Cybercrime on the rise with invoice hacking
4 August 2022
Like other forms of cybercrime there has been an increase in what is known as Invoice Hacking or Invoice Redirection. This is where cybercriminals are impersonating businesses and suppliers, accessing emails and intercepting invoices. They send emails, coupled with an invoice for payment, including changes to their bank account details, and ask you to pay to the new account. The trouble is this new account belongs to nefarious individuals and not your regular supplier.
The challenge with invoice hacking is that everything can appear totally legitimate in that there is no dodgy spelling, no obviously bogus email addresses, and no impersonal “My dearest friend” type greetings that we associate with email scams.
You may not even realise you’ve fallen victim to a scam until weeks later when the genuine supplier gets in touch asking you to pay your invoice. Unfortunately, by that time, your money and the scammer are both long gone leaving you out of pocket and potentially paying twice.
If you own or run a business, stay alert for invoice hacking and understand that scammers don’t just go after big companies, they go after businesses of all shapes and sizes and can impact any industry. They will tend to target new or junior level employees or volunteers as they’re most likely unfamiliar with payment processes. A compromise like this can have a severe impact on your business.
Reported stats on false billing for 2022 YTD (source : www.scamwatch.gov.au )
What if you believe you been scammed?
If you’re concerned, you may be a victim of invoice hacking:
Contact your financial institution – They may be able to stop a transaction or put a hold on your account if your banking details have been compromised.
Contact the supplier to highlight to them that their business may have been compromised.
Report the scam to the relevant authorities (see helpful links below).
Tips to avoid invoice redirection scams
The harsh reality is that if you have lost money to a scam, it is unlikely that you will get it back. We’ve put together a few tips to help prevent scams from happening:
Always verify any changes to bank accounts, email addresses or payment details over the phone (using a number you already know or from their public website but NOT from the invoice) or even in person. Human interaction can often minimise the risk of invoice hacking.
Never rush a payment. Fraudsters love to create a sense of urgency to get you to pay immediately.
Closely review the email addresses of any change requests to ensure they are not spoof emails.
If you are a business, ask your customers to get in touch if they receive a change of account request that seems to come from you. If you do change your business bank account, call your customers to let them know.
Educate yourself and staff (if running a business) on your processes and to look out for any suspicious emails or phone calls.
For expert financial advice, contact us today.
Scamwatch is run by the Australian Competition and Consumer Commission (ACCC). It provides information to consumers and small businesses about how to recognise, avoid and report scams.
The Australian Cyber Security Centre (ACSC) leads the Australian Government’s efforts to improve cyber security.
Provides a method to report Cybercrime
Provides advice and information about how to protect yourself and your business online.