Being duped by fake or duplicate invoices remains a concern for many businesses, yet recent research suggests that they are still exposed to such risks. Among the main reasons cited are a failure to ensure that invoices always come in to the same place before being approved, and an ‘it won’t happen to me’ attitude.
The research, conducted for cloud expenses company Concur, examined the supplier invoicing practices of 5,000 companies. It found that over one fifth of businesses had received fake invoices, while 3% of businesses admitted to actually paying falsified demands.
‘Little hope’ of getting money back
Commenting on the study, Chris Baker, UK Managing Director of Enterprise at Concur, said:
“If only 3% know they’ve paid a fraudulent invoice, how many more companies have absolutely no idea and have paid, or are still paying, fraudulent invoices?
“Once companies have paid the invoice, there is little hope of getting the money back, but it’s not just about the initial outlay; businesses will be falsely reclaiming VAT and are at risk of penalties, plus investigation if HMRC deems that their processes are at risk.”
Katy Worobec, Director of Financial Fraud Action UK (FFA-UK), added:
“Criminals target businesses because they know successfully scamming a company can potentially net them far more money than they could steal from an individual.
“Fraudsters know businesses are used to processing many kinds of payments and so a simple request to change invoice details or provide financial information has a chance of deceiving an accounts department.”
Fraudsters back to ‘tried-and-tested’ techniques
David Clarke, trustee director of the Fraud Advisory Panel, believes that invoice fraud is changing because of the measures many firms have put in place to protect data and security. He said: “Fraudsters have gone back to old tried-and-tested techniques like social engineering, with humans being the weak link. If you can’t bribe an insider then try to get people to trust you,” continued Clarke, “and then you can hit them with ‘we’ve just changed our details’ or ‘moved our account’. People are often just too busy to notice. The change has come about because other measures have been successful, so they’ve now got to get clever and go back to the old methods.”
(Social engineering is a non-technical method of intrusion that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.)
Concur’s Chris Baker added: “The fact is that invoicing is still very much a manual process and people won’t get it right all the time. If a scammer gets a fraudulent invoice past your finance team once, they’ll chance their arm until you stop paying. It’s not unlike phishing in the sense that once a weak spot has been identified it will be exploited time and time again.”
Call back, share information
To avoid falling victim to the fraudsters, Katy Worobec from FFA-UK recommends that you “be on alert if you receive a call or email out of the blue asking you to update any payment details. If you’re ever in doubt about a request or an invoice, ring back the company on a number that you know and ask to be put through to a person who you have spoken to before.”
“The villains actively look for someone who’s gullible,” said Fraud Advisory Panel’s David Clarke. “If you have measures in place they move on to the next business. Firms that are savvy about this pick up on it quickly.
“Put information out regularly; I recommend weekly or monthly meetings for anyone in a customer-facing role to share information about potential attacks with members of staff. You don’t have to go on a half day training course to learn this.”
Duplicate payments among ‘deepest concerns’
The Concur study also found that one in three organisations are aware that they have paid duplicate invoices. This issue becomes more widespread as organisations grow, with 59% of firms employing over 1,000 people admitting to paying duplicates.
Even among smaller SMEs employing fewer than 50 people, including, I might add, ‘one-man bands’, the percentage that have paid duplicate invoices is still a worryingly high 21%.
Duplicate invoices were considered more worrying than fraudulent ones, with 34% of respondents citing duplicate payments among their biggest concerns, while only one in five of those surveyed listed fraud as a concern.