, the cybercriminal replaces the invoice details with the attacker’s payment details and sends it to the buyer’s financial department to request a payment, often using the same hacked address and what looks like a legitimate invoice. If the number of invoices a company sends is very high, such attacks can go unnoticed for months.
Invoice Approval Hacking: Many companies that use e-mail invoices have some sort of approval and payment process in place. These processes are at their most vulnerable when the payment is finally made. Scams that exploit this are also called “Payment Notification Scams” as the messages sent by the attackers confirm fictional or real goods deliveries and request instant payment. Some of the more complex ones even promise discount for early payments.
Aside from these widely encountered techniques, attackers might try to impersonate attorneys, accounting companies, and auditors or simply plant malicious files (disguised as invoice files). Even if their attacks do not succeed, intercepting an invoice can offer cybercriminals a lot of financially important data about a company. And this is one reason why so many of them choose e-mail as a prime target. The other is that e-mail fraud has minimal or no costs for the attacker.
So, what can you do to prevent it?
- Use E-mail as Little as Possible to send invoices and rely on more secure transfer methods.
- Check Supplier Credentials before authorizing any sort of payment.
- Use an Electronic Catalog to make sure prices on the invoices are the prices you agreed upon.
- Use 3-Way Matching to match each invoice to a purchase order (PO) and goods receipt. This makes it easy to identify real invoices and hard to counterfeit them.
- Make Use of Reporting and compare a certain period with other, similar, periods from the past. You will immediately notice suspicious invoice volumes or values.
- Establish Business Rules and, based on them, check for certain details (like product codes) of an invoice and check them in your ERP.
- Check for Duplicates, or for highly similar invoices sent over a short period of time (invoice duplicating is highly favored by attackers).
- Set Approval Flows and Status Messages to know at each moment what the status of the invoice is.
- Speed Up the Approval Process, in order to prevent invoice stacking (the more invoices you have to approve and pay, the less attentive you will be).
- Ask for Confirmation, when not sure about the person who authorized a payment.
- Use Payment Reconciliation to see what was invoiced and what was paid each month.
- Secure the human factor by holding compliance and security trainings, and teach your employees to better handle electronic documents.
- Minimize human work by using automation as much as possible for your repetitive processes.
- Use trusted cybersecurity techniques and platforms. Constantly check your domains for blacklisting using paid or free tools such as MX Lookup.
How can electronic invoicing help?
Automating your electronic invoicing system and, even more, your AP and O2C processes can save you a lot of time and worries. By sending and receiving invoices and attached documents through an automated system you will not only eliminate manual work. You will also significantly speed up approval processes and gain full control and visibility into your transactions.
Automation systems such as our DocXchange platform can easily implement business rules and n-way matching, as well as customized approval flows. Not only that, but by pairing them with a solution such as DxCatalog (master data harmonization) and DxArchive (a secure and compliant archive) you will secure the entire document processing chain, not just the invoicing process. Error checking will also be a part of the deal, so, aside from fraud, negligence will also be eliminated from your AP process.
And the best part? Your Inbox will never be involved in the process! Our solutions can integrate directly with your existing ERP or offer you a secure web-form in which to process your documents. So, why not give our consultants a call?