We’ve heard about more and more cases of invoice fraud and scams lately, and criminals are adjusting their tactics to target businesses more effectively. Criminals are now using fake company letterheads and email addresses that look very similar to official company addresses, and some scammers are even calling businesses over the phone. The scammers can appear very professional and legitimate, and they have affected a number of businesses across Australia.
What is an invoice scam?
A scammer convinces a business that they are a legitimate supplier or creditor, and requests that the business change the bank account details it has on file to the scammer’s own account details. The business is then tricked into paying invoices to the new, illegitimate bank account. The Queensland Police Service has warned that the building industry in particular has been targeted in these attacks, and that several businesses have lost money to scammers.
Accounting software company Xero has written an article detailing an attack on a business in which a scammer stole the company’s email credentials and used the email account to send the business’s customers fake invoices carrying new (fraudulent) banking details. The company only found out that its email had been compromised because of an astute customer. Read the full story here: https://www.xero.com/blog/2017/11/protect-construction-business-invoice-scams-security/.
There are also other types of invoice and billing scams that we’ve previously covered in our article Online Fraud Prevention for Business. These include fake invoices being emailed to businesses, and payment being demanded for subscription services that the business never signed up for (read it here: https://aboutnetworks.com.au/2019/01/20/online-fraud-prevention-for-businesses/).
What can I do?
The Queensland Building and Construction Commission has released a Scam Alert warning, and they offer the following tips to avoid falling victim to scammers:
- Double check all requests to change suppliers or other businesses/persons bank account details.
- Independently verify all notices of changes in bank account details. Ensure telephone verification contact is done with the telephone number obtained from the particular business’s official website or Yellow Pages entry.
- Do not use telephone numbers located within the email to verify the change, always use details you already have or that you have sourced independently.
- Use your database contact details to confirm notifications for any changes of banking details via official correspondence with your suppliers (such as a letter), preferably before processing the next payment.
- Always have up-to-date virus protection and remind staff not to open unknown emails or open links within emails they are unfamiliar with.
- Beware of false confirmation e-mails from almost identical e-mail addresses, such as .com instead of co.za, or slight variations from genuine addresses that can be easily missed.
- Consider a multi-person approval process for transactions over a certain dollar threshold.
- Always confirm the identity of the person your business is dealing with.
- Ensure you always shred and never throw away your business’s (and suppliers’) invoices or any communication material that contains letterheads.
- Do not publish your bank account details on the internet. This private information can be used fraudulently to trick genuine customers into making payments to alternative accounts.
- Ensure that your company’s private information is not disclosed to third parties who are not entitled to receive it, or third parties whose identities cannot be suitably verified.
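The tips above about almost identical e-mail addresses (a .com instead of a .co.za, or a single changed letter) and about checking every bank-detail change against the contact details you already hold can be partly automated. The following is an added example written for this article, not code from the QBCC or from any product: it compares a sender’s domain against a constructed list of supplier domains assumed to be on file, flags near-misses, and separately flags message text that asks for banking details to be changed. The supplier domains, sample messages and the `triage_invoice_email` function name are all assumptions made for the example.

```python
import re

# Constructed sample: domains your business already has on file for its suppliers.
KNOWN_SUPPLIER_DOMAINS = ["acmebuilding.com.au", "northsidetimber.co.za"]

# Phrases that typically accompany a request to redirect payments (assumption).
BANK_CHANGE_PATTERN = re.compile(
    r"\b(bank|bsb|account)\b.*\b(chang|updat|new)", re.IGNORECASE | re.DOTALL
)


def sender_domain(address):
    """Return the lowercased domain part of an email address, or None if malformed."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    return m.group(1).lower() if m else None


def first_label(domain):
    """The leading label of a domain, e.g. 'acmebuilding' from 'acmebuilding.com.au'."""
    return domain.split(".")[0]


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(address, known=KNOWN_SUPPLIER_DOMAINS):
    """Classify a sender as 'known', 'lookalike', 'unknown' or 'invalid'."""
    domain = sender_domain(address)
    if domain is None:
        return "invalid"
    if domain in known:
        return "known"
    for k in known:
        # Same company name but a different ending (.com instead of .com.au),
        # or the real name used as a sub-domain of somebody else's domain.
        if first_label(domain) == first_label(k):
            return "lookalike"
        # Spelling that differs by at most two characters ("acrne" for "acme").
        if edit_distance(first_label(domain), first_label(k)) <= 2:
            return "lookalike"
    return "unknown"


def triage_invoice_email(sender, body):
    """Combine the sender check with a scan for bank-detail change requests.

    Returns a dict with the sender classification, whether the body asks for a
    change of banking details, and the action a payments clerk should take.
    """
    verdict = assess_sender(sender)
    asks_for_change = bool(BANK_CHANGE_PATTERN.search(body))
    if verdict in ("lookalike", "invalid"):
        action = "reject: sender address does not match supplier on file"
    elif asks_for_change:
        # Even a known address may be compromised, so verify by phone using the
        # number already on file, never a number quoted in the email.
        action = "hold: verify change by phone using contact details on file"
    elif verdict == "unknown":
        action = "review: sender not on supplier list"
    else:
        action = "proceed"
    return {"sender": verdict, "requests_bank_change": asks_for_change, "action": action}


if __name__ == "__main__":
    # Constructed sample messages for demonstration only.
    samples = [
        ("accounts@acmebuilding.com.au", "Attached is invoice 1042 for July."),
        ("accounts@acmebuilding.com", "Our bank account details have changed, see attached."),
        ("accounts@acrnebuilding.com.au", "Please update our BSB and account number."),
        ("accounts@acmebuilding.com.au", "Please note our bank details are new from today."),
    ]
    for sender, body in samples:
        print(sender, "->", triage_invoice_email(sender, body)["action"])
```

The sender check is deliberately conservative: a message that passes it still goes on hold whenever it asks for banking details to be changed, because, as the Xero case above shows, the genuine supplier mailbox itself may be in a scammer’s hands.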
Read their full article here for more information: https://www.qbcc.qld.gov.au/blog/industry-today/scam-alert-queensland-building-industry-targeted
Additionally, we recommend enabling two-factor authentication (2FA) for all your personnel. Two-factor authentication is a login system where a code is sent to your mobile phone and must be entered, in addition to your login credentials, before you can log into your email from a web browser. This is a very effective deterrent even if someone has phished or guessed your password. If your email system doesn’t support two-factor authentication, give us a call to discuss moving your business emails to a better and more secure system.
If you believe that you may already have been the victim of a scam, they also advise that you submit a report to the Australian Cybercrime Online Reporting Network (ACORN); you can find their website here: https://www.acorn.gov.au/.