With more than £236m reportedly lost last year in the UK [1], authorised push payment (APP) fraud is sadly on the rise. It sounds complicated, but the meaning is very simple – it happens when someone makes a payment at a payee’s request, but is tricked into paying the wrong bank account. Fraudsters do this by hacking email accounts or intercepting invoices.

Thousands of UK businesses and individuals are defrauded this way each year, with individuals losing an average of £3,000 each time, and businesses more than £21,000. Some estimates suggest that, with many cases going unreported, UK small and medium enterprises could be losing as much as £9bn a year to invoice fraud alone [2].

Let’s bring this to life

Imagine that you own a marketing agency and, after much hard work, your business secures a new contract. You pass all of your client’s compliance checks, allocate the resources, deliver the work, and send the invoice. But there’s a delay. You wait, then ask.

Your client’s finance department proves that the payment was made two months ago. But where’s the money? Shock and horror: the account number in the invoice they paid is wrong. Somewhere in the world, the payment for your work is already footing some criminal’s bills.

Second example. You’re having building work done at home and the builder sends you an email asking for a payment for materials. You make the payment to their account, but a few days later they call you chasing the payment, as work is due to start.

You realise that your email account had been hacked. The "invoice" you received has the bank account details of the fraudster, who now has your money.

But how does it work?

Criminals usually commit invoice fraud in four steps – intercepting an email account, hacking the invoice, changing payment details, then disappearing with the money. We explain these steps and how to prevent them below.

Step 1 – Taking a phishing trip

A fraudster will find a way to access the email account you use to send or receive invoices. They could do that by getting you to click on a link in a phishing email, or by intercepting your connection on a non-secure public wifi network you use – if your login and password are transmitted unencrypted, it’s easy for the fraudsters to read your details. They could also install software or malware on your device to monitor everything you do.

Remember - take a few seconds before downloading programs or apps from unknown sources, entering your login details or using a public wifi network.

Step 2 – Invoice hack

Now that they can see your emails, the fraudster will look out for any types of invoices you regularly send or receive, or a big one which may be on its way. While they wait, they will also research what your invoices look like, how you normally write your emails, and any information which would help them impersonate you, so as to deceive your clients and suppliers (and others!).

Remember - change your passwords regularly, make sure they’re strong and always use different passwords for different services. An ideal password should be 15 characters long with uppercase and lowercase letters. For example, "mYp4ssW0rdR0x#". Create different passwords for every account and, if you can’t remember them all, use an offline password manager like KeePass to help. You should also enable two-factor authentication for as many online accounts as possible.

Step 3 – The payment

Once the fraudster sees an invoice coming in or going out, they will delete that email and re-send it, either from the original hacked account or from an account which looks just like the original one. For example: “eric.jones@jonessolicitor.com” rather than “eric.jones@jonessolicitors.com”. Can you spot the difference?

The altered invoice will be almost identical, except for the email address, telephone number and bank account details.

Remember - Before paying a new invoice or changing a supplier’s account details, call someone you know at the supplier to confirm them, using a number you have already verified and not the one printed on the invoice.
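As an added example (not part of the original article), here is a simple pre-payment check in Python that an accounts-payable process could run on an incoming invoice email: it compares the sender’s domain and the bank details against a supplier directory you already hold, flagging lookalike domains such as the one above and any change of account number. The supplier directory, the phone number and the sample invoices are constructed placeholders, not real data.

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-letter lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

# Constructed supplier directory (assumption): the verified domain, the bank
# details you have paid before, and a phone number confirmed outside email.
KNOWN_SUPPLIERS = {
    "jonessolicitors.com": {
        "sort_code": "12-34-56",
        "account": "12345678",
        "verified_phone": "020 0000 0000",  # placeholder, confirmed by other means
    },
}

def check_invoice(sender: str, sort_code: str, account: str) -> list:
    """Return the reasons to hold the payment; an empty list means the sender
    domain and bank details match the supplier record exactly."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    record = KNOWN_SUPPLIERS.get(domain)
    flags = []
    if record is None:
        # Look for a near miss such as jonessolicitor.com vs jonessolicitors.com.
        for known in KNOWN_SUPPLIERS:
            if edit_distance(domain, known) <= 2:
                flags.append(f"lookalike domain {domain} resembles {known}")
                record = KNOWN_SUPPLIERS[known]
                break
        if record is None:
            return ["unknown supplier domain: verify before paying"]
    if (sort_code, account) != (record["sort_code"], record["account"]):
        # Even from the genuine domain this is the hacked-account case: confirm
        # by calling the number on file, not the one printed on the invoice.
        flags.append(f"bank details changed: call {record['verified_phone']}")
    return flags

if __name__ == "__main__":
    # Constructed sample invoices: genuine, lookalike domain, hacked account.
    print(check_invoice("eric.jones@jonessolicitors.com", "12-34-56", "12345678"))
    print(check_invoice("eric.jones@jonessolicitor.com", "12-34-56", "87654321"))
    print(check_invoice("eric.jones@jonessolicitors.com", "65-43-21", "87654321"))
```

The check is a hold-and-verify control, not a substitute for the phone call: any non-empty result should stop the payment until someone has confirmed the details by a channel the fraudster does not control.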

Step 4 – The loss

When a payment is made into a fraudster’s account, it’s usually immediately withdrawn and practically impossible to recover.

Because the payment was approved with all the usual security passcodes, it’s difficult for the bank’s fraud prevention system to pick it up as unusual. As a result, investigations tend to be lengthy and losses are hard to recover.

The resultant distress, as well as a strained relationship between client, supplier and bank, leaves everyone a loser. Except for the fraudster.

Remember - As with everything fraud-related, it always pays to take your time before acting. Fraudsters will do all they can to rush you into making a decision you could dearly regret.