How e-invoicing can lower your risk of fraud
Recently, nearly 35,000 CFOs were subject to a targeted phishing scam, costing their organizations both time and money. Learn how e-invoicing can reduce your risk of fraud.
How does it really happen?
Misusing the corporate hierarchy
A phishing scam or Business Email Compromise (BEC) attack happens when an attacker gains access to a corporate email account and poses as a company insider, such as a CEO or CFO. Using this assumed identity, the attacker then attempts to defraud the company, its employees, customers, or partners of money.
A typical attack may be an email sent by the criminal under the CFO’s identity, asking someone in the finance department to send an urgent payment to a supplier. The employee feels pressure to comply with the CFO’s request and skips the usual payment process. The supplier name seems relevant, so the payment is made, resulting in a loss to the company.
Intercepting emails
A slightly more complicated approach is for the criminal to observe and intercept ongoing email communication between the business partners. Once the criminal has found an ongoing business transaction, they will attempt to defraud the companies in several different ways.
One way is to intercept an email and change the bank details on the real invoice. Alternatively, if the invoice has already been sent, they may send a phishing email and ask the buyer to pay the invoice to a different account than normal.
In both cases, criminals use email spoofing to make the email address seem credible. As a result, the invoice is paid to the wrong company and the wrong account because the recipient trusts that the invoice comes from a legitimate source.
Abusing invoice approval processes
Invoice handling can be an expensive process, so many companies have an automatic approval process for invoices below a certain amount. In these cases, the criminals usually use email addresses or supplier names that are extremely close to those of one of your current suppliers. For example, they may pose as an IT maintenance or server supplier. This makes it easy for people to automatically approve small invoices.
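The two tricks described above (a sender address that is almost a known supplier's, and bank details that differ from the ones on file) can be checked before an emailed invoice reaches automatic approval. The following is an added example, not part of the original article: the vendor master, domains, IBANs, threshold and similarity cut-off are all constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed vendor master (placeholder domains and IBANs, not real data).
VENDOR_MASTER = {
    "northwind-it.example": {"name": "Northwind IT Services", "iban": "GB00TEST00000000000001"},
    "acmeservers.example": {"name": "Acme Servers", "iban": "GB00TEST00000000000002"},
}
AUTO_APPROVE_LIMIT = 500.00   # assumed auto-approval threshold
LOOKALIKE_RATIO = 0.85        # assumed similarity cut-off for near-miss domains


def closest_domain(domain):
    """Return (registered_domain, similarity) for the closest known supplier domain."""
    scored = [(SequenceMatcher(None, domain, known).ratio(), known) for known in VENDOR_MASTER]
    ratio, known = max(scored)
    return known, ratio


def screen_invoice(invoice):
    """Return (decision, flags) for an emailed invoice dict with sender, iban, amount."""
    flags = []
    domain = invoice["sender"].rsplit("@", 1)[-1].strip().lower()
    vendor = VENDOR_MASTER.get(domain)
    if vendor is None:
        # Not a registered supplier domain: near miss or complete stranger?
        known, ratio = closest_domain(domain)
        if ratio >= LOOKALIKE_RATIO:
            flags.append(f"lookalike_domain:{known}")
        else:
            flags.append("unknown_sender")
    elif invoice["iban"].replace(" ", "").upper() != vendor["iban"]:
        # Known supplier, but the account to pay differs from the one on file.
        flags.append("bank_details_changed")
    if flags:
        return "hold_for_verification", flags   # never auto-approve a flagged invoice
    if invoice["amount"] <= AUTO_APPROVE_LIMIT:
        return "auto_approve", flags
    return "standard_approval", flags


# Constructed sample invoices: legitimate, lookalike sender, changed bank details.
SAMPLES = [
    {"sender": "billing@northwind-it.example", "iban": "GB00TEST00000000000001", "amount": 120.0},
    {"sender": "billing@northwlnd-it.example", "iban": "GB00TEST00000000000009", "amount": 95.0},
    {"sender": "billing@northwind-it.example", "iban": "GB00 TEST 0000 0000 0000 09", "amount": 480.0},
]

if __name__ == "__main__":
    for inv in SAMPLES:
        print(inv["sender"], inv["amount"], *screen_invoice(inv))
```

A matching sender domain is not proof of origin, since these emails are spoofed; that is why the bank-detail comparison still runs when the domain matches exactly.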
Recently, I came under attack from email invoicing-related crime myself: I happened to be in the address book of a person whose computer was infected with a virus, and it was sending out payment reminders. Although this time the target was to steal my identity, I would still put it in the same category as other email invoicing-related crimes.
Misperception of email invoicing cost
Email invoicing is considered to be a very cost-effective and simple way of invoicing which is affordable for everyone. Is it really so? Since there is an increasing number of cases where email scamming is used for invoicing-related crimes, corporate IT departments are under pressure to create more secure email channels. It’s their job to provide security against these types of attacks. All these actions can result in some unintended consequences.
Your IT department may be increasing the cost of email invoicing. This happens either directly, by increasing IT security costs, or indirectly, as their activities may also cause actual supplier invoices to be quarantined and sent to spam. When invoices aren’t delivered, they aren’t paid, and this can prove costly for both sender and receiver. It causes late payment fees, affects cash flow for suppliers, and takes time from customer service to solve the issue. So you should remember that emails aren’t a guaranteed delivery method for invoices.
There is a better way
The best way to ensure legitimate supplier invoices are paid on time is with e-invoicing. Structured invoice data can be exchanged directly between buyer and supplier, and the information uploaded directly to the Accounts Payable invoicing system. A trusted service provider, together with a trusted chain of traffic, acts as the guarantee for the network. This mitigates the risk of a BEC attack.
Of course, the benefits don’t stop there.
E-invoicing will not only mitigate the risk of your company losing money to attacks, but you’ll be saving money by automating what is typically a very manual process, as well as reducing the number of errors that can result in increased costs and processing lifecycles.
As the number of attacks increases, companies need to take a multi-pronged approach to ensure security. With true e-invoicing, where a service provider’s network is used to send and receive your invoices, you significantly decrease the risk of becoming a victim of financial crime and also gain the benefits of process automation.
I do agree with people who say that today’s solutions favor big corporates and give less consideration to the interests of SMEs. That still shouldn’t lead us to choose untrusted solutions that seem to be free of charge. We should aim for affordable (financially and process-wise) SME solutions.
One may ask why email is such a popular tool for committing financial crimes. I believe the answer is that there are no transaction costs for the criminal. It is so cheap to attempt the crime that it can be done on a wide scale. But that doesn’t mean it is cheap to maintain the service. At the end of the day, there is no bad without good: isn’t the money you need to pay your service provider small compared to the fact that you can sleep peacefully at night?