One in ten small businesses don’t know the risk posed by invoice fraud.
The findings from UK Finance reveal that these scams cost firms almost £93 million in 2018.
Last year saw 3,280 invoice and bank mandate scam cases involving businesses. The loss per case averaged a staggering £28,000. Thankfully, around £29.6 million of the money lost to invoice fraud was recovered.
Less aware, more at risk
UK Finance’s research found that, out of 1,500 companies, 55% of sole traders were aware of the threat of invoice fraud, compared with 68% of small businesses and 84% of large businesses.
However, large businesses were more likely to take protective measures against these scams. They’re also more likely to have experienced invoice fraud than smaller businesses.
What is invoice fraud?
Criminals pose as regular suppliers and ask for their bank details to be changed, often by email. They’ll then dupe the business owner into sending money into an account controlled by the scammer. On top of that, the fraudsters can ask for other information, like when regular payments are due.
The rights of your real supplier
Julie Hunter, a solicitor specialising in commercial litigation at the law firm Stephensons, said:
“If you are defrauded in this way, your supplier would be entitled to pursue you for the payment they haven’t received, so you could end up paying out twice. These funds are recovered in only a minority of cases.
“To avoid falling victim to authorised push payment fraud, as it is known, we strongly advise that businesses run a simple check whenever they are asked to change a supplier’s payment details.
“Call your supplier using the original contact details they provided to double-check that bank account and invoice details have genuinely been changed. It could save a lot of money and trouble.”
Why supplier fraud is a real risk – and how to protect your business from it
Neil Robertson, CEO of Compleat Software, discusses how unethical suppliers can bring your business down, and how company owners can prepare for this eventuality.
Cyber attacks, data theft and invoice fraud occur more often than most businesses think. In fact, companies in the UK are falling victim to these crimes every day. The problem is, while there is a lot of talk about cyber-crime in theory, nobody wants to admit to actually becoming a victim.
This lack of communication and knowledge-sharing is incredibly short-sighted. All it does is help the hackers and fraudsters play on people’s ignorance and commit their crimes with surprising ease. Not nearly enough is being done to make business decision makers aware of the real risk of cyber-crime and business fraud. The only way to prepare is to be aware.
Don’t underestimate the risk
In my experience, many business owners and decision makers are almost completely unaware of the extent to which their companies are at risk. They also don’t seem to understand the various ways in which their business can become a victim. It’s quite scary to think that most business leaders are, in fact, ignorant of their companies’ vulnerabilities and the subsequent implications.
It’s not entirely their fault. When a business does fall prey to cyber-crime or fraud, it doesn’t want to publicise the event. Take Uber as an example. In 2016, hackers breached the company’s security and accessed data belonging to 57 million customers and drivers. Uber’s senior management knew about the hack but suppressed the news – until the media uncovered it a year or so later.
Businesses like Uber conceal these security breaches out of fear that an instance of fraud will harm their reputation and damage customer and supplier relationships. It’s somewhat understandable. TalkTalk was hit badly in 2015 and watched its profits drop from £32 million to £14 million in just five months. Nonetheless, keeping mum has a knock-on effect on the wider business ecosystem, and leaves smaller companies open to further attacks.
The government is trying to raise awareness on the subject and has created a resource called Action Fraud. The site publishes information on the risks of fraud alongside warnings and news, but not enough is being done to promote this information to small business owners.
Pay attention to purchase orders and invoice approval processes
Purchase order and invoice approval processes in particular are vulnerable to fraud. Unethical suppliers can simply send in two invoices for the same PO a couple of weeks apart. Each invoice has a different number, so the accounts payable person rarely spots the duplication. The supplier gets paid twice for the one job and if the double payment is eventually noticed, they just apologise for the ‘error’.
Unfortunately, we are aware of quite a few organisations that have fallen victim to supplier fraud in one way or another. Businesses do have protective measures they can consider to improve their security. The first is to apply rigorous manual processes that validate new suppliers and double-check all supplier requests related to a change in company and financial information.
These manual processes do work. However, they require a proactive approach to avoiding risk, which significantly increases the administrative workload, and that is a concern in many time-poor small businesses. In addition, the more manual admin there is to process, the greater the risk of human error. What’s more, implementing these new processes usually requires an overhaul of business processes, which can be very costly.
Another approach businesses can look into is the use of purchase automation applications. These are specifically designed to automate purchase order and invoice approval processes and thus stop the most common types of supplier and invoice fraud. This does naturally require a degree of setup and cost, but it also removes human error. And realistically speaking, the cost will be less than that spent paying false invoices for months.
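The kind of check described above, sketched as an added example (not code from this article or from any product it mentions): each invoice is matched against the approved value of its purchase order, so a second invoice for the same PO is held even though its number differs, and any invoice whose bank details differ from the supplier record is held for a call-back. The record layout, supplier IDs, PO numbers, amounts and account strings are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data; the record layout is an assumption for illustration.
PO_VALUES = {"PO-500": 420000, "PO-501": 95000, "PO-502": 300000}  # approved value, pence
SUPPLIER_BANK = {  # bank details held on the supplier master record
    "SUP-001": "00-00-01 00000001",
    "SUP-002": "00-00-02 00000002",
    "SUP-003": "00-00-03 00000003",
}
INVOICES = [  # (invoice_no, supplier, po, amount_pence, date, bank details on invoice)
    ("INV-1001", "SUP-001", "PO-500", 420000, "2019-03-01", "00-00-01 00000001"),
    ("INV-1017", "SUP-001", "PO-500", 420000, "2019-03-15", "00-00-01 00000001"),
    ("INV-2001", "SUP-002", "PO-501", 95000, "2019-03-04", "00-00-09 00000009"),
    ("INV-3001", "SUP-003", "PO-502", 150000, "2019-03-05", "00-00-03 00000003"),
    ("INV-3002", "SUP-003", "PO-502", 150000, "2019-03-20", "00-00-03 00000003"),
]


def review_invoices(invoices, po_values, supplier_bank):
    """Return {invoice_no: [reasons]} for invoices to hold before payment."""
    holds = defaultdict(list)
    billed = defaultdict(int)  # running total accepted against each PO, in pence
    for number, supplier, po, amount, _date, bank in sorted(invoices, key=lambda i: i[4]):
        if po not in po_values:
            holds[number].append("no matching purchase order")
        elif billed[po] + amount > po_values[po]:
            # Catches a repeat invoice for one job even though its number differs,
            # while still letting genuine part-invoices through (see PO-502).
            holds[number].append(f"{po} already billed {billed[po]} of {po_values[po]} pence")
        else:
            billed[po] += amount
        if supplier_bank.get(supplier) != bank:
            # Changed details are never accepted from the invoice or email alone.
            holds[number].append(
                "bank details differ from supplier record; "
                "call back on original contact details"
            )
    return dict(holds)


if __name__ == "__main__":
    for number, reasons in review_invoices(INVOICES, PO_VALUES, SUPPLIER_BANK).items():
        print(number, "HOLD:", "; ".join(reasons))
```

Matching on the remaining PO value rather than on the invoice number is what lets the two legitimate part-invoices against PO-502 pass while the repeat invoice against PO-500 is stopped.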
Don’t wait until it’s too late
It absolutely pays for a business to prepare itself to deal with fraud. It’s not a matter of if it will happen, but more a matter of when. Risk reduction is a shared responsibility. Finance teams need to advise their business leaders and clients to adopt best practice, and public institutions need to provide more education that is relevant for businesses of all shapes and sizes.
Most of all, though, businesses that are the victims of fraud and attacks need to share relevant information so that others can learn from their mistakes – and implement the right protective measures.
Neil Robertson is CEO of Compleat Software.