Spotting fake invoice scams – what UK SMEs need to know

How do you know an invoice is genuine? With great difficulty, it turns out

UK businesses are under attack from a wave of fake invoicing scams, with small and medium-sized businesses a favoured target, according to Action Fraud and the fraud prevention service Cifas. Figures for the first half of 2015 show that 715 UK businesses, overwhelmingly SMEs, reported falling prey to this type of scam, which puts the country on course for a record number of cases. As with any reporting system, the true number must be several times that figure.

To emphasise the seriousness of this type of fraud, two businesses that complained of invoice fraud were said to have lost sums of around £1 million ($1.5 million) each. Further afield, there are occasional spectacular examples such as the extraordinary $46.5 million that Ubiquiti Networks admitted it had handed over to criminals from its Hong Kong subsidiary as part of a sophisticated business email compromise (see below).

The warning lights are now flashing red. Across the developed world this is now one of the biggest categories of digital fraud, with the FBI and Australian authorities putting out regular alerts of their own. An underlying issue is that while the fraudsters often exploit weaknesses in technology to attack businesses, the biggest flaws are always human: a lack of awareness and training, and poor systems, policies and checking. People make assumptions about identity and legitimacy and take too many short cuts.

But why have these scams become so successful? And what if anything can businesses do to protect themselves?

Spotting fake invoice scams: Malware and beyond

It's important not to confuse fake invoice fraud with the common 'unpaid invoice' emails that turn up in everyone's inbox from time to time. Those are usually a mechanism to persuade recipients to open attachments as a way of spreading malware. The invoice topic is simply a lure.

That said, a growing number of scammers do employ a slightly more directed version of this approach intended to find low-level admin people who will take an invoice demand, however implausible, at face value. There are numerous anecdotes of this approach working for smaller sums of money. Malware has also been used to carry out reconnaissance on target organisations.

Spotting fake invoice scams: Accounting systems

The simplest form of fake invoice scam is a well-crafted and targeted demand for money, usually a small sum for office supplies or some other routine service that was never undertaken but sounds plausible. If the invoice is sent to someone in the accounting office, the crooks know it won't often be discarded out of hand. These job roles receive numerous invoices in any day and will treat them as being equally valid unless something suggests otherwise. Fraudsters might also make phone calls to add to the authenticity, citing a genuine name or department as having consumed the imaginary services.

The first defence, then, is a company's accounting systems. The simplest system is to match an invoice number to a purchase order, preferably also to a shipping or delivery confirmation. These systems are used by any serious company, usually to detect internal fraud. If there is no match, the invoice can't be paid without further verification.
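The matching described above, as an added example that is not code from the article: a three-way check of invoice against purchase order and goods receipt, extended with the bank-account comparison against the supplier master that the recommendations section calls for. All data values are constructed and hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Invoice:
    number: str
    supplier: str
    po_number: Optional[str]
    amount: float
    bank_account: str      # sort code and account number as printed on the invoice

@dataclass
class PurchaseOrder:
    number: str
    supplier: str
    amount: float

# Constructed sample records (hypothetical supplier, PO and bank details).
SUPPLIER_MASTER = {"Acme Office Supplies Ltd": "12-34-56 11223344"}
PURCHASE_ORDERS = {
    "PO-1001": PurchaseOrder("PO-1001", "Acme Office Supplies Ltd", 240.00),
}
GOODS_RECEIPTS = {"PO-1001"}   # POs for which a delivery has been confirmed

def invoice_holds(inv: Invoice, tolerance: float = 0.01) -> List[str]:
    """Return the reasons an invoice must be held for manual verification.

    An empty list means the invoice passed the three-way match and its
    bank details agree with the supplier master record."""
    holds = []
    po = PURCHASE_ORDERS.get(inv.po_number or "")
    if po is None:
        holds.append("no matching purchase order")
    else:
        if po.supplier != inv.supplier:
            holds.append("purchase order was raised for a different supplier")
        if abs(po.amount - inv.amount) > tolerance:
            holds.append(f"amount {inv.amount:.2f} differs from PO {po.amount:.2f}")
        if inv.po_number not in GOODS_RECEIPTS:
            holds.append("no goods receipt or confirmation for this PO")
    known_account = SUPPLIER_MASTER.get(inv.supplier)
    if known_account is None:
        holds.append("supplier is not in the supplier master")
    elif known_account != inv.bank_account:
        # A changed account is the classic BEC signal: confirm it by phone,
        # using a number already on file, never one printed on the invoice.
        holds.append("bank account differs from supplier master; verify out of band")
    return holds
```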

Unfortunately, fake invoice scams have long since become cleverer than that.


Spotting fake invoice scams: Business Email Compromise (BEC)

In recent years the FBI and other police forces have documented more advanced versions of the simple invoice demand, starting with the invoice modification scheme. In this attack, an organisation is phoned up, or sent a spoofed email, by someone claiming to be from a company it does business with, informing it of an office location or bank account switch and that future invoices should be redirected. Sometimes the office move is genuine but, of course, the representative isn't. Organisations doing business across international borders are a common target for such frauds.

A variation of this is the 'man-in-the-email' scam, in which a legitimate account at an organisation is compromised, allowing the scammers to appear genuine. A demand for money to be transferred to the fraudster's account is then sent to an internal employee. Alternatively, a compromised email account is harvested for contacts and bogus invoices are sent to them.

Spotting fake invoice scams: SPF, DKIM and DMARC security

A useful defence against spoofed external invoice emails is for more companies to use an email platform or provider that offers email authentication: at least SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) and, ideally, Domain-based Message Authentication, Reporting & Conformance (DMARC). This makes it impossible for criminals to send spoofed email that impersonates the business's own domain.

Email authentication has a blind side: while it is not possible to spoof the real sending address when using these technologies, it is possible in some email systems or clients to spoof the sender name that is displayed to the recipient.

Email can also be signed using digital signatures based on an organisation's digital certificate, provided the recipient's email software supports S/MIME (Secure/Multipurpose Internet Mail Extensions). Webmail systems won't work with this form of security.
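The checks from the last two sections in code, as an added example that is not part of the article: it reads the Authentication-Results header that a receiving mail server adds after evaluating SPF, DKIM and DMARC, flags the display-name blind side described above (an address hidden inside the sender name), and flags a Reply-To that would silently divert a 'reply' to another domain. The message and all domains are constructed, hypothetical values.

```python
import email
from email.utils import parseaddr

# Constructed sample message (hypothetical domains). Only trust the
# Authentication-Results header added by your own mail server; a sender can
# include one of its own, which the server should strip on receipt.
SAMPLE = """\
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=mailer.invalid;
 dkim=none; dmarc=none header.from=mailer.invalid
From: "Acme Office Supplies Ltd <accounts@supplier.example>" <billing@mailer.invalid>
Reply-To: accounts-update@lookalike.invalid
Subject: Updated bank details for invoice INV-7

Please pay to our new account.
"""

def domain(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def auth_results(msg):
    """Map method -> verdict, e.g. {'spf': 'pass', 'dkim': 'none', 'dmarc': 'none'}."""
    results = {}
    # First clause is the authserv-id; each later clause starts with method=verdict.
    for clause in msg.get("Authentication-Results", "").split(";")[1:]:
        words = clause.split()
        if words and "=" in words[0]:
            method, verdict = words[0].split("=", 1)
            results[method.lower()] = verdict.lower()
    return results

def invoice_email_flags(raw):
    """Return reasons an invoice or payment email should be held for manual checks."""
    msg = email.message_from_string(raw)
    flags = []
    res = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if res.get(method) != "pass":
            flags.append(f"{method} {res.get(method, 'missing')}")
    name, addr = parseaddr(msg.get("From", ""))
    if "@" in name:                      # the blind side: an address inside the display name
        _, embedded = parseaddr(name)
        if domain(embedded) != domain(addr):
            flags.append("display name shows a different address than the real sender")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain(reply) != domain(addr):
        flags.append("Reply-To goes to a different domain than From")
    return flags
```

Any non-empty result means the invoice is routed to a person who confirms the request by phone on a number already on file, never by replying to the message.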

Spotting fake invoice scams: Email platforms

If the attacker is already inside the email system, or has access to sensitive internal data, none of these approaches will work, which is why the choice of email platform and the level of security it provides is critical. If the email platform offers multi-factor authentication and regular password refreshes, this makes it much harder, if not impossible, for outsiders to break in.

Spotting fake invoice scams: Recommendations

It's easy to suggest educating users about scams, but it is immensely important that anyone handling invoices or wire requests is sensitised to the issue.
Accounting systems and checking policies are the first defence for SMEs.
A policy should be enforced that any change of bank account by a partner or supplier is always validated through a channel other than email, preferably with two contacts.
Never respond to payment requests using the 'reply' button; always use the 'forward' option and pick the contact from the address book, which validates the address you are writing to.
Choose an email platform or provider that uses anti-spoofing systems or allows multi-factor authentication. Businesses should never use free services or cut corners.
Where possible, use digital signatures for email exchanges with important suppliers.
Transfers to some countries (China, Hong Kong, South Africa, Turkey) should be treated with extra suspicion. Local 'mule' accounts at local banks are increasingly being used.

Spotting fake invoice scams: Filing a complaint

This might seem like bolting an empty stable door but intelligence on these scams is extremely important. In the UK, Action Fraud is the first port of call while in the US it's the Internet Crime Complaint Center (IC3).

By John E Dunn