This article was originally published on 27 November 2020. The article was republished on 8 February 2024.

With forces such as high inflation and the cost-of-living squeeze rocking the economy, it’s crucial to protect the money you’ve worked so hard to accumulate. UK Finance reported that in 2023 70% (£34.5m) of invoice scam losses occurred on a non-personal or business account – that’s an average of £23,500 for each case.

Invoice fraud is not a new type of threat, but it’s certainly a favourite with criminals, says John Allcock, Strategic Fraud Analyst at the bank. 

What is invoice fraud or invoice redirection ? Typically, it’s when criminals pretend to be a known supplier or client who sends a bogus communication with a request to update their payment details. It could be an email that looks like it’s from an actual supplier, perhaps with the excuse that they‘ve moved to a different bank. If you use these new details to pay, then that money will go straight to the fraudster rather than your supplier.

“It usually involves the supplier’s email system being hacked so it looks as though it comes from the supplier itself. Or sometimes businesses receive a spoof email where it has a couple of different digits,” says John.

In other words, you might be expecting an email from accounts@yoursupplier.co.uk, but would you necessarily notice the difference if it was missing the .uk – for instance, accounts@yoursupplier.co – or contained a misspelling, such as accounts@yoursupplier.co.uk?

Cybercriminals are all too aware that the people working in a business can be its weakest link if training and processes aren’t reinforced regularly. John points out that, historically, customers have been advised to do a call back to make sure they’re speaking to the right person or company but this might not be straightforward if:

• Customers have a huge number of suppliers and simply can’t contact everyone.
• There’s a time difference for those businesses based abroad.

“Too often that part of the process doesn’t get done. It might be that the customers have a process in place but they didn’t do the call back, or, they simply don’t have a process in place,” explains John.

Establishing a system can help people follow the correct procedure. “In one case, the employee who received the invoice tried to call but when they couldn’t get in touch they resorted to an email, which of course doesn’t work if the supplier’s email has been hacked.”

John also points out that this scam has evolved to include internal authorisation. “This is where the supplier’s been hacked or spoofed and the fraudster sends an invoice to the customer with a cc to someone in senior management within that same company.” They then follow up with a fake email giving authorisation to make the payment.

So how can businesses stay vigilant against scams?

Be aware that some information is in the public domain

It can be easy to gather information about a company’s staff or who they work with. Most of us have our job titles listed on social media channels like LinkedIn, which can be rich pickings for hackers determining who works where. “A construction firm’s website may say they work for a particular company, so fraudsters will use that. Scaffolding might be up with their name all over it, so that’s another way,” says John.

“You might think it’s enough to have a call back system in place but it’s worth taking your security a step further and talking about what is actually discussed in that call back,” he says.

A real-life example: When Confirmation of Payee isn’t enough

One customer who carried out the bank’s Confirmation of Payee name-checking service on a change of details request for a regular supplier found it was “unable to match”, reveals John. So, they then called the supplier and told them about the mismatch. Unfortunately, the supplier didn’t question it, so they sent another email to the customer with the account details.

“The problem was the fraudster had hacked the email system, so when the supplier sent it, the fraudster stopped it, altered it and sent it on to my customer,” he explains.

Again, the name check came up – and this time, the bank flagged it as being suspicious and called the customer to check. “Sadly, because the customer had spoken to the supplier, they assured us it was genuine. They told the bank to release the payment and so they were scammed.”

Five top tips to help protect your business

1. Train your employees: Put a security system in place around changing bank account or contact details for any suppliers. Increase staff awareness so they’re confident about the process and fully aware they can raise concerns. You can use our webinars and resources to help.
2. Check the details: Don’t use contact details within an email or any other new communication; refer to the company’s official website or other trusted channels.
3. Carry out a quality call back: Once you’ve made contact with the supplier, ensure you ask the right questions.  
4. Follow up after making a payment: Confirm with the genuine recipient that it’s been received.
5. Strengthen passwords: make access to email accounts more challenging by updating passwords. Try using three random words with certain letters replaced with numbers or symbols. Our feature on summer scams talks more about business email compromise attacks.