Trick or Treat: Frightening Facts About Invoice Fraud & How to Protect Yourself
In honor of Halloween, we'll begin today's blog post with a scary story.
Like all great scary stories, this story is based on real events. Be warned: this story is not for the faint of heart. By the end, the thought of invoice fraud will genuinely haunt you (if it isn't haunting you already). The good news is, there are ways to ensure you don't end up in a real-life invoice fraud nightmare.
Frightening Facts About Invoice Fraud & 10 Ways To Protect Yourself
It's and beautiful fall day on October 31st, and you're going about your routine trying to approve invoices and keep your files organized when you come across something that looks a little odd. An invoice comes in from a company you recognize, sent from an email address you're familiar with, from someone you work with regularly. Strangely, the amount is significantly larger than what it usually is and you're pretty sure you already paid it. You think about it for a little while and start digging through your records when you realize that you paid the company already, but it was a separate branch and a different invoice. This invoice is for the New York office, and that branch uses different payment information. Thinking that it all makes sense, you approve the invoice, file it away, and go on about your day without giving it a second thought.
And just like that, you have become a victim of invoice fraud.
Spooky, isn't it? And not just because it's Halloween. Invoice fraud is a prevalent nightmare for Controllers, CFO's and finance professionals year-round. To think that hackers and scammers can easily mimic personas employees are not only familiar with, but interact with regularly is more than a little alarming. A few years ago, if a study came out outlining that businesses were going to lose over 12 billion dollars in email and invoice fraud in a short span of 5 years, few would have taken it seriously. Unfortunately, that's precisely what happened. A recent article by CNBC states that according to the FBI, the amount of money that scammers attempted to steal through business e-mail compromise grew 136% between December 2016 and May 2018. Overall, e-mail scammers targeted more than $12 billion worldwide between October 2013 and May 2018.
If that isn't scary enough, it's not just small and medium-sized businesses that scammers are after. Even tech giants like Google and Facebook have been taken advantage of. During the last week of March 2019, a man from Lithuania plead guilty to bilking over 123 million from Google and Facebook over the span of a few years. Not only is that an incredibly large sum of money, but it's also a very long time for a scammer to go completely unnoticed. In a recent survey by KPMG, it was determined that internal and external audits only have a 58% chance of catching fraudulent activity. What's even more concerning is that of the 58% percent of the time that fraud is detected, on average, businesses only regain 25% of their missing funds. That's essentially a 50/50 chance to recover 1/4th of what was lost. Regardless of the amount taken, those aren't great odds. That's why businesses need to take the necessary precautions to protect themselves from invoice fraud at all costs.
Protection starts by understanding how fraudsters get away with it. I'll give you a hint: it's a lot easier than you think.
In a typical invoice fraud, hackers take over or convincingly spoof the email address of a known business partner, like an attorney or vendor. The criminal may carefully monitor the usual interactions and payment processes between the business and the other party. Then, the criminal sends a convincing invoice or asks for a wire transfer for services rendered. Often, the business’s accounting office doesn’t realize it’s fraud and releases the funds. In the case of Google and Facebook, the man from Lithuania forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of [Google and Facebook], and which bore false corporate stamps embossed with [their] names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.
This case study explains why mid-large sized businesses need to be especially careful. Larger teams and additional invoices lead to greater margin for error and higher potential for exploitation. Especially if a fraudster attacks a business still utilizing manual processes for invoice tracking, matching, and payment processing. By relying on manual processes for invoice tracking, it can be difficult to accurately account for which payments went out and which line items the payments were associated with. Manual payment processes make it easy for fraudsters to fabricated invoices with familiar but FAKE information. If the payer isn't able to quickly and accurately trace the money trail and locate past invoices and payment methods, the chance of approving fraudulent invoices drastically increases.
Fortunately, technological advancements in payment processing and payment automation are making it increasingly difficult for business email fraud and invoice fraud to continue to survive. As more businesses move away from manual processes and transition to payment automation solutions with bank-level security, invoice matching, permissions, access restrictions by user, and dollar amount limitations, we should see a steady decline in the amount of fraudulent activity reported by mid-large sized companies.
Unfortunately, things are probably going to get worse before they get better, as many companies don't see a need to move away from their current payment processes. The FBI's Internet Crime & Complaint Center issued an advisory in June stating that this type of fraud, called a Business Email Compromise, is up by 1,300 percent since January 2015. The FBI estimates companies have been defrauded of more than $3 billion dollars in recent years and the fraud industry is expected to expand in 2020. That's good news for hackers, who plan on using Mr. Rimasauskas' success as a blueprint to target more high profile businesses for invoice fraud. Symantec posted a blog post outlining that over 6,000 companies are targeted for BEC and invoice fraud every month. Symantec's article went on to say that there were over 20,000 companies who filed BEC and invoice fraud complaints in 2018. If 6,000 companies a month are being targeted and 20,000 a year are victimized, that means fraudsters are at about a 28% success rate. That's not great news.
Thankfully, small and large businesses alike are starting to take notice. Skillcast posted a very informative blog post titled 10 Ways To Protect Your Company Against Invoice Fraud. While the article is written somewhat ambiguously from a payment process perspective, it's still a fantastic read. More importantly, industry leaders in FinTech, Finance, and law enforcement are digitally working on ways to eliminate email fraud and BEC. On average, businesses that move to a secure payment automation software see a 99% success rate for data entry and invoice matching. With enough awareness about fraud, costs saved by paper elimination and payment automation, and easier system and process integration, eventually, manual processes fade away entirely. After all, another huge source of fraudulent activity every year, paper checks, are expected to be obsolete for use in B2B payments by 2036.
It's important to remember that technology is always advancing. While that's a good thing for the world of FinTech and a lot of other industries, it also means that we must keep up with these advancements in order to stay efficient and to stay safe. What happened to Google, Facebook, and countless other businesses could have been easily avoided if they simply automated their payment process through a secure software platform and followed a better approval process.
We don't rely on a simple door knob lock to keep our houses locked; we use a deadbolt. We don't use tripwire as a security measure; we have a security system. We don't walk straight onto a plane at the airport; we go through gate security. We don't even leave our phones unlocked; we use face-recognition, fingerprints, and pass-codes. Why should B2B payments and invoice approval be any different?