Invoice Fraud and Business eMail Compromise – a major threat for 2020

By Dr Debbie Garside, Group Chief Innovation Scientist/CEO GeoLang, The Shearwater Group plc

“54% of businesses are worried about invoice fraud”

Business Fraud is costing organisations up to 10% of their expenditure.

According to the Annual Fraud Audit 2019, average losses per company range between 3% and 6%, with some as high as 10% of expenditure being attributed to fraud of some kind – overall an average rise from 4% to 7% in 2018.

Encompassing Phishing, Business eMail Compromise and Occupational Fraud, business fraud, as a whole, is on the rise - reportedly costing UK companies in excess of £130bn or 6.1% of UK PLC’s GDP.

There are many factors to consider in business fraud and we take a look at some of the most common risks, including Phishing, Business eMail Compromise and Occupational Fraud and what can be done to reduce the risk insofar as is possible.

Invoice fraud occurs when fake invoices are sent to targeted businesses in an attempt to extract money from companies with vulnerabilities in their accounts payable processes. External fraudsters target companies based on their size and location to narrow down which suppliers they may use regularly, such as office supplies and cleaning services.

Phony invoices on behalf of these suppliers are then created that look legitimate except for small discrepancies such as different addresses.

Armed with the knowledge that most Accounts Payable departments are always playing catch-up, phishing invoices are often sent with a sense of urgency such as ‘This Invoice is 90 days past due’.

To top it off, invoice fraudsters are refining their craft by making the amount of the invoice low enough that it won’t trigger suspicion. For example, if £1,000 or £5,000 is within the first approval level, it may be approved quite easily, thereby bypassing your accounting controls such as three-way matching.

Without a thorough investigation, these fake invoices can easily be paid. Large businesses with multiple departments and poor communication can easily be susceptible to substantial amounts of invoice fraud, whereas smaller companies tend to have less stringent accounts payable processes. By way of example, a Toyota subsidiary in Belgium reportedly lost $37m in a recent BEC attack, said to be the third time this year that a car manufacturing subsidiary has lost significant funds as a result of BEC.

Other types of invoice scams to look out for include duplicate invoices and inflated invoices. Fraudsters and dishonest companies often send multiple invoices that charge for services already paid for or raise the price on an invoice higher than that contractually agreed.

Invoice fraud can also occur when a company or organisation is tricked into changing bank account payee details for sizeable payments or even smaller regular payments - criminals posing as regular suppliers to the company or organisation make a formal request for bank account details to be changed.

Although a global problem, SMEs in the UK alone are reportedly losing more than £9bn, representing 4% of UK GDP, as a result of invoice fraud every year; as many as 47% of businesses have received a fraudulent or suspicious invoice in the past year, according to recent research by invoice platform Tungsten Network.

Fraudsters rely on the fact that people who work in finance are busy people and will exploit this in the hope that you won’t notice details that aren’t quite right. A fraudster may send a change of bank details request by post, email, or even by phone. They can also intercept genuine emails containing invoices and change the bank details or send an invoice including new bank details. Fraudsters will often have done their research – for instance having checked a supplier’s website and seen that you are one of the supplier’s clients – meaning the request won’t be completely unexpected.

Invoicing is still very much a manual process and people won’t get it right all the time. If a scammer gets a fraudulent invoice past your finance team once, they’ll chance their arm until you stop paying. It’s not unlike phishing in the sense that once a weak spot has been identified it will be exploited time and time again. What’s more, the rate of invoice fraud is accelerating. Over half of businesses (54 per cent in fact) view it as their single biggest threat – more so than losing a major contract, a member of staff, or competitor activities.

A big contributory factor is the format in which invoices arrive at a business. Nowadays, an invoice might be a paper document, a PDF scan of a hard copy or totally electronic. It could arrive via post, email or web portal, or be uploaded directly to an accounting system.

It could even be a confusing combination of options. As a result, there are multiple ways for criminals to corrupt an invoice or the invoice process and employees need to be ever vigilant.

Invoices arriving via email don’t always get sent to the employee with responsibility for finance. This means everyone in a business needs to be alert to the potential for fraud and understand their part in identifying something suspicious before forwarding it.

We have talked about the external threat actors and how they operate, but statistics show that Occupational Fraud is also a significant threat to small businesses. These organisations typically employ fewer anti-fraud controls than their larger counterparts, which increases their vulnerability to fraud. Many larger organisations have also fallen victim to such fraud, with one of the most common reasons for not reporting it being fear of bad publicity.

Last year London art galleries and dealers in the UK were targeted by an email scamming campaign that managed to defraud victims out of hundreds of thousands of pounds.

Hackers were able to scam art organisations and independent dealers by breaking into email accounts to monitor correspondence with their clients – ultimately syphoning off payments for artwork.

The scam involved hackers intercepting the PDF invoices sent to customers, which were then replaced with duplicate fraudulent invoices with instructions to send payments to a different bank account. Once the money was wired to their account, the hackers were then able to move the money to untraceable locations, thus avoiding detection.

It's thought at least nine galleries in London and the US have been scammed in this way, as well as London dealers.

According to an independent insurance company, the sums lost by art galleries or their clients ranged between £10,000 and £1 million.

One London gallery said it had been trying to secure stolen payments on behalf of a gallery client for the past 18 months, after criminals intercepted the invoice meant for a customer, and the customer paid the hacker. Another gallery admitted it had been scammed out of "hundreds of thousands of pounds".

While these are typically not the sort of organisations you would associate with cyber-attacks and hacking, the large sums often handled in a single transaction are proving to be a lucrative target for criminals, particularly as many of the targets rely solely on email communication.

Targeting art galleries in this way is quite unusual, in that social engineers typically impersonate CEOs or CFOs in order to move funds. Getting in the middle of potentially huge transactions that normally occur entirely over email is a great example of cyber fraudsters broadening their sights in a bid to take advantage of wherever a weak link lies.

These attacks, known as 'man-in-the-email' or Business Email Compromise (BEC), show us just how successful social engineering tactics can be at extorting money from victims. Part of the resolution to these attacks is available via multi-factor authentication solutions. The first defence is to be sceptical of urgent money transfer requests, especially from C-level executives, and verify those requests, either by phone or in person.

In this case scammers were infiltrating gallery business email accounts to identify when a sale had been made and to whom. Criminals wait until a PDF invoice has been sent to a client, then swoop in and send another email to the buyer telling them to disregard the previous email and invoice, and instead to pay their bill via wire transfer into the attacker’s account.

Enabling two-factor authentication - also known as two-step verification - on email accounts makes it harder for criminals to break in – but not impossible.

Occupational Contract Fraud
In the UK overall it is estimated that the NHS loses in excess of £1bn per year as a result of various types of fraud, with occupational and invoice fraud forming a significant part of this.

Typical examples of Occupational Fraud involve: Shell company schemes – where a fake entity is established by a dishonest employee to invoice the company for goods or services it does not receive. The employee converts the payment to his or her own benefit.

Pass-through schemes – an employee-owned shell company is created, which marks up goods and services that are then sold to the employer.

Pay-and-return schemes – an employee purposely creates an overpayment to a vendor and then embezzles the refund.

Personal-purchase schemes – an employee orders personal merchandise and charges it to the company, either keeping the merchandise or returning it for a cash refund.

False invoicing schemes can be thwarted by establishing good controls over the vendor-approval process. Segregation of duties ensures those involved in purchasing cannot approve vendors. Before approving a new vendor, its legitimacy should be evaluated by checking the vendor’s credit rating, contacting references, being cautious when a PO Box address is used or the name comprises just initials, and checking that a new business address does not match an employee’s home address. Once these checks are complete, a new vendor account should be closely monitored for increases in both the amounts and the frequency of invoicing. Observing variances from budgets or projections and comparing prices with those of competitor products and services is also advisable initially.
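The controls described above can be partly automated as a first-pass screen before an invoice reaches an approver. The routine below is an added illustration, not code from the article or from GeoLang; it flags an amount pitched just under the first approval level, an invoice number already paid, bank details that differ from those on file, and a new vendor whose address matches a staff home address. The approval limit, the vendor register, the staff address and the invoices are all constructed sample data.

```python
"""Accounts-payable screening for the invoice-fraud indicators described above:
duplicate invoices, changed bank details, amounts pitched just under the first
approval level, and new vendors registered at an employee's home address.
Limits, names, addresses and invoices are all constructed for illustration."""

APPROVAL_LIMIT = 5000.0   # assumed first-level sign-off limit, in GBP
NEAR_LIMIT_BAND = 0.10    # assumed: flag amounts within 10% below that limit

def normalise(addr):
    """Crude address normalisation so 'Flat 2, High St' matches 'flat 2 high st'."""
    return " ".join(addr.lower().replace(",", " ").split())

def screen_invoice(inv, vendors, employee_addresses):
    """Return the control failures for one invoice; an empty list means clean.

    inv: dict with vendor, number, amount, bank_account, address
    vendors: approved-vendor register keyed by name, holding the bank_account
             on file and the set of invoice numbers already paid
    employee_addresses: set of normalised staff home addresses (from HR)
    """
    flags = []
    vendor = vendors.get(inv["vendor"])
    if vendor is None:
        flags.append("unknown vendor: hold for vendor-approval process")
        if normalise(inv["address"]) in employee_addresses:
            flags.append("vendor address matches an employee home address")
        return flags
    if inv["number"] in vendor["paid"]:
        flags.append("invoice number already paid (duplicate)")
    if inv["bank_account"] != vendor["bank_account"]:
        flags.append("bank details differ from those on file: confirm by phone")
    if APPROVAL_LIMIT * (1 - NEAR_LIMIT_BAND) <= inv["amount"] < APPROVAL_LIMIT:
        flags.append("amount sits just below the first approval level")
    return flags

# Constructed sample data: one approved vendor, one staff address, three invoices.
VENDORS = {
    "Acme Cleaning Ltd": {"bank_account": "12-34-56 11111111", "paid": {"INV-1001"}},
}
EMPLOYEE_ADDRESSES = {normalise("Flat 2, 10 High Street, Leeds")}
INVOICES = [
    {"vendor": "Acme Cleaning Ltd", "number": "INV-1002", "amount": 4800.0,
     "bank_account": "65-43-21 99999999", "address": "Unit 4, Mill Road, Leeds"},
    {"vendor": "Acme Cleaning Ltd", "number": "INV-1001", "amount": 1250.0,
     "bank_account": "12-34-56 11111111", "address": "Unit 4, Mill Road, Leeds"},
    {"vendor": "Northern Office Supplies", "number": "A-77", "amount": 900.0,
     "bank_account": "00-00-00 22222222", "address": "flat 2 10 High Street Leeds"},
]

def screen_all(invoices=INVOICES, vendors=VENDORS, staff=EMPLOYEE_ADDRESSES):
    """Map each invoice number to its flags; non-empty entries go to manual review."""
    return {inv["number"]: screen_invoice(inv, vendors, staff) for inv in invoices}
```

Any flagged invoice should be held for a call-back to the supplier on a number already on file, never one printed on the invoice itself.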

Phishing also plays a significant part in invoice fraud where cybercriminals attempt to steal personal and financial information or infect computers and other devices with malware and viruses with a view to perpetrating a fraud.

Designed to trick you into clicking a link or providing personal or financial information, phishing most often takes the form of emails and websites but can also arrive by text message. It may appear to come from legitimate companies, organisations or known individuals, and may take advantage of topical news such as natural disasters, epidemics, health scares, political elections or other timely events.

Types of phishing include: Mass Phishing, intended to reach as many people as possible; Spear Phishing, directed at a specific individual using social engineering techniques; Whaling, where the hacker impersonates the CEO of a company requesting that an urgent payment is made, and also uses sources such as LinkedIn to ascertain when the CEO is out of town; and Clone Phishing, which involves spoofing a legitimate email from a forged email address.

Phishing attacks come in many guises. A notification from a help desk or system administrator, or an advertisement for a weight loss or fitness programme, can serve as a ploy to get you to click a link that will then infect your computer or mobile device with malware, viruses or even keyloggers, giving the attacker access to your passwords and bank accounts.

Phishing emails with attachments often appear to have come from a colleague, but the attachment contains malware or ransomware. Others purport to come from a credit card company asking for authorisation of a transaction; these scams collect your user name and password from fake sites as you try to log in. Fake accounts on social media sites mimic legitimate persons, businesses or organisations and link to online games, quizzes or surveys designed to collect information from an individual’s account for Spear Phishing purposes.

Hackers are becoming increasingly sophisticated and it is often very difficult to spot a phishing email. That’s when you need to think about the context and what the email is asking you to do.

Secure Web Sites – Are they really secure?
The security landscape is ever-changing and this is why ongoing employee training is so important. For instance, you could be forgiven for thinking that a web site with a green padlock is safe. The reality is that the padlock no longer means what most people think it means. The green padlock indicates that a site uses HTTPS (Hyper Text Transfer Protocol Secure), the secure version of HTTP, the protocol over which data is sent between your browser and the website you are connecting to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. That’s good, right? Well, yes and no. Yes, if the web site is the web site you think it is; no, if the web site has been set up by a hacker.

Nowadays additional certificate types have been established. The highest level, known as an Extended Validation (EV) SSL Certificate, displays the name of the organisation as well as the country code next to the padlock and before the actual domain name. The EV SSL certificate significantly differentiates the site from others that rely purely on HTTPS.

An EV SSL Certificate is the highest form of SSL Certificate on the market. While all levels of SSL – Extended Validation (EV), Organization Validated (OV), and Domain Validated (DV) – provide encryption and data integrity, they vary in terms of how much identity verification is involved and how the certificates display in browsers.

During verification of an EV SSL Certificate, the owner of the website passes a thorough and globally standardized identity verification process (a set of vetting principles and policies ratified by the Certification Authority and Browser Forum) to prove exclusive rights to use a domain, confirm its legal, operational and physical existence, and prove the entity has authorized the issuance of the certificate. This verified identity information is included within the certificate, with some pieces, including business name and country, presented directly in the browser window.

No longer is the padlock alone enough to ensure that a web site is safe.

There has been a steady increase in HTTPS phishing websites over the past couple of years, mirroring the transition from HTTP to HTTPS on commercial websites. HTTPS sites are those that have SSL/TLS certificates and display a green padlock next to the URL. The green padlock is generally considered an indicator of site security. But it only confirms to website visitors that the connection between their browser and the website is encrypted. This provides protection against man-in-the-middle attacks by ensuring data sent from the user’s browser to the website cannot be intercepted and viewed by third parties. This is great if you are absolutely sure that you are on a legitimate web site.

HTTPS websites are now used by a large number of businesses, especially e-commerce website owners. This has become increasingly important since browsers such as Google Chrome give clear indications to Internet users that sites may not be secure if the connection is not encrypted.

This is all to the good of course, but there is one caveat. Users have been told to look for the green padlock to make sure a site is secure, but the green padlock is viewed by many Internet users as a sign that the site is secure and legitimate. While the former is true, the latter is not. The green padlock does not mean that the site is genuine and just because it is displayed next to the URL it does not mean the site is safe.

If the website is controlled by a cybercriminal, all the green padlock means is that other cybercriminals will not be able to intercept any data transmitted. Any information entered on the website will be divulged to the criminal operating that site. In addition, it does not indicate that information stored on the collecting server is safe and secure.

Unfortunately, free SSL certificates can easily be obtained – potentially turning HTTP sites into what appears to be ‘safe’ HTTPS phishing websites.

According to PhishLabs, in Q1 2016 fewer than 5% of phishing websites used HTTPS. By Q3 2016 the percentage started to rise sharply. By Q1 2017 it had almost reached 10%, and by Q3 2017 a quarter of phishing websites were using HTTPS. 30% was surpassed around Q1 2018, and by the end of Q3 2018 a phenomenal 49% of all phishing sites were using HTTPS, displaying that much-trusted padlock.

The secure eMail gateway market is now becoming both highly competitive and effective. However, 1% of emails still slip past secure email gateways, and impersonation, and thus phishing, is becoming more and more difficult to detect. There are a number of risk mitigation strategies that can be put in place today and many are standards driven: DMARC, DKIM and SPF are a good start, and Google automatically enables DKIM on setup. Thought leaders are now looking at flipping the model from seeking bad behaviour to defining a model of good behaviour and testing against it.
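Publishing SPF and DMARC is only a good start if the records are set to enforce. The checker below is an added example, not the article’s or GeoLang’s code; it reads the published TXT record strings and reports the settings that still let impersonated mail through (a soft-fail `~all`, a DMARC policy of `p=none`, a partial `pct`). The records are constructed and the example.net/example.com names are placeholders; in production the strings would come from DNS TXT lookups at the domain and at `_dmarc.<domain>`.

```python
"""Checks of a domain's published SPF and DMARC records for the weak settings
that let impersonated mail through. Added illustration, not the article's or
GeoLang's code; the records are constructed, not fetched. In production they
would come from DNS TXT lookups at <domain> and _dmarc.<domain>."""

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(txt):
    """Findings for an SPF record; only '-all' tells receivers to reject
    mail from hosts the record does not list."""
    if not txt.startswith("v=spf1"):
        return ["no SPF record: any host can send mail claiming this domain"]
    terms = txt.split()
    if "+all" in terms or "all" in terms:
        return ["'+all' authorises every host on the Internet"]
    if "?all" in terms:
        return ["'?all' is neutral: unlisted senders are not penalised"]
    if "~all" in terms:
        return ["'~all' soft-fails only; needs DMARC p=reject to bite"]
    if "-all" not in terms:
        return ["no 'all' mechanism: record is effectively neutral"]
    return []

def assess_dmarc(txt):
    """Findings for a DMARC record; an empty list means it is enforcing."""
    if not txt.startswith("v=DMARC1"):
        return ["no DMARC record: SPF/DKIM results are never enforced"]
    tags = parse_dmarc(txt)
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine junks spoofs instead of rejecting them")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will not see who is spoofing you")
    return findings

# Constructed records for a weak and a hardened domain configuration.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
```

Running the checks over your own domain’s records is a quick way to confirm that the standards are actually enforced rather than merely published.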

Phishing simulations and training videos on both the internal and external threats related to business fraud drive end user awareness; raising the profile of the problem and of what to look out for is a staple of a security-conscious organisation’s strategy. Preventative controls such as MFA and geo-locking of online applications such as O365 should also form part of a preventative strategy.

The threat landscape and attack vectors will continue to evolve and change apace. Phishing, Business eMail Compromise and Occupational Fraud are here to stay for the foreseeable future, as they are lucrative sources of income for criminals. How is your organisation ensuring you don’t get caught?