In honor of Halloween, we'll begin today's blog post with a scary story.
Like all great scary stories, this story draws from actual events. Be warned: this story is not for the faint of heart. By the end, the thought of invoice fraud will genuinely haunt you (if it isn't haunting you already). The good news is, there are ways to ensure you don't end up in a real-life invoice fraud nightmare.
It's a beautiful fall day, October 31st to be exact, and you're going about your routine, trying to approve invoices and keep your files organized, when you come across something that looks a little odd.
An invoice comes in from a company you recognize, sent from an email address you're familiar with, from someone you work with regularly. What catches your attention is this — the amount is significantly larger than what it usually is, and you're pretty sure you already paid it.
You think about it for a little while and start digging through your records for proof to back up your suspicions. Eventually, you realize that you have paid the company already. But it was a separate branch and a different invoice. This invoice is for the New York office, and that branch uses different payment information. Thinking that explains everything — that this is another payment that hasn't been paid yet — you approve the invoice, file it away, and go on about your day without another thought.
And just like that, you have become a victim of invoice fraud.
Spooky, isn't it? And not just because it's Halloween.
Invoice fraud is a prevalent nightmare for controllers, CFOs and finance professionals year-round. To think that hackers and scammers can easily mimic personas employees are not only familiar with, but interact with regularly is more than a little alarming.
The risk in emails is one that most business professionals are aware of. Modern companies have annual webinars and classes on how dangerous it is to click links in emails from unknown senders. What is often missed is that scammers have gotten craftier and can now trick you into thinking a known sender sent the email.
TechRepublic found that in the third quarter of 2020, the median number of BEC attacks received per company each week rose by 15% from the previous quarter.
Invoice fraud is a popular method for fraud because it offers the highest amount of bang for the buck. For large corporations that have hundreds of vendors and invoices, it's all too easy to slip a fake invoice (or several) into the mix and get it paid out.
Even tech giants like Google and Facebook have been taken advantage of. During the last week of March 2019, a man from Lithuania pleaded guilty to bilking over $123 million from Google and Facebook over the span of a few years. Not only is that an incredibly large sum of money, but it's also a long time for a scammer to go completely unnoticed.
A survey by KPMG determined that internal and external audits only have a 58% chance of catching fraudulent activity. What's even more concerning is that of the 58% of the time that fraud is detected, on average, businesses only regain 25% of their missing funds. That's essentially a 50/50 chance to recover 1/4th of what they lost. Regardless of the amount taken, those aren't great odds.
That's why businesses need to take the precautions to protect themselves from invoice fraud at all costs.
Protection starts by understanding how fraudsters get away with it. I'll give you a hint: it's a lot easier than you think.
In a typical invoice fraud, hackers take over or convincingly spoof the email address of a known business partner, like an attorney or vendor. The criminal may carefully monitor the usual interactions and payment processes between the business and the other party. Then, the criminal sends a convincing invoice or asks for a wire transfer for services rendered. Often, the business’s accounting office doesn’t realize it’s fraud and releases the funds.
In the case of Google and Facebook, the man from Lithuania forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents, and which bore false corporate stamps embossed with names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.
This demonstrates why mid to large-sized businesses need to be especially careful. Larger teams and additional invoices lead to greater margin for error and higher potential for exploitation, especially if a fraudster attacks a business still utilizing manual processes for invoice tracking, matching, and payment processing.
Relying on manual processes for invoice tracking makes it difficult for you and your finance staff to accurately account for which payments went out and which line items the payments were associated with.
Manual payment processes make it easy for fraudsters to fabricate invoices with familiar but fake information. If the payer isn't able to quickly and accurately trace the money trail and locate past invoices and payment methods, the chance of approving fraudulent invoices drastically increases.
This is where the tools that empower you to protect your firm come into play.
Fortunately, technological advancements in payment processing and payment automation are making it increasingly difficult for business email fraud and invoice fraud to continue to survive. As more businesses move away from manual processes and transition to payment automation solutions with bank-level security, invoice matching, permissions, access restrictions by user, and dollar amount limitations, we should see a steady decline in the amount of fraudulent activity reported by mid to large-sized companies.
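To make those controls concrete, here is a small added example (not code from this post or from any payment product) that applies invoice matching and a dollar limit to the invoice from the opening story. The vendor record, account labels, limit, and 2x threshold are all constructed assumptions.

```python
from statistics import median

# Constructed vendor master record and payment history (hypothetical data).
VENDOR_MASTER = {
    "ACME-001": {
        "name": "Acme Supplies",
        "bank_accounts": {"ACCT-ON-FILE-0001"},  # verified out-of-band
        "paid_invoice_numbers": {"INV-1001", "INV-1002", "INV-1003"},
        "past_amounts": [4200.00, 3900.00, 4500.00],
    }
}

APPROVAL_LIMIT = 10_000.00  # assumed per-approver dollar limit
AMOUNT_FACTOR = 2.0         # assumed: flag invoices above 2x the vendor median


def review_invoice(invoice, vendors=VENDOR_MASTER):
    """Return the reasons an invoice must be held for manual verification."""
    vendor = vendors.get(invoice["vendor_id"])
    if vendor is None:
        return ["unknown vendor"]
    flags = []
    # Invoice matching: payment details must match what is already on file.
    if invoice["bank_account"] not in vendor["bank_accounts"]:
        flags.append("bank details differ from vendor record")
    # Duplicate check: the same invoice number must never be paid twice.
    if invoice["number"] in vendor["paid_invoice_numbers"]:
        flags.append("invoice number already paid")
    # Amount check: compare against this vendor's own payment history.
    if invoice["amount"] > AMOUNT_FACTOR * median(vendor["past_amounts"]):
        flags.append("amount exceeds %.1fx vendor median" % AMOUNT_FACTOR)
    # Dollar amount limitation: large payments need a second approver.
    if invoice["amount"] > APPROVAL_LIMIT:
        flags.append("amount above approval limit")
    return flags


# Constructed invoices: the one from the story, and a routine one.
story_invoice = {"vendor_id": "ACME-001", "number": "INV-1004",
                 "amount": 18750.00, "bank_account": "ACCT-NEW-9999"}
routine_invoice = {"vendor_id": "ACME-001", "number": "INV-1005",
                   "amount": 4100.00, "bank_account": "ACCT-ON-FILE-0001"}

if __name__ == "__main__":
    for inv in (story_invoice, routine_invoice):
        print(inv["number"], review_invoice(inv) or "ok to pay")
```

An invoice that comes back with any flag is held until the vendor confirms it through a contact method already on file, not one taken from the email that delivered the invoice.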
Unfortunately, things are probably going to get worse before they get better, as many companies don't see a need to move away from their current payment processes. Per the FBI, business email compromise (BEC) scams are on the rise in 2020 due to the increased amount of remote working.
According to NPR, the FBI's Internet Crime & Complaint Center estimates companies were defrauded of more than $3 billion in recent years and they expect the fraud industry to continue expanding.
That's good news for hackers, who plan on using Mr. Rimasauskas' success as a blueprint to target more high-profile businesses for invoice fraud. Symantec posted a blog post outlining that over 6,000 companies are targeted for BEC and invoice fraud every month.
Symantec's article went on to say that there were over 20,000 companies who filed BEC and invoice fraud complaints in 2018. If 6,000 companies a month are being targeted and 20,000 a year are victimized, that means fraudsters are at about a 28% success rate. That's not great news.
Thankfully, small and large businesses alike are starting to take notice.
Skillcast posted a very informative blog post titled "10 Ways To Protect Your Company Against Invoice Fraud". While the article is written somewhat ambiguously from a payment process perspective, it's still a fantastic read. Industry leaders in FinTech, Finance, and law enforcement are digitally working on ways to eliminate email fraud and BEC.
On average, businesses that move to a secure payment automation software see a 99% success rate for data entry and invoice matching. With enough awareness about fraud, costs saved by paper elimination and payment automation, and easier system and process integration, eventually, manual processes fade away entirely. After all, paper checks, another tremendous source of fraudulent activity every year, are expected to be obsolete for use in B2B payments by 2036.
It's important to remember that technology is always advancing. While that's a good thing for the world of FinTech, and a lot of other industries, it also means that we must keep up with these advancements in order to stay efficient and to stay safe. What happened to Google, Facebook, and countless other businesses could have been easily avoided if they simply automated their payment process through a secure software platform and followed a better approval process.
We don't rely on a simple door knob lock to keep our houses locked; we use a deadbolt. We don't use tripwire as a security measure; we have a security system. We don't walk straight onto a plane at the airport; we go through gate security. We don't even leave our phones unlocked; we use face-recognition, fingerprints, and pass-codes. Why should B2B payments and invoice approval be any different?
If you're ready to start a conversation about protecting your company from invoice fraud with our help, reach out today.
Originally published October 2019. Updated for content and quality on October 30th, 2020.