Supplier Invoice Fraud – What are the signs?

By Joshua Gambrill
IT Manager
13 October 2021
  • IT

Costing businesses millions of dollars every year, Supplier Invoice Fraud is becoming one of the most common cyber scams worldwide. According to the Australian Competition and Consumer Commission (ACCC), Australian business lost over $128 million to business email compromise (payment redirection scams) in 2020 alone. Supplier invoice scams fall directly into this category and are very dependent on people, and with any system reliant on people, the vulnerability to a range of social engineering attacks is heightened.

What is social engineering?

Social engineering is a blanket term for a range of attack methods aimed at tricking a person into doing something or providing information they shouldn’t. The most common modern examples are emails pretending to be from a legitimate sender asking you to open an attachment (phishing attacks) or phone calls pretending to be from the ATO or Police (voice phishing).

What is supplier invoice fraud?

Supplier invoice fraud involves the attempt to intercept or create a legitimate looking invoice to direct payment an attacker’s account instead of the legitimate recipient. There are two types of supplier invoice fraud:

  1. Impersonating a supplier to steal from a business;
  2. Impersonating a business to steal from a supplier.

The attack is very similar for both types, the basic steps are:

  1. Find a target business or supplier.
  2. Register a domain which is very similar to the target - for example pkf.co or a domain which would be believable to an accounts department - for example pkfaccounts.com.au.
  3. Contact the accounts department of the target via the fake domain and request an update to the banking details.
  4. When the payment arrives in the attackers account move the money to an overseas account or to a digital (crypto) currency which can't be recovered by the Australian authorities.

These attacks are often successful because the systems rely on people as part of the process. Even in the most modern ERP system where much of the accounts payable and accounts receivable processes are automated, there are still people required to update details as businesses make legitimate changes to banking details, addresses and phone numbers.

There is a similar attack method which involves gaining access to a legitimate mailbox within a business and using that mailbox to perform the same attack but using all legitimate details. This is obviously a bigger issue for the business which is victim to the mailbox attack but this might be a small part of the larger attack on that business and be overlooked in the remediation effort. Suppliers to that business may continue to receive illegitimate invoices from the business for some time after the compromise is found and fixed.

What can I do to protect my business?

Banks and other finance organisations generally have processes in place to refund and recovery money lost in these kinds of attacks however, the process can be long and your business may be out of pocket until the investigation is concluded.

Businesses should ensure they have processes in place to verify the legitimacy of any request to update details, especially bank and finance details. In addition, the ability to update finance and banking details should be restricted to only those in the business who require it.

Finally, ensuring multi-factor authentication is turned on for all email accounts can help to protect against email account compromise.

How can PKF help?

PKF have experience working with businesses of all sizes and types and can assist to ensure your policies and procedures are adequate to protect against these kinds of attacks. PKF can also assist to review technology and systems in place within your business to ensure they are fit for purpose, as secure as they can be and work with you to close any gaps identified.