Invoice Redirection Fraud: How to avoid being scammed

There’s been an increase in cyber-criminals impersonating businesses and suppliers, accessing emails, intercepting invoices, changing bank account details and taking payment.

The losses being experienced by businesses are significant – they range in value but are generally high value transfers that are being targeted by the fraudsters.   Recently, we’ve seen reports of the re-direction of $500,000, which was to be transferred to a conveyancer to facilitate the purchase of a property; approx. $200,000, which disappeared overseas when it was supposed to pay a supplier of fencing products; and $65,000 which was diverted into a new bank account when it was supposed to be transferred by a car dealership to pay a supplier.  All of these were transferred to scammers by persons who thought they were paying a legitimate invoice

What is Invoice Redirection Fraud?

Invoice redirection or ‘middle man’ fraud is a subset of the larger crime called business email compromise.  It involves hackers impersonating a business to trick a person into transferring money or sensitive information.   It’s done in a number of ways, such as by gaining remote access to an email account (through malware) or using an email address that looks legitimate and similar to a trusted business email address.

The hacker either intercepts a conversation between a payer and payee and re-directs the payment to a different account, or the hacker instigates contact with the payee and provides new account details, either within the body of an email or by changing the payment details on an otherwise legitimate invoice. It’s super sneaky and dodgy!

How to prevent business email compromise?

It is important to review invoices carefully each time you receive one, and watch out for:  

  • The email address used to send the invoice or communication – does it match the corporate website?
  • Alterations on invoices including low quality graphics, or different fonts in the same document.
  • Spelling and grammatical errors.
  • Unusual amounts or vague or strange descriptions of products and services.
  • Different bank account details or ‘how to pay’ information from previous invoices.

If you are paying money into a bank account that you haven’t used before, call the payee or the Company on its main switchboard number to confirm the details.

How to eliminate hackers of your payments

  • Enable two factor authentication on your email, accounting and other systems.
  • Monitor your network and accounts for any suspicious activity.
  • Educate your staff and customers to be aware of hackers, scams and criminal activity that could affect your business.
  • Set up a PayID using your ABN or a business email address and use these details on your invoices

Key Takeaways

  • Be vigilant in all communications regarding the payment of money – either to or by your business.
  • It can happen to you – anyone who transfers or receives money is at risk!
  • Be clear with your customers as to your bank account details and the invoice payment process.
  • Store the bank details of your suppliers in your internet banking payee list or in your accounting software, rather than entering in the banking details each time you pay an invoice.
  • Set up a process that must be followed when you receive a request to update the bank details you have on file.
  • Define roles in your organisation – specify who is allowed to change payment details.
  • Where possible use a business’s PayID and ensure it is linked to the correct PayID holder.
  • Verify any requests to change bank account details by phone using a pre-existing and known phone number or the Company’s switchboard – do not rely on any contact details on an invoice.

If you’ve been the subject of a business email compromise or invoice redirection, give our business lawyers a call.  We can help you work out your legal rights.