Your Industry 

Beware the invoice scammers

Mike Ayres

Mike Ayres

A new study has revealed that the UK’s financial services industry lost almost £93bn in 2018 as a result of invoice scams and more stringent adherence to standards is urgently needed to avoid the situation worsening.

The research by UK Finance also suggests many firms are unaware of the risks posed by this type of fraud.

Among those most at risk of being targeted by scams such as ‘phishing’ attacks, are businesses that hold client money for the purposes of making property transactions, purchasing bonds or other investments, or buying insurance.

These firms often hold large sums of money and may not have considered the possibility that they could be targeted by scammers.

One of the main areas of fraud risk for firms holding client money is insecure email accounts and web-based accounting systems.

Fraudsters are able to exploit any weaknesses they find in such systems in order to intercept key data and cause the transfer of sums of money directly into third-party bank accounts.

‘Phishing’ attacks often involve the use of ‘bait’, contained in a false email that an unsuspecting person might open and respond to.

This email may contain a malicious link, allowing the fraudster to gain access to the firm’s systems.

Alternatively, the fraudster might be able to extract key information from a member of staff, such as a director’s email address and signature details.

Widespread use of email and online banking has led to more sophisticated scams, which involve fraudsters compromising the email account of a known third party, such as supplier, in order to impersonate them and divert payments into their own bank account.

To protect against such attacks, financial advisers and other financial services firms such as mortgage and insurance brokers need to be vigilant and ensure their systems are robust and reviewed regularly.

Seeking certification from Cyber Essentials, a scheme run by the National Cyber Security Centre, will ensure certain standards are met, but it is also important to keep their knowledge and understanding of the latest fraudulent activity up to date.

Specialist fraud-testing firms may also be used to carry out penetration testing and identify areas of potential weakness.

Adopting robust processes and procedures can help to prevent firms becoming an easy target for fraudsters. For example, staff should look out for changes to address/contact details and bank account details that are not highlighted or announced.

Another red flag could be a new bank account, with the same sort code, but a different account number that was not known until the invoice was received. A change of payment terms could also indicate something is not right. 

Staff should be regularly tested to ensure they are alert to possible attacks and receive regular training to ensure they are aware of the latest scams. It also makes sense to segregate duties, so more than one person is responsible for authorising payments. 

Whilst it is a requirement for firms holding client money, all businesses should consider putting in place a Risk Register, which should be reviewed regularly, listing all potential risks affecting their day-to-day operations and the safeguards in place to mitigate them.