Invoice scams, where employees receive requests for payment from legitimate sources or routine services, are on the rise. Learn what to watch out for.
Picture yourself in a position where you’re in charge of approving and paying capital expenses for a big-name company worth tens of billions of dollars.
One afternoon, you get an email from your assistant to green-light an invoice totaling $400,000 for renovations to a luxury investment property. In your office, that’s a normal cost and a usual expenditure. As a matter of routine, you might move forward to pay the bill, very nearly overlooking the minor detail that your assistant’s email address is missing one letter from their name.
That’s precisely what happened to a bookkeeper for Barbara Corcoran, founder of real-estate giant Corcoran Group and host of the popular TV show Shark Tank.
In the case of this invoice scam, the property in question didn’t exist and the renovation company was fake, but the money transferred would have been very real. It was only because the bookkeeper emailed the assistant back at their proper email address that the fraud was discovered and avoided.
This is a micro example, a case where the bad actor targeted a very specific person for a very large amount of money. But, new information in the Avast Q1/2023 Threat Report indicates invoice scams are growing more prevalent, and they’re not exclusively targeted at celebrity executives.
Invoice scams are on the rise
Invoice scams, also called a Business Email Compromise (BEC), or an Email Account Compromise (EAC), are a type of online fraud where hackers attempt to deceive businesses or individuals into paying fake bills.
These scams can take many different forms, but they most often involve bad actors sending invoices that appear to be from legitimate sources such as trusted vendors or well-known brands.
Raising the stakes, the requests often employ tactics that heighten the recipients’ sense of urgency. This could come as a threat that essential services will be shut down, or the target individual or company will be reported to credit agencies for defaulting on an overdue payment. These tactics are intentionally employed to encourage the recipient to overlook safety precautions and quickly pay before they get into trouble.
Most everyone has received emails masquerading as alerts sent from services like PayPal (they’re not from PayPal). We’re all already aware of such tactics and spot them easily when the return email address looks suspicious, or the content of the email seems off.
In more modern tactics, some fraudulent invoices arrive through legitimate sources. The invoice appears more legitimate because it’s being sent from an authentic financial transfer service. The website and email may be real, but the goods/services invoice from the scammer, who has obtained your name and email address, are entirely illegitimate.
Findings from the Avast Q1/2023 Threat Report
At the macro level, invoice scams are trending up, and anyone can fall prey to the threat actors using them. This is according to the Avast’s data-centric view of the latest tactics, threats, and exploits that cybercriminals use to infect systems, steal information, and defraud companies of their funds. The insights consider data at a global level, and invoice scams are everywhere.
The most recent report reveals that the incident rate of invoice and refund scams has risen by as much as 50% in only the last three months. The numbers range by region, with Japan reporting the highest increase at 50%, a 26% increase in the United Kingdom, 21% in Canada, and 19% in the United States.
Global risk ratio for refund and invoice scams in Q4/2022-Q1/2023.
At a global level, company leaders must inform themselves and their employees about the latest trends in criminal activity to elevate their preparedness against the most current threats to systems, data, and finances.
Fighting invoice scams starts with awareness
Awareness of invoice scams is crucial to protect individuals and businesses from falling victim to fraud in today’s digital landscape. By understanding the tactics employed by bad actors, individuals and employees can develop a healthy sense of skepticism and caution when dealing with any request for payment that seems even slightly out of the ordinary.
What are the signs of a fake invoice? First: you don’t recognize the bill. It’s easy for an individual to know they didn’t order new power tools from a big-name retailer. It’s harder when an office employee receives an invoice for legal services. In that case, it’s easily stopped by checking with others in the office. Nobody ever got in trouble for confirming a bill before they sent payment.
Elevate your skepticism when you see extreme calls for urgency. A family member you haven’t spoken to for months is not going to jail unless you send cash to a judge via courier today. Your credit rating cannot be destroyed overnight if you don’t send a payment in cryptocurrency. Your boss is not going to fire you if you call them before responding to an email to buy $2,000 worth of gift certificates.
Double-checking the email is another effective way to avoid invoice scams (and questionable emails in general). Even if the invoice comes from a legitimate source like PayPal or Quickbooks, you can dig deeper into the paperwork and see if the requestor’s name is misspelled or comes from a red-flag domain like email@example.com.
By fostering awareness, you can enhance resilience against invoice scams and minimize the risk of financial loss. Moreover, spreading awareness about invoice scams through educational campaigns, workshops, and information sharing about industry peers can contribute to a wider effort in combatting cyber fraud and promoting a safer online environment for everyone.