A number of Australian businesses and industries are currently being targeted by fraudsters using a variety of invoice payment scams. In some cases, they are targeting companies involved in or going through large construction or redevelopment projects, as the payments involved are often quite large. This article explains how the scams work, and what precautions you should take when dealing with invoices, regardless of business size.
Anyone know of any building redevelopment projects underway at the moment? There’s so many redevelopments happening in Sydney... there’s lots of money to be made!
There are a few different tricks that fraudsters use, so it is always best to understand how they work so you can be prepared.
It's possible that any regular supplier you have a relationship with could be compromised by a malicious actor who has hacked into that supplier's computer systems or gained access to one of its email accounts. This malicious actor can then pose as the supplier and send fraudulent invoices from a seemingly trusted source. The invoices will look 100% correct, except that the bank details and possibly the contact details have been modified for fraudulent intent. They may even tell you their banking details have changed. This scam is often only detected when the regular supplier contacts you to ask why they haven't been paid. In some cases, a legitimate third-party staff member has their email account compromised through a phishing email. The fraudsters then find invoices in that inbox or sent items and modify them with updated bank account details. They also set up mail forwarding rules so that the compromised third party doesn't even know it's happening.
Always verify the account details on an invoice and check that they have not been changed or modified. Check very carefully against a previous invoice to see if any banking or contact details have changed. Contact the supplier's finance department via the contact details on their website. Do not use the contact details or website on the invoice or email, as it's possible these have been maliciously modified.
Lookalike domains sound technical, but the trick is simple. This is where the fraudsters register a fake domain name that looks similar to the intended victim's or a third party's domain, and send a fake email to someone who pays invoices, trying to convince the recipient that an email from this domain is legitimate. The invoice will be made to look authentic, with company logos, letterhead and so on, but will contain different bank account payment details. Sometimes they go the extra mile, steal real letterhead, and follow up the email with phone calls to the recipient.
Other scenarios are where the fraudsters use a personal or faked email address of a staff member, known as Business Email Compromise (BEC), and somehow convince the email recipient that they are authentic and require a payment or transfer of some kind. "I'm out of the office and hence why I'm using my icloud / gmail personal email account ...Please don't call me by phone to check.. I'm on holiday / on a plane…" Don't fall for it! This is also a good reminder of why staff should never use personal email accounts for work purposes: once that is normal, nobody questions why a request is coming from a personal account in the first place.
False billing scams ask you to pay fake invoices for services or supplies that you did not order. Some common examples include directory listings, advertising, domain name renewals or office supplies. Fraudsters leverage common social engineering techniques to trick you into paying these invoices. They are often for things you have never been invoiced for before and are made to look like one-off work orders. This scam is usually detectable using email security checks, but there is always a possibility that such an invoice could land in your inbox.
If you've received an invoice asking for payment and don't understand the context, ask internally whether your team is aware of any such order. Verify that the work order does exist and that the work was completed. Do some research on the company name, phone number and email to try to determine whether the company is legitimate and does exist. If it does exist, contact its finance department asking for clarification on the work order, and again verify internally with your team before paying any such order.
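The manual checks described above (bank and contact details compared against what is already on file, the sender's domain compared against the supplier's real domain, personal email accounts treated as a red flag, and every invoice traced to a known purchase order) can be applied as a pre-payment gate in an accounts-payable workflow. The following is an added example written for this article, not code from the original post or from Cloudfloat: the supplier master record, purchase orders, invoices, `Supplier`/`Invoice` types and the `vet_invoice` function are all constructed here for illustration, and the 0.8 similarity threshold for lookalike domains is an assumed tuning value.

```python
"""Pre-payment invoice vetting checks (added example, constructed data)."""
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Set

# Freemail providers a genuine supplier would not normally invoice from
# (constructed list; extend to suit your environment).
FREEMAIL_DOMAINS = {"gmail.com", "icloud.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Assumed threshold: sender domains this similar to the real one are treated as lookalikes.
LOOKALIKE_THRESHOLD = 0.8


@dataclass
class Supplier:
    """What the supplier master file holds, sourced from the supplier's own website, not from invoices."""
    name: str
    domain: str     # registered email domain
    bsb: str        # bank-state-branch number on file
    account: str    # account number on file
    phone: str      # finance contact number on file


@dataclass
class Invoice:
    """Fields extracted from an incoming invoice email."""
    supplier_name: str
    sender_email: str
    bsb: str
    account: str
    phone: str
    po_number: Optional[str] = None


def domain_similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical. Catches acme-concrete vs acmeconcrete style lookalikes."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def vet_invoice(inv: Invoice, master: Dict[str, Supplier], open_pos: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means no red flags were raised."""
    findings: List[str] = []
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    sup = master.get(inv.supplier_name)

    if sup is None:
        findings.append("unknown supplier: no record in supplier master file")
    else:
        # Bank details are compared with what is on file, never trusted from the invoice itself.
        if (inv.bsb, inv.account) != (sup.bsb, sup.account):
            findings.append("bank details differ from supplier master record")
        if inv.phone != sup.phone:
            findings.append("contact phone differs from supplier master record")
        if sender_domain != sup.domain.lower():
            if domain_similarity(sender_domain, sup.domain) >= LOOKALIKE_THRESHOLD:
                findings.append(f"sender domain {sender_domain} is a lookalike of {sup.domain}")
            else:
                findings.append(f"sender domain {sender_domain} does not match {sup.domain}")

    if sender_domain in FREEMAIL_DOMAINS:
        findings.append("invoice sent from a personal/freemail account")

    # False billing: every payable invoice should trace to an open purchase order.
    if not inv.po_number or inv.po_number not in open_pos:
        findings.append("no matching purchase order on file")

    return findings


# Constructed sample data: one known supplier, one open PO, four incoming invoices.
MASTER = {
    "Acme Concrete": Supplier("Acme Concrete", "acmeconcrete.example", "062-000", "12345678", "02 9000 0000"),
}
OPEN_POS = {"PO-1001"}

LEGIT = Invoice("Acme Concrete", "accounts@acmeconcrete.example", "062-000", "12345678", "02 9000 0000", "PO-1001")
CHANGED_BANK = Invoice("Acme Concrete", "accounts@acmeconcrete.example", "033-999", "87654321", "02 9000 0000", "PO-1001")
LOOKALIKE = Invoice("Acme Concrete", "accounts@acme-concrete.example", "033-999", "87654321", "0400 000 000", "PO-1001")
FALSE_BILL = Invoice("Directory Listings Ltd", "billing@gmail.com", "012-345", "11112222", "1300 000 000", None)

if __name__ == "__main__":
    for label, inv in [("legit", LEGIT), ("changed bank", CHANGED_BANK),
                       ("lookalike domain", LOOKALIKE), ("false billing", FALSE_BILL)]:
        print(f"{label}: {vet_invoice(inv, MASTER, OPEN_POS) or ['no findings']}")
```

Any non-empty finding list should route the invoice to a human who phones the supplier's finance department on the number held in the master file (not the one printed on the invoice) before payment is released.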
90% of cyber attacks begin with a phishing email, so it's vital that you know how to spot them before you are defrauded.
With Cloudfloat, you can buy now and pay later. Because Cashflow matters.