
Simulating security: how companies can train their way out of invoice fraud

Online fraud in 2025: are we careful enough?

Cybersecurity Ventures predicts that by the end of this year global cybercrime costs will top $10.5 trillion USD, an astronomical rise from the still staggering $3 trillion USD in 2015. The reasons are manifold: our growing reliance on smartphones and digital banking, digital literacy challenges in many of the demographics targeted (such as older people), and the rising sophistication of AI tools. No group is sheltered from attack.

Companies, in particular, are increasingly becoming victims of invoice fraud. A study conducted by Forbes in 2022 found that among the 2,750 businesses surveyed, more than 34,000 cases of invoice fraud were uncovered in the space of a year. In one UK case alone, two fraudsters were jailed for faking over £1 million in invoices.

We sat down with Valerija Jerenkevic, Fraud and Regulatory Compliance Manager at ConnectPay, who explained just how invoice fraud is conducted. We were also lucky enough to chat with one of Valerija’s colleagues, Tomas, who is responsible for running a novel social engineering simulation inside the organization.

So, what exactly is invoice fraud, Valerija?

Of course, this isn’t a form of invoice fraud that’s common with private individuals. It’s normally targeted at accounting staff, administrators, or management. Let’s consider two scenarios. In the first one, fraudsters gain access to the company email and can do whatever they want. 

For example, I might be expecting an invoice from a legitimate partner. They send me that email, but fraudsters who have already infiltrated my email system see it too, including the IBAN number where money should be transferred. 

The second scenario occurs when the company is searching for new partners. I might find someone unknown to me who offers attractive prices and services. I believe they’re legitimate, but after making payment, I discover it was a fraudulent company run by scammers. Naturally, I never receive any services from them. 

But how does this happen, aren’t companies protected from these kinds of threats? 

You’ll find that most of the time these kinds of things are conducted through phishing emails or SMS messages. You receive a phishing email at your company address, you click on a suspicious link containing malware that isn’t visible to the naked eye. Only specialized IT system scans can detect it. 

The problem with a lot of this stuff is that it depends on your people being vigilant at all times. Not only that, your employees need to know what to look for. That’s why training for employees is essential. When it comes to bringing in new partners or suppliers, you also need to be really careful. You need to verify their legitimacy by checking if they have a proper website or by scheduling video calls with them.

When receiving invoices from longstanding partners, I recommend implementing a four-eyes principle for payment approval. In this situation, as an accountant, I would enter payment information and approve it in our online banking system, but then a second person should also verify and approve the payment, double-checking that the account details haven’t changed.

In addition, when it comes to known partners, compare the current invoice with previous ones to ensure the account numbers match. If the account has changed, halt all transactions and contact your partner directly to verify. Ask whether they actually changed their account and why, confirming everything is legitimate. That’s the primary safeguard.
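One way to codify the two safeguards described above (comparing the invoice IBAN against the one seen on the partner's previous invoices, and a four-eyes approval by two different people) as a payment-release check. This is an added Python example, not ConnectPay's code; the supplier record, IBANs and invoices are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Invoice:
    supplier_id: str
    iban: str
    amount: float
    approvers: list[str] = field(default_factory=list)  # people who approved in online banking

# Constructed supplier master data: the IBAN that appeared on previously paid invoices.
# The German IBAN is a widely used documentation example, not a real account.
KNOWN_SUPPLIER_IBANS = {
    "SUP-001": "DE89 3704 0044 0532 0130 00",
}

def normalize_iban(iban: str) -> str:
    """Strip spaces and upper-case so formatting differences cannot mask a changed account."""
    return "".join(iban.split()).upper()

def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four chars to the end, map letters A-Z to 10-35,
    and the resulting integer must be congruent to 1 modulo 97."""
    s = normalize_iban(iban)
    if len(s) < 5 or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1

def check_payment(inv: Invoice) -> tuple[bool, str]:
    """Return (release, reason). Release only if the IBAN is well formed, unchanged from
    previous invoices for this supplier, and two distinct people have approved."""
    if not iban_checksum_ok(inv.iban):
        return False, "invalid IBAN checksum"
    known = KNOWN_SUPPLIER_IBANS.get(inv.supplier_id)
    if known is None:
        return False, "new supplier: verify legitimacy out of band before first payment"
    if normalize_iban(inv.iban) != normalize_iban(known):
        return False, "IBAN differs from previous invoices: halt and contact the partner directly"
    if len(set(inv.approvers)) < 2:
        return False, "four-eyes: a second, different approver is required"
    return True, "released"

if __name__ == "__main__":
    ok = Invoice("SUP-001", "DE89370400440532013000", 1200.0, ["accountant", "controller"])
    changed = Invoice("SUP-001", "DE02 1203 0000 0000 2020 51", 1200.0, ["accountant", "controller"])
    print(check_payment(ok))       # (True, 'released')
    print(check_payment(changed))  # (False, 'IBAN differs from previous invoices: ...')
```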

Is there anything else that a company can do to protect itself?

Here at ConnectPay we run fraud simulations on a semi-regular basis. My colleague Tomas would be more than happy to fill you in.

Hi Tomas, can you tell us a little more about your social engineering exercise?

Our team is focused on running external social engineering simulations, particularly phishing simulations, and we do this on a monthly basis. We send randomized phishing tests to our employees, which include the kinds of email compromise you typically see, as well as fraudulent invoices with malicious attachments. We use emails that people might encounter in real-life scenarios. For example, notifications or requests that appear to come from the banks our company uses, or fake emails that seem to come from managers or the IT department.

When they report these suspicious emails to us, we provide positive feedback, confirming that they’ve correctly identified a malicious email. And in those situations, where the link is clicked on or an attachment opened, we reach out and discuss what went wrong. 

Unsurprisingly, we’ve observed that most clicks on these phishing tests come from our newer employees who haven’t been thoroughly trained yet. To address this, we’ve implemented additional phishing training specifically for newcomers. It’s also helped us to see what kinds of scenarios might prove the most problematic. 

So, education and training are key to improved security?

Absolutely correct. So, in light of these checks, our CISO now provides new employees with an introduction to security, focusing on phishing threats. Here, real case scenarios based on actual phishing attempts reported by our colleagues are discussed, so that our people are given real world examples that they can relate to. Additionally, Valerija conducts separate annual phishing awareness training sessions.

We train employees to identify suspicious triggers like wrong links, urgent language, or misspellings. This is the kind of thing that employees need to look out for. 

Valerija, what do you think the value of fraud simulations really is?

Well, of course I’d agree with everything Tomas has to say. What is great about this initiative is that it not only helps us to perform a strength test on just how vigilant we are as a company against these threats, but also shows where we need to educate our people more. 

My final advice to all companies out there, is that if you want to protect your business, you need to be always proactive, because if you’re only ever reactive, sooner or later your business will be one of cybercrime’s victims.
