For any business, it’s not unusual to receive an email containing a fraudulent invoice impersonating a known supplier. Using advanced tactics such as spear phishing, cybercriminals aim to trick employees into making a fraudulent payment.
Types of payment invoice scams
There are many different payment invoice scams out there. They all share a common trait: the attacker will send a fake invoice to scam money out of an individual or business. Some examples include:
- Domain expiry - An attacker sends a business an invoice stating its domain has expired and that its website will go down immediately unless payment is made.
- Charity donation - In this type of scam, a criminal will send an invoice that looks like it’s from a charity – usually for a fundraiser or an advert in a charity publication.
- Overdue invoice - A phony supplier will send an invoice to a business stating that goods have been purchased and that the invoice is overdue. Sometimes they’ll also send a “sample” of a product and then state that the business agreed to buy.
- CEO email fraud - A criminal acting as someone high-up in the business, usually the CEO, will send an invoice to the accounts department asking for it to be paid immediately.
Posing as a known contact to scam an employee into thinking an invoice needs to be paid as soon as possible is a form of business email compromise (BEC). A common thread here is coercing people into urgent action – criminals use social engineering to trick employees into paying the invoice without thinking.
Examples of real-life invoice and payment fraud
We can learn a lot from high-profile cases that have hit the news. These cases share a similar theme in criminals sending fraudulent invoices that have then been paid by the target companies – often costing millions of dollars.
Google and Facebook
From 2013 to 2015, a man named Evaldas Rimasauskas combined phishing with invoice fraud to target Google and Facebook. He posed as an employee of Quanta Computer and emailed fake invoices to the tech giants. Over the course of two years, they paid him more than $120m before he was caught and charged with fraud, money laundering, and identity theft.
By posing as someone from a legitimate company, he could trick employees into paying the invoices for things they’d never ordered, sending the money directly to his bank account.
A-1 Janitorial targets businesses across the US and Canada
One type of invoice scam involves sending a “free” product sample and then charging companies for the full cost. This is exactly what happened in a scheme conducted by A-1 Janitorial in 2019. The firm sent businesses across the US and Canada samples of a cleaning product before sending an invoice for the full cost.
After conducting online research, the criminals could reference a specific employee by name when sending the invoice, which increased the likelihood that someone would pay. Those who did pay the fraudulent invoice were then sent more products and further invoices, even though they’d never ordered anything.
As a result of the lawsuit against A-1 Janitorial, the Federal Trade Commission (FTC) refunded more than $2.6 million to affected businesses. It sent out 30,374 checks averaging $86 each.
Shark Tank’s Barbara Corcoran
Using a fake email address, a criminal posed as Barbara Corcoran’s secretary to trick her bookkeeper into paying $388,000 via wire transfer. The fake email address was just one letter off the secretary’s real email, making it difficult to spot.
It was only when the bookkeeper copied in Corcoran’s real secretary to confirm the transaction that the scam was uncovered.
What can we learn?
These schemes prey on employee trust and on the lack of a process to verify payments, especially those under certain approval thresholds. In large businesses, or those used to sending out large sums – like Google and Facebook – there is a real chance that a fraudulent invoice gets paid alongside the legitimate ones hitting the accounts department’s inbox.
With many scammers using spear phishing to uncover personal information that lends credibility to their payment requests, it’s difficult for employees to tell what’s fake from what’s legitimate. To reduce this risk, businesses must have the correct security measures in place to support employees.
Tools such as Egress Defend use a combination of intelligent technologies, including natural language processing and machine learning, to detect the underlying signs of a phishing attack. Defend analyzes each email to look for urgent and financially motivated language, new or suspicious senders asking for payment, and other indicators that could signal fraud.
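The indicators above (a sender address one letter off a known contact, urgent language, and a request for payment from an unfamiliar sender) can be illustrated with a small scoring heuristic. This is an added example, not Egress Defend’s code; the contact list, keyword lists and sample messages are constructed for the demonstration.

```python
# Added example: toy scorer for the BEC/invoice-fraud indicators discussed above.
# Not Egress Defend's code. Contacts, keywords and sample messages are constructed.
from dataclasses import dataclass

# Constructed list of trusted sender addresses (hypothetical domains).
KNOWN_CONTACTS = {"assistant@corcoran-example.com", "ap@quanta-example.com"}

URGENCY = ("immediately", "urgent", "as soon as possible", "today", "overdue")
PAYMENT = ("invoice", "wire transfer", "payment", "bank details", "pay")


@dataclass
class Verdict:
    score: int          # number of indicators that fired
    reasons: list       # human-readable explanation for each indicator


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot addresses 'one letter off' a known contact."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_email(sender: str, body: str) -> Verdict:
    reasons = []
    sender, text = sender.lower(), body.lower()
    # 1. Sender check: lookalike of a trusted address, or simply unknown.
    if sender not in KNOWN_CONTACTS:
        near = [c for c in KNOWN_CONTACTS if edit_distance(sender, c) <= 2]
        reasons.append(f"lookalike of known contact {near[0]}" if near
                       else "sender not in known contacts")
    # 2. Urgent language pushing for immediate action.
    if any(w in text for w in URGENCY):
        reasons.append("urgent language")
    # 3. Financially motivated request.
    if any(w in text for w in PAYMENT):
        reasons.append("payment request")
    return Verdict(len(reasons), reasons)


# Constructed sample messages: one lookalike-sender payment demand, one benign note.
SUSPECT = ("assistant@corcoran-examp1e.com",
           "Please pay the attached invoice by wire transfer today.")
BENIGN = ("assistant@corcoran-example.com",
          "Attaching the agenda for Thursday's meeting.")
```

A score of two or more, or any lookalike-sender hit, is the kind of message that should be routed to a human verification step such as the phone call or CC to the real contact that exposed the Corcoran scam.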
If you’d like to learn more about how intelligent email security can protect your business from these scams, you can find more information on our dedicated invoice and payment fraud page.