Fears of a cyberattack are becoming an increasingly prominent reason given by businesses – especially SMEs – as to why they have not yet implemented cloud-based, automated and electronic systems like e-invoicing and digital procurement.
Those fears may not be overblown. Recent research from Symantec in its Internet Security Threat Report found SMEs to be a growing target for cyber thieves, with 60 percent of cyberattacks in 2014 hitting small businesses.
Unfortunately, an emerging trend is unlikely to quell any of these cyber fears. A new twist on an old scam is making it more difficult than ever to detect and prevent fraud, and it’s hitting the B2B sector specifically.
There are a variety of ways to complete an invoice scam, also called a “business email compromise,” “corporate account takeover,” or “business email fraud” scheme. One process involves a criminal sending an official-looking email to a business pretending to be one of its suppliers. According to experts, the scammers will either send a fake invoice, or will notify a business that the “supplier” has changed its bank, instructing them to settle their invoices with payments into a different bank account. Sometimes, a legitimate invoice is sent to a corporate buyer, but hackers have altered payment directions on the e-document.
In some instances, the thieves can use malware to hack a company’s email system, then alter a legitimate email to include different wire transfer or ACH instructions, diverting a payment from landing in a supplier’s bank to landing in the hackers’ accounts.
The invoice scam is not a new phenomenon. The crime works, at its most basic level, by sending a fake invoice to a company that appears to come from one of its suppliers. The invoice includes payment instructions, and boom, the company unknowingly pays its scammers.
But as corporate treasury becomes more sophisticated, so do the scams. The U.S. Postal Service has had fake paper invoice schemes on its radar for some time, but in a PSA issued last January, the Federal Bureau of Investigation warned companies of the emerging criminal act. Today, authorities say there are several ways these crimes can be carried out as digitization has given cyber thieves more resources than ever before to target a company.
At the time of the FBI’s PSA, for example, authorities had found that these schemes were responsible for about $215 million worth of losses between October 2013 and December 2014. Last month, the FBI found that between October 2015 and June 2015, that number is now about $1 billion.
According to The Wall Street Journal, the FBI arrived at this $1 billion figure after aggregating complaints from businesses in 64 nations, reports said, most of which came from the U.S. Experts told the publication that the rise in frequency and sophistication of these schemes can be attributed to the electronification of corporate treasury functions.
Assistant Special Agent Steven Bullitt, who heads the Dallas Field Office for the Secret Service, told The WSJ that these schemes are growing because “everything is online these days.” Not only are businesses migrating their supplier payments and accounting operations online, he said, but thieves can dive into a company’s social media or website activity to gather intelligence.
Small businesses continue to be a top target for these scams, too, according to cybersecurity company Trustwave Holdings global director of incident response Brian Hussey. “Small businesses are probably one of the biggest targets,” he told The WSJ, “because they don’t have the same budgets for security and investigations.”
Another cybersecurity firm, CrowdStrike, explained one of these schemes they had recently investigated. CrowdStrike Chief Executive George Kurtz told The WSJ that an investigation into a recent theft of $100,000 from scrap metals processor Mega Metals (an Arizona-based, 30-person business) revealed that the thieves apparently uploaded malicious software onto the firm’s broker’s computer, which gave them access to the broker’s email.
The hackers then sent fake emails from the broker’s account to provide fake instructions to Mega Metals to wire payments to suppliers to a different account, making those instructions seem more legitimate because they referenced actual purchase orders. The fraud wasn’t detected, reports said, until the real supplier issued a notice that they had not yet been paid.
In a separate case, Infront Consulting Group was hit with a scam almost costing them nearly $170,000. Hackers reportedly sent an email that seemed to come from Infront’s chief executive, and instructed the company’s CFO to wire funds to a fake company.
Experts say the “don’t call me, I’ll call you” rule can be a good way to avoid unsolicited demands or payment instructions, and businesses are advised to verify with their supplier any change in payment or invoice terms. But with B2B companies facing new pressure to digitize their supplier payments processes, the threat of the e-invoice scam will continue to loom over the industry.