Business Email Compromise

Invoice redirection fraud is when a scammer poses as a legitimate supplier and then requests payment to a bank account they control. And we are seeing more and more instances of it.

In order to make the invoice look legitimate, the scammer may have hacked your, your clients or your supplier’s computer systems. The invoice may even come from a supplier’s email address (if that’s been hacked) or, more likely, from some subtle variation of it.

Often, you won’t know there’s a problem until the supplier starts chasing for the payment they haven’t received.

Preventing scams and frauds involving changing supplier or creditor banking details in businesses requires a multi-faceted approach that combines vigilance, communication, and robust verification processes.

We have a strict verification process before making any changes to banking information in Xero:

• If a supplier requests a change to bank account details, we will contact the supplier to verify the change.
• Any changes to bank account details in Xero are tracked
• A notification of bank account changes will always be sent to you, the business owner, when a change in bank account details is made (for suppliers and employees)
• We regularly update our systems and employ multi-factor authentication for Xero and other systems

Become aware of the scams - We suggest that you become aware of the risks and tactics used in these scams, and encourage you raise awareness amongst staff about the importance of verifying changes in banking information and encourage them to be sceptical of sudden or urgent requests as scammers.

Check the email address that sent the invoice - The display name on an email address can be customised to anything you want, but you cannot change the actual email address. For instance, anyone can customise their email address to display the name 'MyGov', or something similar.

Before forwarding an invoice your invoices email address, we encourage you to get into the habit of checking the actual email address that sent the email rather than the display name to ensure that it is legitimate.  See the example below or a spam email address that I recently received:

Never hurry a payment – scammers thrive on creating a sense of urgency to persuade your clients to pay up immediately. By following the normal accounts payable process (avoiding making one-off, urgent, payments), you are slowing down the process and allowing time for checks to take place

Purchase cyber insurance. Cyber insurance is crucial because it provides financial protection against the escalating threat of scams and fraud targeting supplier/creditor banking details. It covers costs associated with data breaches, legal fees, and potential liabilities arising from such incidents. Cyber insurance offers a safety net, helping companies mitigate financial losses and recover more swiftly in the event of a breach or fraudulent activity. 

Use eInvoicing. eInvoicing is a more secure way to send and receive invoices than email. It relies on message encryption, network security and governance controls. By using eInvoicing to exchange invoice data directly through your software, you’ll minimise the risk of invoice fraud or scams.

Check out this previous post for details on how to get started with eInvoicing.

By combining these measures, businesses can significantly reduce the risk of falling victim to scams and fraud involving changing supplier or creditor banking details.