Invoice Redirection Fraud: how it happens, and how to avoid it

Sun, 16 Aug 2020  

As digital transformation specialists, Capability Wise understand the pitfalls businesses experience with traditional invoicing methods. Through continuing to employ conventional billing systems organisations may be putting themselves and their suppliers at unnecessary risk, as cybercriminals become more sophisticated and attempts at fraud become more difficult to detect.

Part of a larger cybercrime called Business Email Compromise (BEC) which cost Australians over $132 million in 2019, invoice redirection fraud is one of the most common strategies cybercriminals use to take advantage of businesses today. Impersonating a business or supplier, cybercriminals access emails, intercept invoices or change bank account details in order to redirect the payment, leaving the invoice outstanding and the supplier unpaid.

Raised Image

Understanding the size of this problem, relevant statutory bodies and consumer watchdogs have sought to bring BEC into the spotlight, to deter scammers and educate businesses and suppliers on how to avoid falling prey to invoice redirection fraud. For example, the ACCC have developed ScamWatch, a comprehensive website that provides advice for businesses to avoid being scammed, including a checklist of issues to keep watch for in relation to fraudulent invoices. While thorough, the advice is detailed and lengthy, and it is easy to see how a time poor finance officer or small business with a variety of people paying invoices might overlook one or more of these issues, inadvertently costing their business thousands of dollars or more.

Despite the increased awareness of cybercrime, organisations, both large and small continue to be fooled. In November 2019, two Sydney women were charged over their alleged involvement in a $500,000 invoice redirection scam, with the women who claimed to be from a Sydney-based university, requesting payment of $322,000 then $186,000 through altered invoices and fraudulent emails from an unnamed business.

Business email compromise scams are so lucrative, that many perpetrators continue to operate even following prosecution. With revenue far exceeding the cost of court fines over time, cybercriminals often view these as one of the costs of doing business. One notable example is the long running false billing scam in the travel and tourism industry which saw business owners receiving a renewal invoice via post or email for advertising on websites. While the advertisements did exist on the websites stated, they were never ordered or authorised by most of the business owners.

Finally, in 2014, after many years of the fraudulent activity, the perpetrator was fined close to $20,000 with convictions recorded. Not to be deterred, the fraudulent activity continued, and the offender was fined and convicted again in 2017 and 2019, the latter resulting in an injunction that, if breached, may end in jailtime.

It seems too, that government agencies are not immune to the sophisticated social engineering techniques employed by cybercriminals, with the Brisbane City Council falling victim to a $450,000 invoice fraud scam in 2016. Founded in open source intelligence gathering, it is believed the multi-tiered scam relied initially on researching current work and recently supplied services, secondly, persuading public officials to change banking details for seemingly legitimate reasons and lastly supplying a convincing invoice for payment. It is understood that over $450,000 intended to go to a legitimate provider had been paid into a scam account, with officials only becoming aware of the scam when the service provider made contact to advise their payment had not been received.

The reasons a business may fall prey to a BEC scam are varied, depending on individual circumstances. In many instances, the scams target time-poor small to medium businesses whose staffing resources are not able to extend beyond the function of paying an invoice. Without the capacity to investigate the integrity of each invoice received, businesses are at increased risk of being scammed. Staff turnover, insufficient education and training and a lack of rigour around policy, processes and procedures all weaken businesses defences to the sophisticated tactics employed by cybercriminals.

Raised Image

While the advice provided by industry experts such as ScamWatch can assist in reducing the likelihood of being impacted by a cybercrime, the best way to protect your business from invoice redirection fraud is by transitioning to e-invoicing.

With the obvious benefits of increased efficiency, shorter pay cycles and reduced costs, e-invoicing provides the added security of enhanced compliance and prevents fraud by maintaining control through authorisations, validation and authenticity.

Considering the growing risks businesses today face in relation to cybercrime, both organisations and suppliers need to be able to rely on the integrity of billing processes. Transitioning to e-invoicing is the best way to build and maintain this trust, benefiting your business now and into the future.

Tags: Invoice Fraud e-invoicing

Similar Stories


Best Practices: Invoice Verification & Matching

When it comes to paying accounts, sloppy processes can impact on your bottom line – increasing your risk of errors and exposure to invoice fraud, eroding the trust of reliable suppliers and costing your business time and money... Read More


Best Practices: The importance of supplier onboarding

First Impressions Last! The first step in developing a lasting relationship with your suppliers is through efficient onboarding. A supplier who experiences a professional introduction to your company is left confident in... Read More


Getting started with electronic invoicing (e-invoicing)

We often get asked by a government and corporate customers, 'Where do I start with e-invoicing..?', 'When do I need to be ready for e-invoicing..?', or 'What do I tell me suppliers..?' Read More