116 Gawler Place, Adelaide SA 5000 1800 818 875 [email protected]

Fake Invoice Scams: How to Protect Your Business & Your Customers

Fake Invoice Scams: How to Protect Your Business & Your Customers

Fake invoice scams involve the unauthorised sending of invoices that are designed to look like they are from legitimate vendors but are actually from cyber criminals. These invoices may charge for goods or services that your business did not order or receive, or they inflate the costs of actual orders. The goal is to trick businesses into paying for something that isn’t real.

How Fake Invoice Scams Work

Fake invoice scams employ various sophisticated methods to deceive businesses and manipulate financial transactions:

  • Spoofing Emails
    • Scammers forge the sender’s address to make emails appear as though they’re from legitimate sources.
    • Emails mimic the format and style of actual supplier communications but include altered payment details to redirect funds to fraudulent accounts.
  • Hijacked Supplier Accounts
    • Unauthorised access to a supplier’s email account is gained through malware or phishing.
    • Scammers send invoices directly from the compromised account, making the fraudulent request appear legitimate.
  • Phishing Attempts
    • Emails that seem to be from trusted entities trick recipients into revealing sensitive information like login credentials or financial data.
    • Gathered information is used to craft convincing fake invoices or gain further access to vendor accounts.
  • Vendor Impersonation
    • Scammers impersonate suppliers by either creating false identities or pretending to represent legitimate businesses without accessing their systems.
    • They inform businesses of new payment methods or bank details under the guise of administrative updates.
  • Manipulation of Digital Documents
    • Using software to alter digital invoices, changing payment details before sending them to businesses.
    • These manipulated documents can pass initial checks if digital signatures and secure protocols are not enforced.

These scams can lead to significant financial losses and compromise business integrity. And, unlike other scams, these scams often involve two innocent victims.

Fake invoice

The Dual Victims of Fake Invoice Scams

Fake invoice scams target two separate victims; the invoice sender (i.e. the business which was hacked or targeted) and the invoice receiver (i.e. the business or individual who is being asked to pay the hacker).

  1. The Compromised Business

The first victim in a fake invoice scam is often the business whose identity has been hijacked or spoofed by the scammer. This can be a business that you regularly deal with or another known business with a well known brand. When scammers use a real business’s identity, they typically gain unauthorised access to their email accounts or create convincingly similar emails to send fraudulent invoices. The consequences for the compromised business can be severe, including:

  • Loss of Reputation: When fake invoices are sent out under their name, it can damage their reputation and erode trust with their clients.
  • Financial Losses: If the scam involves diverting payments, the legitimate business may face significant financial losses.
  • Legal and Compliance Issues: The business might have to engage in costly and time-consuming processes to prove the fraud and might face scrutiny regarding their cybersecurity measures.
  1. The Receiver of the Fake Invoice

The second victim is the receiver of the fake invoice—typically another business. This victim is deceived into paying for goods or services that were never delivered or agreed upon. The repercussions for these businesses can include:

  • Financial Impact: The direct financial loss of paying these fake invoices can be substantial, especially for small businesses operating with limited cash flows.
  • Operational Disruptions: Sorting out the confusion caused by fake invoices can consume valuable time and resources, distracting from daily operations.
  • Increased Vulnerability: After falling victim to a scam, victims may face increased risk of being retargeted by scammers, who exploit known vulnerabilities for further fraudulent activities.

For businesses on both ends of this scam, it’s crucial to maintain open lines of communication and to verify any suspicious or unexpected invoices directly with the source.

Fake invoce

What Should I Do If My Business Emails And Invoices Get Hacked?

  • Secure Your Systems: Immediately contact your IT department or a cyber security professional to secure your systems and close any security gaps that allowed the breach.
  • Alert Your Clients: Proactively reach out to all clients, particularly those who might have been sent fake invoices under your name. Provide them with correct invoice details and how to authenticate communications from your business.
  • Legal and Regulatory Reporting: Report the misuse of your business identity to the Australian Competition and Consumer Commission (ACCC) via Scamwatch. Depending on the scope of the breach, you may also need to comply with data breach notification laws.
  • Record and Collect Evidence: Collect and secure all evidence of the breach, including server logs, access records, and emails. This documentation will be crucial for investigations and legal proceedings should you need them.

What to do if you receive a fake invoice from a known supplier

  • Pause Payments: If you suspect an invoice is fake, immediately stop any ongoing payment processes. Inform your finance team and your bank to put a hold on transactions.
  • Authenticate Directly: Before processing any questionable invoices, confirm their legitimacy by contacting the supplier using previously known and confirmed contact details. Avoid using any new contact details provided on the suspicious invoice.
  • Consumer Protection Reporting: Inform the ACCC via Scamwatch about the fraudulent invoice. This can help authorities track and potentially apprehend the fraudsters.
  • Review Payment Procedures: Evaluate your current payment and verification procedures to identify any weaknesses that could be exploited by fraudsters. Consider implementing stricter controls, such as dual approval for unusual or large payments or more rigorous vendor verification processes.
The Menace of Malware_Safeguarding Small Businesses_1

How to prevent Fake Invoice Scams

Preventing fake invoice scams requires proactive cyber security measure. This will ensure your business is protected as both the issuer of invoices and the receiver:

  • Educate Your TeamEmployee cyber security awareness training sessions can dramatically improve your business’s cyber defence. Not only does training improve your team’s knowledge, but it helps to set a cyber safe culture. Jam Cyber offers free training! Find out more.
  • Implement Invoice Verification Processes: For businesses that issue invoices, ensure that your clients are aware of how you will communicate changes in payment information. For recipient businesses, establish a routine to verify invoice details directly with the supplier using known contact information before processing payments.
  • Leverage Your Technology: Cyber security tools such as spam filters, antivirus software, and email authentication techniques can help reduce the number of fake invoices received. Businesses can also adopt two-factor authentication for accessing financial or sensitive business systems.
  • Implement a Cybersecurity Framework: A cyber security framework will not only help prevent fake invoice scams, but increase your business’s overall protection from all cyber threats. This approach helps identify threats, protect infrastructure, detect incidents, respond effectively, and recover from attacks, enhancing overall security and resilience.

Improving your cyber security

If your business is looking to improve your cyber security, contact us below to discuss how we can support you!

// Need more help?

Contact our team today.

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Related Posts:

    Google Rating
    Based on 41 reviews
    Have questions? Search our knowledgebase.