Invoice fraud


Oh S**T! I've paid the wrong person!

It is called 'Invoice fraud' or 'CEO fraud': sneaky and clever cyberattacks with fake emails that look just like the real thing. 

The holiday season and Friday afternoons are an obvious time for this kind of attack in your mailbox.

There has been cases of high-ranking employees falling for the scam and transferring very large amounts, in some cases amounts well over $100,000. Such a transfer lands directly in the fraudsters’ bank account from where it instantly disappears.

Security agencies have been busy warning companies — and especially those which trade internationally — about cybercrime. However, despite all warnings, more and more companies, large and small, fall into the invoice fraud trap. The criminals plan carefully and have developed a method where they can cheat companies out of large amounts of money without being caught.

How do they do it?

Let’s take a closer look at the methods. For example, let’s say the fraudsters have decided to attack a company called CBA.

First they identify one of CBA's suppliers. They hack the supplier's mailbox and subsequently monitor the correspondence between CBA and the supplier. They copy anything they can use.

Then they create a domain name and an email address which is almost identical to that of the supplier, so the employee at CBA, who has been chosen as a invoice fraud target, won’t notice the tiny difference.

One day they send an invoice to CBA, which is similar to those invoices the company previously have received from the supplier. The fake invoice is easy to make and not even the language is a barrier, because foreign cyber criminals have software and networks which enable them to express themselves almost perfectly in any language.

Consequently, large numbers of employees around the world have been cheated by these sophisticated fraudsters.

Has the account number changed?

There are different variations of the fraud, but they all have one thing in common: a new account number. This is a critical part of the fraud plan. 

What this means to you is that if you notice a bank account number has been changed, the alarm lights should be blinking instantly. 

Call a well-known person at the supplier and check if it is correct that the account number has been changed.

Listen to the alarm bells
Also, the alarm bells should be ringing loudly when you receive an email asking for a cash transfer in a rush. Why the rush? It is important that you take the correct measures of precaution. Never rush with money transfers.

If you don't notice until it's too late, and money has been sent to the wrong recipient, you must contact your company’s bank as soon as possible. Tell them that an error has been made and that money has been transferred to a wrong recipient. 

Sometimes it will be possible to stop a transfer before it has gone through. But at other times the money will have been lost and the cyber criminal will disappear.


Special offer

Check out our special offer and get 20% off our Simple Cyber Essentials course

It's super simple, quick and even a bit of fun! 

Learn more