Invoice fraud is costing business millions of pounds every year, and although it’s not a new problem, the situation is getting worse. The fraudsters are targeting businesses because they realise they can get more money from a business than a personal bank account.
They have learned 3 things:
1.) People are the weak link in any system as they make mistakes;
2.) Companies payment systems and controls are not as robust as they could be;
3.) Businesses have taken data security more seriously in recent years forcing fraudsters to go back to the old ways of a basic scam, and attack the lack of controls in finance departments.
The most damaging attack for a company is paying duplicate invoices. Fraudsters will target a company posing as an existing customer and send a request for them to change their bank details. They will send an invoice in that has already been paid and hope it gets paid again to the new account.
Once an invoice has been paid again there is little chance of getting the money back, but it’s not just the cash implications that cause damage to a company. They may well fall foul of an HMRC inspection as the businesses would have reclaimed VAT on a fraudulent invoice and would be at risk of penalties, interest and possible fraud investigations. Such an investigation would ask “did the company do as much as they could to prevent the fraudulent transaction” and quite clearly they didn’t or it wouldn’t have happened.
You may well think “no-one in our finance department is that stupid” but fraudsters are clever, they build relationships with people in the accounts department, gain their trust then when they think their defences are down, they pounce. With a huge number of invoices being processed and an overworked finance team, a duplicate payment could slip through unnoticed. But it doesn’t stop there. If a fraudster gets away with it once, they’ll keep exploiting that weakness until they get found out which could be several duplicate payments down the line.
1.) put in place robust controls and procedures and test them regularly to ensure they are still working and suitable;
2.) make all finance staff aware of the potential for fraud and how it may present itself to them, particularly duplicate payments;
3.) if suspicious looking invoicing requests are received, inform all relevant staff particularly sales teams who are out in the field and customer facing;
4.) inform the customer and warn them of the potential fraud;
5.) upon receipt of a bank change request from an existing customer, ring them and confirm the request is valid to ensure you “keep your records up to date and to ensure prompt payment”;
6.) if you get repeated requests inform the local police.
Paying duplicate invoices can be as damaging to a business as fraudulent new invoices being raised, because it is usually existing customer accounts that are targeted with whom the business has a trusted relationship. Develop a culture in the finance department that constantly looks for unusual request, so if something doesn’t look right staff can feel comfortable going to their boss and say “this doesn’t look right”, without being made to feel incompetent or a trouble maker.