For businesses and SMEs, a big fraud threat is invoice redirection fraud. While this is not a new type of scam, it is one that has increased during the pandemic. Niamh Davenport looks at how this scam works and how businesses can protect themselves from falling victim.
Organisations of all sizes are open to fraudulent attacks, but SMEs can be a particular target as their security systems may not be as robust as those of larger organisations, and with new systems and processes being implemented quickly during the pandemic, there may be gaps in the chain that fraudsters will use.
Keeping security systems and devices protected with official and reliable software and backups can assist greatly in keeping fraudsters out of your business. It is also important to be aware that you may be at risk of fraud indirectly if a fraudster compromises a supplier’s system and sends you emails from their accounts to defraud you.
Invoice redirection
With the ongoing COVID-19 pandemic driving both our working and social lives online, fraudsters are taking advantage of the current climate by adapting their scams; one such example is invoice redirection fraud.
This is usually done by using a spoofed email address. The fraudster emails someone in the organisation posing as a supplier. The email address used will mirror an address regularly used by your supplier, including logos and signoffs. The email contains information about a new bank account and instructions that all future payments should go to the new account.
When the next legitimate invoice is received from the real supplier, payments are made to the new fraudulent bank account. Generally, it is only when the reminder to pay the invoice comes in that the organisation realise there has been a fraud committed. There is no guarantee a recall on the payment through the bank will prove successful – fraudsters are quick and will move money as soon it’s received.
Protecting your small business
There are three ways organisations can keep themselves secure against fraudsters:
Be informed
- Ensure employees are fraud-aware and understand the controls and procedures in place that your company currently employs to prevent fraud.
- Have a verification process in place before changing saved bank account details of your suppliers or service providers.
- Provide cyber security training for staff to include guidance on links in emails and the importance of password protection.
- Don’t assume you can trust caller ID. Phone numbers can be spoofed so it looks like a company is calling.
Be alert
- Fraudsters can change an email address to make it seem as though it comes from somebody you email regularly. Look out for different contact numbers and/or a slight change in the email address (e.g., .com instead of .ie) as these may differ from previous correspondence.
- Fraudsters may already have basic information about you or your business (e.g. name, address, account details); do not assume the caller is genuine because they have these details.
- Be wary of payment requests that are unexpected, irregular or require changes to bank account details, whatever the amount involved.
Be secure
- Ensure security and software is regularly updated and maintained using official and reliable software and that your system is regularly backed up.
- Always exercise caution when forming new relationships with potential customers, and undertake appropriate due diligence.
- Don’t allow yourself to be rushed. Take your time and do the relevant checks.
Remember, implementing processes to prevent fraud does not have to be costly. In fact, low-cost measures can prevent most fraud from taking place in the first instance, such as verifying new payment details verbally.
If you fall victim to a scam or have noticed unusual activity on your account, contact your bank immediately. The sooner the bank can investigate potential losses, hold funds in accounts and place recalls on transfers made in error, the better. You should also report the incident to your local Garda station.
Niamh Davenport is the Head of Digital & Fraud Prevention at BPFI.