How to protect your business against invoice fraud

07/02/2023

You’ve probably received one: an email which lands in your inbox informing you of a change to a supplier’s bank details. It appears to be genuine, but do you know for sure?

If it isn’t, that single email could cost your business thousands of pounds – and, by the time someone realises, the money could be gone forever.

To the untrained eye, invoice fraud and invoice redirection scams can be incredibly convincing – so much so that a UK Finance report from last year revealed invoice fraud totalled £56.7 million in 2021, with an average loss of over £14,000.

The risk is heightened further when we’re so busy trying to juggle our day-to-day tasks. It can be easy to forward a fraudulent invoice internally, which the recipient may construe as an instruction to process for payment without due care.

In this article we explore what invoice fraud looks like in 2023, and how you can protect your business against it.

What is invoice fraud?

Invoice fraud and scams come in a number of guises, but each one has the intention of tricking you or an individual in your business into paying a lot of money to someone you’ve never dealt with.

They typically involve criminals contacting a business by email or telephone, posing as a regular supplier, to request that their bank account details are changed. It may be that an invoice is sent with new bank details on. The business is then tricked into sending money to an account controlled by the fraudster rather than the genuine supplier.

In the past the biggest threat came from fraudsters sending a fake invoice across in the hope it would get processed for payment. While this still happens, it is usually relatively straightforward to spot. Today, the people behind invoice fraud are increasingly sophisticated, and are often able to gain information that makes their approaches even more convincing, for instance the date payment is usually made to suppliers.

While you yourself might understand the dangers and signs something’s not quite right, it’s important each employee is aware of the risks and steps to take to identify potential fraudsters – and that there are suitable processes in place to protect your business.

How to protect your business from invoice fraud

1. Verify changes in bank account information

Whenever you are notified of a change to a supplier’s bank account details, always confirm this directly with your supplier. Do this by telephone on the number you hold for them, or failing that the number from their website or past official documentation. But never reply to, call a number on or click through on the email you’ve received notifying you of the change in details, as you’ll typically reach the fraudster or be directed to a website they have created.

Should you be contacted by telephone, call your supplier back on the number you have for them (not the one they just called on, unless it’s a match) to confirm it was them.

Regardless of a change of bank account details, whenever you receive an invoice it is good practice to always confirm any bank account details directly with the supplier by telephone.

2. Scrutinise the email

The email you’ve received may also provide some tell-tale signs that something’s not right. First, look at the sender’s email address (not the display alias). Just like with phishing emails, the sender address may closely resemble but not match your supplier’s email convention or domain.

Similarly, if you hover over (but don’t click) any weblinks contained in the email, you’ll be able to see the URL that link is directing you to. Again, this may reveal the domain is different to your supplier’s website. Be mindful, however, that some fraudsters will include genuine links to your supplier’s website to make the email appear even more convincing, so even where this all looks correct it shouldn’t be confirmation the email is bonafide.

3. Always check if suppliers are legitimate

Whenever you source a new supplier, it is essential to verify who you are doing business with – just as you should when accepting orders from new customers. There are a number of precautions businesses can take to assess whether their suppliers are legitimate, including checking they’re registered at Companies House, verifying endorsements and scrutinising their website.

Remember, though, it’s not always sufficient to check this information once. Sometimes fraudsters rely on your familiarity with invoices, and small changes such as an email address that now ends in .org instead of .com will often go unnoticed. Again, checking this information each time you process an invoice can highlight suspicious activity at an early stage.

4. Train employees to spot fraud

Fraudsters find clever ways to con businesses and their staff. By educating your employees on the different types of invoicing scams and indicators of fraud, you can help to protect your business. Key things to look out for include:

• A blurry logo – often a result of fraudsters scanning legitimate letterheads
• A change in account numbers – does the font styling match the rest of the invoice?
• A change in contact information – encourage employees to always verify contact details
• Round pound value invoices – invoices in even amounts should be an automatic red flag
• Duplicate invoices – have you already received/paid this invoice?

5. Pay suppliers electronically

Wherever possible, pay your suppliers by electronic transfer in order to utilise your bank’s Confirmation of Payee (CoP) service. This is a name checking service for UK based payments which provides greater assurance to customers (both personal and business) that they are sending payments to the intended recipient.

It works by checking the account number and sort code against the account holder’s name, and informing you whether it’s a match, close match or the information doesn’t match at all.

6. Put watertight processes in place

It’s important to implement company-wide policies and processes on how to act in certain situations to reduce the risk to your business. For example, invoices should only be approved and processed for payment on direct instruction by senior management.

Every invoice should also be checked for any of the red flags mentioned above; any change of bank account by a supplier should always be verified by a channel other than email, and you should report all suspicious activity to the bank in order to block transfers. These procedures should be explained to your staff and strictly adhered to at all times.

7. Utilise technology

When your business deals with paper documents it can be hard to spot inaccuracies or unusual activity because there is so much paperwork to sift through. By digitising your accounting system and invoicing process, you can reduce the risks to your business and easily check whether invoices have recently been paid to the same supplier, which could be a sign the latest invoice is fraudulent.

Another benefit of this is that all your supplier data will be stored electronically in one place. This will make it easier to regularly review supplier lists, make sure information is up to date and highlight any of the red flags mentioned above. By doing this you can minimise duplicate suppliers, limit payment errors and ultimately save your business countless headaches and money.