Fraudsters and criminals are always looking for soft targets. Hundreds of years ago, defenseless people were held up on highways and told to hand over their money. Fast forward to today, and we have new ways of having money stolen from us. One way is for the fraudster to look for businesses with weak defenses against fake invoices. The end result is the same as the highway holdup. They want to relieve you of your money.
What can you do to protect yourself against these people? You have to get some training to better defend yourself against the tactics that they use. You, and your company, need to know when a fake invoice has been sent your way.
What are fake invoices?
A fake invoice is an invoice for products or services that your company has not ordered or authorized. Fake invoices can be broken into two groups. The first is an invoice for products and services that do not exist. The second is for products or services that do exist but that you never ordered. This includes things that have been sent to you unsolicited (they just turned up on your doorstep).
Fictional products and services
These invoices are for products and services that have never existed and never will. An example could be for domain name services – excluding invoices from your legitimate domain name provider that you do business with.
For some of these invoices, the information on them will be generic; however, you need to watch out for more highly targeted fake invoices. Your attacker (the fraudster) may have used social media or other sources to customize the invoice with realistic content. This is done in order to make it harder for you to detect that it is a fake.
Unsolicited products and services
These invoices are for products and services that have been delivered to you but that you never requested or ordered. Magazines turning up on your door unrequested is an example. Leaving aside mistaken deliveries that have been sent to the wrong address, anything that is sent to you without your request is unsolicited. The same principle applies to services. An example of an unsolicited service is an unrequested report or business analysis.
The problem with unsolicited products and services is that you may not, and indeed often do not, need them. A supplier may use this tactic to try to increase sales, but it is highly disrespectful of you, the potential customer. Where the tactic really crosses the line is where the supplier uses high-pressure sales techniques to extract payment. This can involve them misrepresenting your need to pay them (you don’t have to), making threats or other kinds of unpleasant behavior.
The general principle holds that if you receive unsolicited products and services, you are not required to pay for them. In some jurisdictions, the unsolicited product or service is yours outright. In others, you may have to hold it for a period of time to allow the sender to recover it.
Defenses against fake invoices
You are not at the mercy of fraudsters and their fake invoices. A fake invoice only becomes a real problem if you pay it. Your defenses against fake invoices involve detecting that an invoice is fake and not paying it.
1/ Considering context and being skeptical
Your starting point with any invoice is: what is the invoice for? Do you understand what is being invoiced? Are you aware of when you might have actually purchased the goods or used the service? You then compare that with what you are being invoiced for and who is invoicing you.
A key human behavior that the fraudster seeks to exploit is habit. If we are invoiced, it is human nature to presume that the invoice is legitimate. You need to approach invoices with a skeptical eye. Is what is being invoiced sensible?
2/ Being careful on social media
It has been said that social media, such as Facebook and Instagram, are an intelligence service bonanza. Users of these platforms can access a great deal of information about many people or companies. Information about you can be posted by you, but also by your social media “friends”. These friends then control who else can access that information.
Information about a company can be posted on a company page. It can also be posted by employees of a company as they go about their day-to-day lives. This could be, for example, an employee talking about a business trip with potential suppliers. A fraudster could use such information to create a fake invoice about related “consulting” – consulting that never actually happened.
Another example could be a fraudster learning about large projects your company is involved in through social media – e.g. building a new office. A fake invoice for some aspect of that project – e.g. building materials – could land in your inbox.
You can protect against these fake invoices by being careful of what you post on social media. If you are also skeptical about invoices in general and have an awareness of what is posted on social media by others, then you will be more prepared if a related fake invoice comes your way.
3/ Looking for bank account switches
Fraudsters can take advantage of detailed knowledge of your affairs by creating invoices that very closely match legitimate invoices that you are expecting, but changing payment details. This fraud can and does occur with larger and more unusual expenditures.
These invoices can be very dangerous because they look legitimate. Advanced frauds can be very sophisticated, with invoices that look professional and details that – apart from the payment information – are correct. If you fail to detect these frauds, you will only find out when your supplier complains that you have not paid them. You then find you paid an unknown third party!
You should check payment information for large invoices. Is it the same as previous invoices? If you are unsure about anything, check payment information directly with the supplier’s accounts receivable department.
Social media has been a contributing factor with this kind of fake invoice. As discussed above, be careful about what you post on social media.
4/ Using purchase orders
Purchase orders help you track what you have ordered or are buying. You can then cross-check invoices against them, and this will help you sort any fake invoices from the genuine.
What are purchase orders?
Purchase orders are documents that look a little like invoices. They list your company details, your supplier’s, and then have a series of line items that specify what you are ordering.
Purchase order policy
Purchase orders are a control. They allow you to control how your organization spends money. Specifically, you need to decide when you will use purchase orders and when you won’t. For example, you could decide that all major company purchases are only on purchase orders. You would only exempt smaller purchases through petty cash or on employee expense reports. It then follows that all other expenses will be unauthorized. As a result, any invoice you receive outside of your petty cash or employee expense reports must be associated with a purchase order that you have previously issued. Under this policy, an invoice that arrives without a purchase order should put you in a heightened state of awareness.
Practically, you need to decide what you do in an exceptional case when you receive invoices for which there is no purchase order. If there were legitimate reasons, you will need to consider how your organization can deal with the circumstances better in future. You never want it to become routine that invoices don’t have purchase orders.
Matching invoices with purchase orders
When you create a purchase order, your accounting system should generate a purchase order number. You can then require your suppliers to include this number on the invoices that they create. If you receive invoices without a purchase order number, ask your supplier to correct them.
You can compare the invoice with your purchase orders. Do the items on the invoice either match or have a close relationship with those on the purchase order?
When you have several outstanding purchase orders open with your supplier, ask that they send separate invoices for the different purchase orders. You are likely to find that they will comply with these kinds of requests because it helps them get paid.
5/ Looking for suspect payment methods
Think about how you pay for things. You will pay using cash, credit/debit cards, checks (physical or e-check) or electronic bank transfers. How often do you pay for things using wire transfers or transferring a gift card?
If the invoice asks for a gift card as payment, ring the supplier. You can either confirm such requirements with the supplier, or better yet, insist that they accept payment using conventional means.
PayPal is a popular online payment method. PayPal payments are associated with email addresses. When paying your supplier via PayPal, check the email address of the payee. Is it what you expect? Suspect email addresses may have extra parts to the domain, like: firstname.lastname@example.org. If you are expecting expected.address.com and not extra.65ghhiisd.ru, then don’t pay in response to this email.
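The checks described under tactics 3, 4 and 5 (bank account switches, purchase order matching and suspect payment methods) can be run as one routine screen before an invoice is approved. The following Python is an added example, not part of the original post; the record layout, supplier name, account numbers and domains are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Invoice:
    supplier: str
    po_number: Optional[str]
    items: dict            # line description -> amount invoiced
    bank_account: str
    method: str            # e.g. "bank_transfer", "gift_card"
    payee_email: Optional[str] = None

# Constructed records: what the accounting system already holds.
VENDORS = {"Acme Building Supplies": {"bank_account": "11-2222-3333333",
                                      "email_domain": "acme-supplies.example"}}
OPEN_POS = {"PO-1042": {"supplier": "Acme Building Supplies",
                        "items": {"timber framing": 4200.00, "roofing iron": 1850.00}}}
USUAL_METHODS = {"cash", "card", "check", "bank_transfer", "paypal"}

def screen_invoice(inv, vendors=VENDORS, open_pos=OPEN_POS):
    """Return the reasons to hold an invoice for review; an empty list means no flags."""
    vendor = vendors.get(inv.supplier)
    if vendor is None:
        return ["supplier not on file"]
    flags = []
    po = open_pos.get(inv.po_number)
    if inv.po_number is None:
        flags.append("no purchase order number")
    elif po is None or po["supplier"] != inv.supplier:
        flags.append("no open purchase order with this number for this supplier")
    else:
        for desc, amount in inv.items.items():
            if desc not in po["items"]:
                flags.append(f"item not on purchase order: {desc}")
            elif amount > po["items"][desc]:
                flags.append(f"amount above purchase order: {desc}")
    if inv.bank_account != vendor["bank_account"]:
        flags.append("bank account differs from the one on file")
    if inv.method not in USUAL_METHODS:
        flags.append(f"unusual payment method: {inv.method}")
    if inv.payee_email is not None:
        # Exact match on the whole domain, so extra parts added to it do not pass.
        domain = inv.payee_email.rsplit("@", 1)[-1].lower()
        if domain != vendor["email_domain"]:
            flags.append(f"payee email domain not on file: {domain}")
    return flags

if __name__ == "__main__":
    # Constructed invoice: matches the PO, but the payment details were switched.
    switched = Invoice("Acme Building Supplies", "PO-1042", {"timber framing": 4200.00},
                       "99-8888-7777777", "bank_transfer")
    for reason in screen_invoice(switched):
        print("HOLD:", reason)
```

A flag is a reason to contact the supplier through details you already hold, not proof of fraud; a genuine supplier can change banks.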
The highwaymen of old held up people with weak defenses and relieved them of their cash. Fraudsters in the modern world are looking to relieve you and your business of your cash. We’ve seen that one key tool they use is the fake invoice. In spite of this, a fake invoice can only hurt you if you pay it. This post has armed you with five things you can do to improve your defenses against fake invoices. They are:
- Considering context and being skeptical
- Being careful on social media
- Looking for bank account switches
- Using purchase orders
- Looking for suspect payment methods
If you consider these five tactics, you will be better positioned to not be taken in by your next fake invoice. If you have any other strategies, feel free to leave them in the comments.