Invoice Redirection Fraud: Avoid being scammed or impersonated

There has been an increase in cybercriminals impersonating businesses and suppliers, accessing emails, intercepting invoices, changing bank account details and robbing the invoice amounts from the customer leaving the invoice unpaid with the supplier or business.

What exactly is Invoice Redirection Fraud?

Invoice Redirection Fraud stems from a larger cybercrime called Business Email Compromise where cybercriminals impersonate a business to trick you, an employee, customer or vendor into transferring money or sensitive information.

This is done usually by gaining remote access to an email account or using an email address that appears legitimate and almost identical to the trusted business email address. The cybercriminal then sends what appears to be a legitimate email requesting money or sensitive information.

In the case of Invoice Redirection Fraud, the cybercriminal will send an invoice which includes new updated bank details so payments are redirected to the cybercriminal.

The Australian Cyber Security Centre (ACSC) has developed comprehensive guidance to help organisations protect themselves from business email compromises.

How to avoid paying a fraudulent invoice

It is important to review invoices carefully each time you receive one. The best way to verify an invoice is to check with the supplier each and every time by calling them using a phone number known to you, listed against the business, not the invoice.

When reviewing an invoice make sure you keep a watch out for:

• If it was sent from a slightly altered email addresses.
• Alterations on invoices including low quality graphics or mismatched fonts.
• Spelling and grammatical errors.
• Unusual amounts or descriptions of products and services.
• Different bank account details or ‘how to pay’ information from previous invoices.

To avoid being a victim of Invoice Redirection Fraud, it is recommended you:

• Store supplier bank details in the internet banking payee list or in your accounting software rather than entering in the BSB and Account Number each and every time.
• Introduce processes where only certain people are allowed to change payment details and approval processes when bank details do change.
• Where possible use a business’s PayID and ensure it is linked to the correct PayID holder.
• And again; Verify any bank account changes by phone using pre-existing phone number (known to you, not on the invoice).

How to prevent being impersonated by a cybercriminal

It is important that your business takes the necessary steps to avoid being impersonated by a cybercriminal who may scam your customers, making it harder to get your invoice paid and risk eroding the trust of your customers.

To avoid a cybercriminal impersonating your business you should:

• Secure your email, accounting and other systems with two factor authentication.
• Monitor your network, accounts and communication channels for any suspicious activity.
• Regularly remind your customers about the invoice payment process.
• Educate your staff and customers about the importance of being aware to hackers, scams and cybercriminal activity that could affect your business.
• Set up a PayID using your ABN or a business email address and use these details on your invoicing.
• If your banking details do change, ensure your customers are aware via a robust communication effort to them about the change.

For further information:

ACCC Scamwatch: www.scamwatch.gov.au/types-of-scams/buying-or-selling/false-billing

Australian Cyber Security Centre: www.cyber.gov.au/news/business-email-fast-growing

Australian Competition & Consumer Commission: www.scamwatch.gov.au/news/australian-businesses-hit-hard-by-email-scams

Smart Company: www.smartcompany.com.au/technology/business-email-compromise-scam