It’s not just consumers who are getting tricked into shelling out money to cybercriminals — middle market businesses on average are losing almost $300,000 annually to invoice fraud, according to a recent survey by Saas firm Medius and Censuswide.
“Invoice fraud is something that’s happening all the time but people don’t talk about it because it’s embarrassing, it hurts their brands and it hurts their supplier relationships,” Branden Jenkins, chief operating officer at Sweden-based Medius, said in an interview. “It is a rampant problem.”
It’s a crime that hits all-sized companies. In 2019 a Lithuanian man pleaded guilty to U.S. charges of helping defraud the company now known as Meta and Alphabet’s Google out of more than $100 million by posing as a hardware vendor and claiming the company owed them money in what is sometimes known as a “business email compromise,” according to a March 20, 2019 Reuters report.
Many finance executives aren’t clear of the extent of the problem, according to the Medius survey of 2,750 finance executives in North America, Europe and Asia. The study found that one in four or 25% of finance executives surveyed were unable to estimate how much invoice fraud was costing their businesses, even though last year the study found that on average, finance teams spotted 12 cases of this kind of fraud.
As businesses and their finance teams move increasingly to digital payments rather than paper invoices there is a modern twist to the scams these days. While there are a combination of schemes by which businesses can be defrauded in the invoice process, Jenkins said some of the most common ones to guard against are:
- Illegitimate vendors: “What ends up happening is vendors that are not legitimate will get into your system and submit invoices that are a low enough dollar amount and just get approved,” Jenkins said. “It’s a volume game —they’re not big enough to trigger approvals.” This is one of the top scams, Jenkins said. It comes when the businesses do not have a process in place to properly vet and set up a vendor. Such a system would make sure there are multiple people within the company ensuring vendors are on the payable vendor list as well as using third-parties to verify that they are legitimate companies, he said.
- Invoice spoofing/fake invoices: This typically entails invoices that come in from a valid vendor, but there will be a slight change to remittance information such as a different address, ACH routing number or email address, Jenkins said. “Just enough is changed so when you get the invoice you say, ‘oh yeah, that’s a valid vendor, we’re paying it, it says here to update the banking information, no problem,’ and then that money is diverted to a fraudulent account,” Jenkins said. Capture technology and other solutions can often catch this, but when companies are getting hundreds of invoices a day they may not catch it, Jenkins said. This kind of fraud can be perpetrated by someone on the vendor side, someone on the paying company’s side who knows they get the invoices and changes the bank account information, or there can be bad actors from the so-called dark web that capture that information, he said.
- Intercepting mailed checks: Some 40% or so of companies are still mailing checks in the U.S. Checks get intercepted all the time; fraudsters will edit and change the name, digitally capture the check, change the pay-to information and then deposit it in their account, Jenkins said. “The fact is businesses aren’t reconciling,” he said “They’re not looking at every single check to make sure it’s a positive pay so that’s another way we get to this $300,000 a year [of invoice fraud] for businesses.”
Medius provides accounts payable management software that automates the invoice process. But even with technology that smooths the payments process and helps catch scams, Jenkins said CFOs and finance teams need to remain vigilant when it comes to invoice fraud.
“If you don’t constantly monitor it you can’t mitigate risk,” he said. It requires “ongoing improvements and health checks,” he said.