“The money’s the same, whether you earn it or scam it.” Bobby Heenan
Invoices can be a costly matter and not always in the usual sense.
Cybercriminals believe that you would have a hard time spotting fake bills, which is why they’re increasingly using them as part of their cyberattack repertoire.
Let’s look at the following example of how a scammer duped a woman into paying over $75,000.
One customer in Perth was reportedly sent an email by Tesla with an invoice for around $75,000 to purchase a Tesla Model 3.
That invoice was then intercepted by hackers, and the bank details changed.
The customer unknowingly paid the money to a fraudulent bank account listed on the invoice. The same happened to another customer in Sydney in December 2020.
Tesla customers are not the only victims. Invoice scamming is becoming more common.
Here is an example of how Google and Facebook were milked out of $100 million in fake invoices.
A Lithuanian man and his associates found a bold way to steal from Facebook and Google: they asked for money via email.
More specifically, they sent fraudulent invoices to the California-based tech giants.
The invoices were good enough to persuade Google, which Alphabet owns, and Facebook to wire a total of more than $100 million to them from 2013 to 2015.
Cybercriminals understand the power of “brands” and will take advantage of well-known vendors since they provide credibility, authority and trustworthiness.
For example, many Apple users received fake iTunes bills for purchases they didn’t make.
Cybercriminals duplicated an authentic Apple email and placed their company’s logo on the invoice, making it difficult to determine whether it was legitimate or fake.
These scams are often so successful because they feature common items.
Products such as computer supplies are mentioned on the bill, a product so ubiquitous in many people’s budgets that it causes the recipient to automatically proceed with the payment.
Also, fraudsters conduct thorough research to make sure they’re sending the fake invoice to the right person, that is, someone who has the authority to pay but who’s unlikely to verify the purchases.
How Do These Attacks Work?
Many versions of the invoice scam have been reported, but the general con remains the same.
Cybercriminals attempt to find contracts and names of suppliers providing goods to a particular company.
They impersonate a legitimate supplier and send bills to subordinate personnel.
They try to solidify their efforts by sending fake letters that claim to come from the actual supplier’s designated bank.
Fake invoice scams take advantage of the fact that the average email user or someone handling administrative tasks for a business may not know whether any product or service has been purchased.
Strapped for time, recipients either make a quick decision on payment or delegate the duty of cutting checks to a lower-level employee who doesn’t have the means to cross-check with the vendor.
Perhaps the most intimidating is an invoice from a local, state/provincial or federal government agency for some kind of local fee, tax, or other official assessment required to stay in compliance with the law.
These are sometimes stamped “Past Due” or are accompanied by threatening phone calls.
How To Spot A Fake Invoice Scam?
How do you know if the invoice is legitimate or fake? Here are some red flags:
Urgency – Have you ever received an invoice where you weren’t given a lot of time to make payment? Fraudsters are masters at creating an emotional reaction to try to get you to act. Most people want to do good work and fix problems quickly. These are great qualities to have, but they can easily be exploited. If you are in a hurry, you are more likely to make a mistake or miss the scam. This is what cybercriminals are hoping for.
Threat – Another form of urgency is a threatening invoice that looks like it comes from an authorised institution such as the Government, the Police, the Tax department, legal company, debt collectors, health organisations, financial institutions and others.
Similarity – You may get an invoice with an email address that is very close to your actual supplier’s address but with a few symbols or letters changed (for example, @app1e.com rather than @apple.com).
Confusion – Fake invoice scams often fail to clearly state what the bill is for.
Verification details – To prevent verification, phishers exclude contact information or claim that they have limited phone coverage.
Company details – Another red flag is the incorporation date of the company. If the company was recently established and those running it say they had issues with previous business operations, there’s a good chance that the invoice they sent is fake.
Communication – Scammers will use all of their communication vectors to target victims – email, websites, phone, and text messages will try to coerce and trick you into doing something that you shouldn’t do.
How To Protect Yourself From Online Shopping Scams?
There are several ways you can avoid becoming a victim of fake invoice schemes. The next time someone sends you a bill, make sure to take the following measures.
Create effective communication channels so payment requests can be verified. For example, ensure personnel can confirm any invoice with the issuing company using contact data (email, phone number, etc.) that was recorded in a CRM beforehand, rather than the contact details printed on the invoice itself.
If the invoice is relatively large, then reach out to the vendor and confirm the invoice and bank account details are correct.
Review every email address carefully, especially those dealing with invoice-related matters.
Keep an eye out for frequent billing reminders. Fraudsters will send more reminders than a legitimate vendor.
Prevent invoice build-up to make it easy for authorised approvers to spot discrepancies. If the person in charge of payments has to clear 200 invoices instead of 20, the authorisation will likely be done in a rush. Try your best to clear the backlog so your employees can spend more time determining whether a bill is authentic or fake.
If the sender claims that the bank details have changed, verify using alternative communication. For example, if the sender sends you an email, then use the phone to confirm.
If the sender claims that there has been a change in business practice, check how previous invoices were issued. Were previous bills posted via regular mail while this one is emailed? Were previous payments done via credit card, but now they want you to make a bank transfer?
Don’t be pressured into clearing payment. Adversaries may try to inject FOMO (fear of missing out), for instance, by saying you won’t get a discount or free shipping. Genuine suppliers will understand that it can take a while for a company to clear an invoice.
Consider combining employee IT training with phishing simulation programs where you teach staff how to identify and prevent fake invoice schemes.
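The lookalike-address red flag (the @app1e.com example above) and the rule to treat any “our bank details have changed” message as a trigger for out-of-band verification can both be turned into a simple triage check for incoming invoice emails. The script below is an added example written for this article, not a tool from any vendor named in it; the vendor allow-list and the sample messages are constructed.

```python
"""Flag invoice e-mails whose sender domain is a lookalike of a trusted vendor
and whose body announces new bank details. Constructed example for this article."""
import re

# Constructed allow-list: vendor domains the finance team has verified out of band.
TRUSTED_VENDOR_DOMAINS = {"apple.com", "tesla.com", "example-supplier.com"}

# Characters scammers swap in for look-alike letters (the article's @app1e.com case).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str):
    """Return ('trusted' | 'lookalike' | 'unknown', matched vendor domain or None)."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_VENDOR_DOMAINS:
        return "trusted", domain
    normalized = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    for vendor in TRUSTED_VENDOR_DOMAINS:
        # A homoglyph-normalized match or a near-miss (<= 2 edits) of a real vendor.
        if normalized == vendor or edit_distance(domain, vendor) <= 2:
            return "lookalike", vendor
    return "unknown", None

# Phrasing that signals a change of payment destination (adjust wording per region).
BANK_CHANGE = re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|iban|bsb)\b", re.I | re.S)

def triage_invoice(sender: str, body: str) -> list:
    """Collect red flags that should route the invoice to manual, out-of-band verification."""
    flags = []
    verdict, vendor = classify_sender(sender)
    if verdict == "lookalike":
        flags.append(f"sender domain resembles trusted vendor {vendor}")
    elif verdict == "unknown":
        flags.append("sender domain not in vendor allow-list")
    if BANK_CHANGE.search(body):
        flags.append("message announces new bank details: confirm by phone before paying")
    return flags

if __name__ == "__main__":
    # Constructed sample modelled on the Tesla case described above.
    print(triage_invoice("billing@tes1a.com", "Please note our updated bank account details."))
```

The distance threshold of 2 is deliberately loose for short domains, so treat a “lookalike” verdict as a prompt to pick up the phone, not as proof of fraud.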
Unfortunately, what is clear is that such scams will continue to happen if businesses send invoices via email with bank account details.
Invoices should be carefully analysed before they’re cleared or approved for payment.
An oversight on your part may result in you losing your hard-earned money or damaging the reputation of your company.
Fortunately, fake invoices can be avoided if you take some proactive measures such as reviewing invoice details carefully, checking the issuer’s history, and providing robust training.