If you run a business, be on the alert for invoice hacking – also known as invoice redirection fraud. It’s a crime that sees crooks impersonate a trusted supplier, and it can take your blemish-free business to the cleaners.
Invoice hackers send emails coupled with an invoice for payment. It all looks legitimate, but the sender says they’ve changed their bank account details, and would you mind paying the invoice to the new account?
The trouble is, that new account belongs to crooks not your regular supplier.
You may not realise you’ve fallen victim to a scam until weeks later when the genuine supplier gets in touch asking you to pay up. By that time your money – and the scammer – are both long gone. It can leave you paying an invoice twice, or worse, copping legal action from a supplier.
Slicker than your average
The challenge with invoice hacking is that everything can appear above board – no dodgy spelling, no obviously bogus email addresses, and no impersonal “My dearest friend” type greetings that we associate with email scams.
That’s because the whole thing kicks off when cyber crims hack into either your system or your supplier’s network. So, they may use a supplier’s legitimate email address or a subtle variation of it, and the invoice will likely be on letterhead that’s the real deal.
It doesn’t help that scammers know workplaces are busy. And this can be the weak spot that lets the crooks get away with the loot.
Contact suppliers about changes to bank details
It always makes sense to have strong security around your network, email, accounting and other systems. Another good idea is to store suppliers’ bank account details in your accounting software or online banking instead of entering account details manually whenever you pay invoices.
But often it is human interaction that can minimise the risk of invoice hacking. If you receive an email saying a supplier’s bank account details have changed, contact them over the phone to confirm. Use a phone number from a different source, not the one shown in the email or invoice.
On the flipside, ask your customers to get in touch if they receive a change of account request that seems to come from you. This may mean explaining the risk of invoice hacking – send a link to this page. If you do change your business bank account, be on the front foot and call your customers to let them know what’s happening. That way they can be sure any changes to payment details are coming from you, and not a hacker.
What if I’ve been scammed?
If you’re concerned you may be a victim of invoice hacking or you have received any communication that meets the above criteria, contact your bank straight away.
This article is prepared based on general information. It does not take into account individual financial objectives or needs and is not financial product advice.