Invoicing and payments fraud can take a variety of forms: invoices from fictitious companies, invoices for products that were never delivered, invoices for unusually high amounts, or invoices sent as part of a phishing scheme. As your business grows and your vendor list gets larger, how do you stay on top of the validity of each invoice? Below are some common invoice fraud schemes and how you can prevent them.
Imagine you’re an accountant and you receive an email from your CEO with a request for an urgent payment. He or she is finalizing the acquisition of another company and needs you to wire money immediately in order to close the deal. You receive a follow-up phone call from a third party with the wiring instructions and authorize the payment as instructed. Only later do you find out that the email wasn’t really from the CEO and that both the email and the phone call were part of an orchestrated scam.
This type of fraud, known as “business email compromise,” “CEO fraud,” or “CEO impersonation,” was responsible for over $675 million in losses last year alone, according to the 2017 FBI Internet Crime Report. Using a spoofed email address (a common method for phishing schemes), fraudsters specifically target individuals responsible for wire transfers or invoices within an organization and solicit payments from them. They thoroughly research a company’s recent activity and target companies that conduct a lot of foreign transactions via wire transfer, since those payments are difficult to reverse. The authority of the sender, the urgency of the request, and the spoofed email address create a very convincing hoax.
Fraudsters may impersonate trusted vendors as well. Similar to CEO impersonation, this type of fraud happens when someone impersonates a vendor you already conduct business with. Using a spoofed email, they may send notice that they’ve recently changed addresses or ACH routing information, along with a fake invoice. Fraudsters specifically target an employee within accounts payable, hoping that the payment will go through long before anyone questions its validity.
Awareness is key to preventing CEO and vendor impersonation fraud in your organization. If you receive an email that seems suspicious, pay attention to its tone: Does it sound like something your CEO would send to you? Is it their usual tone, or is it overly formal? Another thing to consider: Is it unusual for you to receive a wire transfer or urgent payment request from your CEO or this particular vendor? If you’re unsure, just ask, especially for large amounts.
The creation of a shell company is one of the easiest ways for an employee to perpetrate an invoicing fraud scheme. A shell company exists only on paper, provides no services, and produces nothing. This type of fraud is often an inside job: the employee might set up the entity in a friend’s or relative’s name, then invoice their employer and collect the payments. Typically, the employee will have information on the way invoices are processed (or may even be the one paying them), so they know exactly what threshold to stay under to avoid further approvals, potentially remaining undetected for years.
Shell companies can be difficult to distinguish from real companies, but there are a few red flags. Be wary of invoices that have vague or unspecified services; this doesn’t necessarily indicate fraud, but services never rendered are a lot harder to detect than products never delivered. Are the invoices you receive numbered in sequential order? This may be because the vendor has no other customers and you’re the only one receiving invoices. If you suspect a fake invoice from a shell company, keep an eye out for other red flags such as typos and grammatical errors. If the invoice is from a vendor you don’t recognize, be cautious. Look closely at the address, tax ID number, and phone numbers; one of these might match one of your employees.
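The red flags above can be checked automatically against accounts-payable records. The following sketch is an added example, not part of the original article: it flags vendors whose invoices are numbered consecutively, whose amounts cluster just under the approval threshold, or whose contact details match an employee. The field names, the 5,000 approval limit, the 10% "just under" band, and all sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

APPROVAL_LIMIT = 5000.00  # assumed: invoices at or above this need a second approver
NEAR_LIMIT = 0.90         # assumed: "just under" means within 10% below the limit

# Constructed sample data, not from any real company.
INVOICES = [
    {"vendor": "Northwind Supply", "number": "8841", "amount": 1250.00},
    {"vendor": "Northwind Supply", "number": "8907", "amount": 310.40},
    {"vendor": "Northwind Supply", "number": "9012", "amount": 7800.00},
    {"vendor": "Apex Consulting LLC", "number": "INV-0101", "amount": 4950.00},
    {"vendor": "Apex Consulting LLC", "number": "INV-0102", "amount": 4875.00},
    {"vendor": "Apex Consulting LLC", "number": "INV-0103", "amount": 4990.00},
    {"vendor": "Apex Consulting LLC", "number": "INV-0104", "amount": 4900.00},
]
VENDORS = {
    "Northwind Supply": {"address": "400 Harbor Rd, Suite 12", "phone": "555-0100"},
    "Apex Consulting LLC": {"address": "17 Maple Ct.", "phone": "555-0142"},
}
EMPLOYEES = [{"name": "J. Doe", "address": "17 maple ct", "phone": "555-0199"}]

def norm(value):
    """Lower-case and drop punctuation/spaces so formatting differences don't hide a match."""
    return re.sub(r"[^a-z0-9]", "", value.lower())

def red_flags(invoices, vendors, employees, limit=APPROVAL_LIMIT):
    """Return {vendor: [reasons]} for vendors showing the shell-company red flags."""
    by_vendor = defaultdict(list)
    for inv in invoices:
        by_vendor[inv["vendor"]].append(inv)
    staff = {norm(e[f]): e["name"] for e in employees for f in ("address", "phone")}
    flags = {}
    for vendor, invs in by_vendor.items():
        found = []
        # Consecutive numbers suggest this customer is the vendor's only one.
        nums = sorted(int(d) for d in (re.sub(r"\D", "", i["number"]) for i in invs) if d)
        if len(nums) >= 3 and all(b - a == 1 for a, b in zip(nums, nums[1:])):
            found.append("sequential invoice numbers")
        # Most invoices sitting just below the limit suggests threshold avoidance.
        near = [i for i in invs if NEAR_LIMIT * limit <= i["amount"] < limit]
        if len(near) >= 3 and 2 * len(near) > len(invs):
            found.append("amounts just under approval limit")
        for field in ("address", "phone"):
            owner = staff.get(norm(vendors.get(vendor, {}).get(field, "")))
            if owner:
                found.append(f"vendor {field} matches employee {owner}")
        if found:
            flags[vendor] = found
    return flags

if __name__ == "__main__":
    for vendor, found in red_flags(INVOICES, VENDORS, EMPLOYEES).items():
        print(vendor, "->", "; ".join(found))
```

A hit is a reason to review the vendor, not proof of fraud; legitimate small vendors can also issue consecutive invoice numbers.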