Would a fake invoice fool you?

Cybercriminals are finding cunning ways to trick SMEs into paying fake invoices – so what should you look out for?

That’s especially so at the present time with more and more criminals taking advantage of the coronavirus pandemic to scam businesses. Action Fraud has already received more than 200 reports of coronavirus-themed phishing emails, including some purporting to be from HMRC offering a tax refund.

The typical fake invoice scam, according to Randal Pinto, co-founder of data-driven cyber-security company Red Sift, involves crooks pretending to be a company’s CEO. He explains: “They will send an email to the CFO or to someone in accounts just as they are getting on a plane or entering an important meeting – and therefore out of contact – which says something like ‘pay this invoice right now or we lose the deal’.”

As far back as 2016, a scam of this nature cost a German firm a reported €40m (£36m) – and left the criminals with an insatiable appetite for more. Little wonder that UK businesses of all shapes and sizes are being targeted.

The second – arguably more common – type of invoice scam involves someone purporting to be a supplier sending an invoice to your accounts department. When they do so, they typically provide new bank details which, of course, are for an account belonging to the scammer.

So what can we look out for in order to stay vigilant against scams?

Too much information

In a way, we’re partly to blame for the scammers’ increasing audacity – Jamie Durham, founder of Leeds-based IT specialists Systemwork, says we’re furnishing them with the information they need on a regular basis. “Suppliers often advertise which businesses they work for on their websites,” he says. “Hackers can then look at the supplier’s ‘meet the team’ page and find out exactly who works in accounts and might be the one sending out invoices.”

The hackers can then either get into that supplier’s email system if it’s not secure and send out an invoice with new bank details, or – more likely – buy a domain name that is very similar to the supplier’s and send it from there.


In other words, you might be expecting an email from accounts@yoursupplier.co.uk, but would you necessarily notice the difference if it was missing the .uk – for instance, accounts@yoursupplier.co – or contained a misspelling, such as accounts@yoursuplier.co.uk?
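The two lookalike patterns just described (a domain with a label missing, and a domain with a one- or two-character misspelling) are easy to check mechanically against the list of domains your accounts team actually receives invoices from. The following is an added example written for this article, not code from the article itself nor from Red Sift or Systemwork; the supplier allowlist and the sample sender addresses are constructed, and the edit-distance threshold of 2 is an assumption you would tune for your own supplier list.

```python
"""Flag e-mail sender domains that look like, but are not, a known supplier domain.

Added illustration of the lookalike-domain pattern; the allowlist and sample
addresses below are constructed for the example.
"""
from __future__ import annotations

# Constructed allowlist: the domains the accounts team really receives invoices from.
KNOWN_SUPPLIER_DOMAINS = {"yoursupplier.co.uk", "acme-parts.com"}

# Assumed threshold: how many single-character edits still count as "looks like".
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute one character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def classify_sender(address: str, known: set[str] = KNOWN_SUPPLIER_DOMAINS) -> str:
    """Classify a sender address as 'known', 'lookalike' or 'unknown'.

    'known'     - the domain, or a subdomain of it, is on the allowlist.
    'lookalike' - not on the allowlist, but either a truncated/extended form of a
                  known domain (yoursupplier.co vs yoursupplier.co.uk) or within
                  MAX_EDIT_DISTANCE edits of one (yoursuplier.co.uk).
    'unknown'   - nothing on the allowlist resembles it; treat as a new vendor.
    """
    domain = sender_domain(address)
    if domain in known or any(domain.endswith("." + real) for real in known):
        return "known"
    for real in known:
        # A trailing label dropped or added: "yoursupplier.co" vs "yoursupplier.co.uk"
        if real.startswith(domain + ".") or domain.startswith(real + "."):
            return "lookalike"
        # A small misspelling of the whole domain
        if levenshtein(domain, real) <= MAX_EDIT_DISTANCE:
            return "lookalike"
    return "unknown"


# Constructed sample From: addresses, as an accounts mailbox might see them.
SAMPLE_SENDERS = [
    "accounts@yoursupplier.co.uk",
    "accounts@yoursupplier.co",
    "jane.smith@yoursuplier.co.uk",
    "billing@acme-parts.com",
    "invoices@totally-new-vendor.example",
]


def triage(addresses: list[str]) -> dict[str, str]:
    """Map each address to its verdict so the lookalikes can be routed for a call-back."""
    return {addr: classify_sender(addr) for addr in addresses}


if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:9s} {addr}")
```

A 'lookalike' verdict is a prompt for the call-back check described later in the article, not proof of fraud; and because edit distance is coarse on short domain names, the threshold deserves a false-positive review against your real supplier list before it drives any automatic action.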

“Something that could make the email even more convincing is if they work out the correct firstname.surname format to send it from,” adds Durham. “They want it to be as near as possible to an actual communication that would be happening on a daily basis.”

Lots of suppliers, lots of tactics

“Fake invoice scams are a hard problem to solve because accounts teams often deal with a large number of suppliers,” says Pinto. “And there are such great variations in the tactics that the cybercriminals use, from a scattergun approach to highly targeted.”

The scammers, adds Durham, definitely have SMEs in their sights. “These scams are very easy to fall for,” he says, “and the criminals often do their homework. If they think that the most you’ll pay out before alarm bells start ringing is just £500, that’s what they’ll ask for.”

Unfortunately, he adds, fake invoice scams only exist because the cybercriminals know that the human element in a business is its weakest link. “It’s basically a reminder of how important it is to make sure your team is properly trained, newer members especially,” he says. “These people don’t yet have a strong relationship with suppliers and senior management, so they should be given clear guidance about how to operate from day one.”

Five top tips to help protect your business:

  1. Lean on tech. Pinto explains that there are now tech solutions designed to flag up communications that might not be what they appear to be: Red Sift’s OnDMARC, for example, protects domains from email impersonation while its OnINBOX is designed to spot fake invoices.
  2. Do your research. Is one of your suppliers advertising on its website that it does business with you? If so, says Durham, be extra alert when dealing with invoices from this business.
  3. Double-check. If there’s any doubt, says Pinto, give the sender of the email a call. “Just make sure you use a phone number that you know to be correct, not the one that’s on the potentially fake invoice,” he says.
  4. Try different comms channels. To reduce the chances of your email system being compromised, Durham recommends using Google Hangouts or Microsoft Teams for internal comms as much as possible. It’s likely to raise a red flag if someone suddenly receives an email – especially one with a link – from a ‘colleague’.
  5. Close down the lookalikes. If you own a co.uk domain name, it can be a good idea to snap up the .com, .net and other variants, but – as Pinto points out – you’ll never close down all the gaps, especially when it comes to lookalike domain names.

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of the NatWest Group Economics Department, as of this date and are subject to change without notice.
