The unprecedented events of 2020 have had a significant impact on the way cyber criminals have developed and administered attacks. Not only are we seeing the emergence of Ransomware 2.0, we're also seeing a continued explosion in invoice and payment-based business email compromise (BEC) fraud.
A BEC attack, also known as man-in-the-email, involves cyber criminals masquerading as, or directly compromising, a business email account in order to deceive trusting individuals into taking a certain action. In the case of invoice and payment fraud, the BEC attack will usually target a business's finance department, pose as a vendor or senior management, and ask for a payment to be made to a fraudulent bank account.
In the first half of 2020 we saw a spike in COVID-19 related BEC attacks; however, according to Abnormal Security, invoice and payment-based BEC fraud rose by 81% between Q2 and Q3. The sharp increase in invoice and payment fraud is only projected to continue in Q4 and into early 2021.
The difficulty we face with BEC attacks is that they are often tailored to their victims. Attackers will spend time researching their target, looking for the emails and individuals they think will be most likely to result in a pay out. They will carefully choose who they will pretend to be and will know enough about the victim organisation to put together a convincing email. This can make it incredibly hard to detect that an email is not genuine.
In 2019, surveys by UK Finance revealed that invoice and payment fraud costs organisations £92.7 million each year and that 43% of businesses are not aware of the dangers of invoice fraud. The cost of invoice and payment fraud is only going to increase as we move into 2021, and with the lack of awareness in the general business population, invoice and payment fraud will likely remain highly successful.
How Can We Combat Invoice and Payment Fraud?
The first step to safeguarding any organisation is to raise awareness. Many members of staff may not even know what invoice and payment fraud is or the techniques used by the attackers. Training staff could be as simple as walking them through a scenario in which an attack may occur.
For payment fraud, where you receive an email from an individual (for example senior management) asking you to make a payment to an unknown destination, call the individual and confirm it. Attackers will usually try to dissuade you from contacting the individual they are posing as, and this is a red flag that the email may not be genuine.
When it comes to remaining vigilant, don't be afraid to look for or ask for clarification. If you receive an invoice from a supplier, check the account details against a receipt of goods or purchase order. If you're unsure about an invoice, or it doesn't match the purchase order or receipt, get in contact with the supplier. Call them just to clarify; your supplier will likely appreciate that you're taking steps to ensure both your own and your supplier's security.
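The two checks described above (does the invoice match an open purchase order, and do the bank details match what you already hold for that supplier) can be made routine rather than left to memory. The following is an added example, not code from the original article or any product it mentions: a small Python reconciliation step that compares an incoming invoice against a constructed vendor master record and a list of open purchase orders, and returns the reasons a human should pick up the phone before paying. The vendor book, sort codes, account numbers, domains and PO numbers are all invented sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class VendorRecord:
    """What finance already holds for a known supplier (constructed sample)."""
    name: str
    email_domain: str      # domain the supplier normally sends from
    sort_code: str
    account_number: str

@dataclass(frozen=True)
class Invoice:
    """Fields lifted from an incoming invoice email (constructed sample)."""
    vendor_name: str
    sender_email: str
    reply_to: str
    sort_code: str
    account_number: str
    purchase_order: Optional[str]

def _domain(address: str) -> str:
    # Compare on the part after the last '@', case-insensitively.
    return address.rsplit("@", 1)[-1].strip().lower()

def verify_invoice(invoice: Invoice, vendor_book: dict, open_pos: set) -> list:
    """Return a list of reasons to hold payment and confirm out of band.

    An empty list means every check passed; anything else means
    'call the supplier on a number you already have before paying'.
    """
    flags = []
    vendor = vendor_book.get(invoice.vendor_name)
    if vendor is None:
        return ["vendor not in master record: confirm by phone before onboarding"]

    # 1. Sender and Reply-To should both belong to the supplier's usual domain.
    if _domain(invoice.sender_email) != vendor.email_domain:
        flags.append("sender domain differs from vendor record")
    if _domain(invoice.reply_to) != vendor.email_domain:
        flags.append("reply-to domain differs from vendor record")

    # 2. Bank details must match what is already on file; a change is the
    #    classic invoice-fraud signal and must be confirmed by phone.
    if (invoice.sort_code, invoice.account_number) != (vendor.sort_code, vendor.account_number):
        flags.append("bank details differ from vendor record: confirm by phone")

    # 3. The invoice must reference a purchase order we actually raised.
    if invoice.purchase_order is None or invoice.purchase_order not in open_pos:
        flags.append("no matching open purchase order")

    return flags

# Constructed sample data for a stand-alone run.
VENDORS = {
    "Acme Widgets": VendorRecord("Acme Widgets", "acme-widgets.example", "12-34-56", "12345678"),
}
OPEN_POS = {"PO-1001", "PO-1002"}

GENUINE = Invoice("Acme Widgets", "billing@acme-widgets.example",
                  "billing@acme-widgets.example", "12-34-56", "12345678", "PO-1001")

# Same supplier name, but new bank details, a look-alike reply-to domain
# and a PO number finance never raised.
SUSPECT = Invoice("Acme Widgets", "billing@acme-widgets.example",
                  "billing@acme-wldgets.example", "65-43-21", "87654321", "PO-9999")

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("suspect", SUSPECT)):
        problems = verify_invoice(inv, VENDORS, OPEN_POS)
        print(label, "->", "OK to route for approval" if not problems else problems)
```

The point of the script is not to decide whether an invoice is fraudulent; it is to make sure that a changed bank account or an unknown purchase order cannot slip through simply because a busy clerk did not think to look. Each flag maps to the manual step the article recommends: stop and call the supplier on a number you already have.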
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.