Spoof Invoices: Pay Now, Pay Again

I’m not an accountant, but I deal with invoices all of the time. A fake invoice is often the key piece of paper that can kickstart an investigation. At Kroll we have tracked the alarming increase in spoofed invoice frauds in which the genuine bank details of a supplier or customer are changed and funds unwittingly diverted. These targeted attacks are often harder to spot than the generic spam emails with malicious attachments disguised as invoices or penalty notices.

Sometimes they are combined with spear phishing attacks that use malware to take control of bank accounts and email accounts to facilitate the fraud (see Benedict Hamilton’s earlier post).
All organisations are at risk, not just large businesses. Small and medium sized businesses are frequently being targeted, as well as non-banking organisations such as legal and accounting firms, family offices and barristers’ chambers.

Recent reports in the FT and The Guardian have highlighted the dangers for both large corporates and for individuals. Figures from the Office for National Statistics (ONS) show mandate frauds increased more than any other type of fraud in 2015 (55% year on year) to 4,322 reported incidents in the year to September 2015. The FBI estimates that the average corporate loss is around £60,000, although Kroll has investigated some cases in which victims, including individuals, have lost in excess of £1million.

Our recent experience highlights that many successful attacks originate with a genuine invoice or payment instruction. The new instructions are submitted without the knowledge of the other parties in the transaction chain. The fraud will usually be discovered when the legitimate supplier chases for non-payment, or the customer discovers their funds have disappeared.

By far the most common attacks are the generic spam attacks. These spoof common email addresses, usually for retailers, and attempt to induce recipients into paying for non-existent goods or services.

We have also seen cases where employees have fraudulently changed details for personal enrichment, and even cases where ex-employees have attempted to defraud their former employer. In one such case, a former employee re-sent the previous year’s invoices to the same client with new banking details.

Prevention is always better than cure. Here are some top tips to protect yourself from invoice frauds:

• Keep up-to-date policies and procedures for handling payments and ensure staff are trained properly.
• Be wary of any unexpected invoices or unusual payment requests.
• Disallow domain emails without the correct SPF settings.
• Check that the origin of the instruction is consistent with the supplier or customer’s authentic information, and has not been spoofed. Spoof emails often have a single character changed in the domain name.
• Escalate invoices where the payment details are in a different country to the supplier or your delivery address. Look out for high risk jurisdictions, such as China and Russia, or offshore jurisdictions.
• Validate any change of details through an alternative channel of communication. Options include using secure encryption to communicate financial details, forwarding the invoice to a genuine contact at the counterparty, or confirming the payment instructions either by phone or in person. Do not rely solely on the information supplied with the changed details.

Unfortunately, few cases are ever successfully prosecuted as the funds are rapidly dissipated and moved overseas. The money typically moves from the initial account (which may be domestic or international) through a network of mule accounts before being cashed out. These transfers usually involve one or more cross-border transactions. Common locations include China, Hong Kong, South Africa and Turkey. This poses a challenge for law enforcement, as the traditional mutual legal assistance networks move slowly. Law enforcement agencies around the world are faced with huge numbers of cases and limited expertise and capacity, which means that cases drag on for years, or are not pursued at all. This is changing, however, as law enforcement agencies such as the FALCON team at the Met gear up to tackle the surge in volumes of cases. We expect future changes under the revised POCA regime and the growth of private prosecutions to have an impact too.

Depending on the specifics of the case, there are ways to get the funds back from the fraudsters if you are willing to spend time and money. Civil procedures, such as ex-parte disclosure orders and worldwide freezing orders, can be used to trace the funds as they are moved from one account to another and then blocked from moving any further. Information about the fraudsters and money launderers may be pieced together from a variety of different sources, whether that is the KYC information provided to the banks at account opening, mobile phone data or the IP addresses used to send communications. In some cases, a witness may emerge to provide crucial intelligence about the network’s operation. This can be used in combination with open source materials to identify the key individuals in the network and pinpoint their locations.