Invoice fraud is perhaps one of the simplest forms of fraud – with the potential to cost businesses tens of thousands of pounds if staff are not vigilant.   

The alarming rise in Business Email Compromise presents a growing threat to all organisations as fraudsters exploit the weaknesses in processes relying on email to hijack genuine transactions and divert funds into accounts that they control.

How does it happen?

Invoice Hijack and Business Email Compromise have grown into a multi-billion pound global threat over the last five years.  The last financial year has seen incidents increase at a frightening rate.

Fraudsters rely on the fact that people who work in finance are busy people and that the primary tool of communication is email.  The attacker will deceive the victim into changing the destination bank details for an invoice.  It is often perpetrated by intercepting genuine emails containing invoices and creating a credible reason for the change.

It is so effective because it bypasses an organisation's corporate network security.  Executing a scam does not involve malware or malicious links – and in the sophisticated cases analysed in the last 12 months, the emails have come directly from the account of an existing supplier.  Simply scanning or examining an email does not reveal the threat.

An External Threat

Whilst an organisation can control – to some extent – the security of its own networks and security systems, clearly there is very little it can do about the security of its suppliers' systems and the way that they use them.

In the ‘Anatomy of a Scam’ we highlight how an organised crime gang broke into the networks by targeting Microsoft 365 users.  They did this not because it was easy to break into, but because access to historic emails, contacts and the ability to send email makes invoice hijacking straightforward.

What makes this particularly scary is that in many cases the organisation whose email accounts were compromised merely became the ‘host’ for the crime.  Once a supplier's accounts are compromised and the contacts involved in invoice transactions identified, their contacts across the supply chain (and historical communications) are at the fraudsters' disposal.  One supplier can potentially open up hundreds of others.

The fraudster then carries out a degree of reconnaissance to learn the key details of their intended victims – the supplier's clients.  They identify how those clients are structured, as well as their patterns of communication, language and process.  They are then able to deliver a highly convincing deception.

Email is The Enabler

The average worker sends or receives 121 emails per day.  That means we’re conditioned to actioning, filing or deleting emails quickly.  If an email comes from a trusted source and requests action that is expected – we deal with it and move on to the next one.  That’s the first chink in the armour.

The second chink in the armour is that email is inherently insecure.  We’ve talked many times about how open the technology is and how difficult it is to secure the contents.  It is readily intercepted and can be readily impersonated. Email is the weapon of choice for cyber criminals – 91% of targeted attacks start with email.

If Your Accounts Payable Process Involves Receiving Invoices by Email – You Are Only as Strong as Your Weakest Supplier’s Defences

The strike involves deceiving a member of your Accounts Payable team to make payment to a different bank account.   The different versions of the scheme evolve as criminals create ever more effective ways of providing either a credible reason for the change, or evading detection when the change takes place.

The nature of Accounts Payable means that it's often not detected for some time after the event – invoices typically payable on 30-day terms tend to get chased up for non-payment a week or so later, by which time the money has been transferred several times and the trail is almost impossible for law enforcement agencies to trace.

If a fraudster can compromise your supplier, they have the opportunity to deceive your team.  The result of a successful scam is costly – the money paid to the fraudster is long gone, your supplier is still waiting for payment and the resulting fuss takes up a great deal of management time.
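One way to put that process change into working code, as an added example that is not from the original article or from any product it mentions: an Accounts Payable check that compares the bank details on an incoming invoice against the vendor master record and holds payment whenever they differ, so a "changed" account on an emailed invoice is never paid on the strength of the email alone. The supplier record, invoice values and callback number are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed vendor master: verified bank details held on file for each supplier,
# captured at onboarding and changed only through apply_detail_change() below.
VENDOR_MASTER = {
    "SUP-001": {"name": "Acme Supplies Ltd", "sort_code": "12-34-56",
                "account": "12345678", "callback_phone": "+44 20 7946 0000"},
}


@dataclass
class Invoice:
    supplier_id: str
    invoice_no: str
    sort_code: str
    account: str
    amount: float


def _norm(value: str) -> str:
    """Strip separators so '12-34-56' and '123456' compare equal."""
    return value.replace("-", "").replace(" ", "")


def check_invoice(inv: Invoice, master: dict = VENDOR_MASTER) -> tuple:
    """Return ('PAY', reason) or ('HOLD', reason). HOLD stops payment until the
    details are confirmed by phone using the number held on file, never a number
    taken from the invoice or from the email that carried it."""
    rec = master.get(inv.supplier_id)
    if rec is None:
        return "HOLD", "unknown supplier: onboard and verify before paying"
    if (_norm(rec["sort_code"]) != _norm(inv.sort_code)
            or _norm(rec["account"]) != _norm(inv.account)):
        return "HOLD", f"bank details differ from vendor master; call {rec['callback_phone']} to verify"
    return "PAY", "bank details match vendor master"


def apply_detail_change(supplier_id: str, sort_code: str, account: str,
                        verified_by_callback: bool, master: dict = VENDOR_MASTER) -> bool:
    """Update the master record only once a callback to the number on file has
    confirmed the new details. Returns True if applied, False if rejected."""
    if not verified_by_callback or supplier_id not in master:
        return False
    master[supplier_id]["sort_code"] = sort_code
    master[supplier_id]["account"] = account
    return True
```

An invoice carrying new bank details is held, not paid, and the master record only changes after the callback step, so the emailed request alone can never redirect a payment.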

Preventing Invoice Hijack requires a change in process.  Don’t Transmit.

For more information on how to prevent Business Email Compromise and Invoice Hijack, check out this article.