More invoice fraud cases are happening now than ever before and they affect not only large corporations but small businesses too. The increase in the number of employees working remotely means there’s less visibility and control over AP processes which gives fraudsters more opportunities. Invoice fraud is a danger you can’t ignore, but you can reduce the chances of it happening.
What is invoice fraud?
Invoice fraud may be perpetrated by a third party or by a company employee. Accounts payable (AP) departments in companies are most susceptible to Business Email Compromise (BEC) fraud. These departments are often targeted by email scams where fraudsters use sophisticated social engineering techniques to trick employees into paying over money. They may receive a legitimate-looking email that appears to come from a supplier. It will notify them of a change of bank and account details.
Fake invoices
Fake invoices may be created by fraudsters that understand the general workflow of a company for receiving and processing invoices. The invoice will use a similar email address, invoice template, and payment amount to the originals but the bank account information will be different. In the midst of processing thousands of payments, an employee may be tricked into making payments to a fraudulent account. The company often only becomes aware of the issue when a legitimate supplier follows up because payment hasn’t been made.
Even the biggest companies are fooled by invoice fraud and Amazon paid over $19 million in 2020 for items that were never purchased. This was due to the manipulation of Amazon’s vendor system and the setting up of a fake wholesale business.
Internal fraud/employee malpractice
An employee may be involved in internal fraud by using a legitimate vendor invoice and diverting payment to a different account. This would involve changing the vendor’s bank account details in the AP system temporarily and changing them back again to avoid detection. A 2020 survey indicated that one of the main sources of billing fraud experienced by AP came from current employees.
Vendor record changes/ system takeovers
The most tech-savvy fraudsters use phishing, business email compromise (BEC) attacks or brute force attacks to exploit loopholes in software security and get access to internal systems. When cybercriminals have access, they can make subtle changes to invoice details or account numbers that may go unnoticed for a while.
How to prevent invoice fraud
A single fraudulent invoice may not cause too much of a problem, but if a company keeps falling victim to this type of fraud, it can become a costly problem.
Employ three-way matching
The process of matching an invoice to a purchase order (PO) and supporting goods receipt note (GRN) validates different parts of the supply chain. If you can match all three documents, you are less likely to fall for invoice fraud.
Automating the three-way matching process can save time, reduce errors and minimize risks. The lack of human intervention in the process reduces the risks of something being missed or an employee getting an opportunity to manipulate data. The automation software will flag missing or conflicting data so this can be investigated before paying an invoice.
Do your vendor due diligence
When you select and onboard vendors, it will help to do due diligence checks. Validate that they are legitimate entities by asking for the following:
- Proof of incorporation
- A legitimate email address
- A tax number that matches the details provided
- Proof of bank account details, etc.
If you only work with legitimate, compliant vendors, you reduce your risks of fraud and non-compliant activity.
If you track invoice activity, you will notice when there’s a change. If you see that one vendor who typically submits about ten invoices a month is suddenly submitting 20 a month, you should get in touch to double-check their authenticity.
Implementing system auditing software can keep track of any changes to vendor master files. It will not only track changes to vendor records but also look for duplicate invoice numbers or invoices with suspicious beneficiary details or amounts.
Segregate duties and user audit logs
A common way to prevent fraudsters from extracting funds is to ensure that the processing of payment requires authentication by multiple employees. No single user can manage payments, but two to three employees must review and approve each payment.
User auditing controls provide a way to keep a log of every action carried out by users on a platform. This offers transparency and a way of evaluating potential fraudulent actions perpetrated by employees.
Institute layers of security software
Layers of security can help companies to ensure the integrity of their online software ‘perimeter.’ In practice, you will need to institute measures such as the following.
- Adopt next-gen firewalls.
- Use reliable internet security systems.
- Provide VPN access for remote employees logging into company platforms.
- Use IP safe-listing
- Protect user credentials through two-factor or multifactor authentication that requires two or more forms of identification during login.
- Use other privacy-enhancing technologies.
Train your employees
Fraudsters will look for opportunities to exploit weaknesses in your processes. It is critical to make sure your employees are well-trained in how to detect fraud, particularly those responsible for making payments. They should know they need to remain vigilant and adhere to all the relevant checks and processes. For example, if they receive a request to change supplier bank account details, they must call a previously verified number and check the validity of the change.
Conclusion
The threat of invoice fraud is increasing, and not only large companies are subject to it but also the SMBs. If you are aware of the different types of invoice fraud that can occur and have tools and strategies in place, you can reduce the risks and carry on with your business confidently. You also need to train your employees to make sure they’re aware of the risks and follow protocols to reduce them.