Invoice fraud is, unfortunately, fairly common. It’s also not always easy to detect and, as a result, typically occurs over a long period, costing a business thousands, if not millions, of dollars. This guide aims to examine invoice fraud and assist business owners and accountants in preventing it. Read on to learn about common types of invoice fraud, how to avoid these scams, how to report fake invoices, and more.
Understanding the impact of invoice fraud
A former Amazon operations manager was recently sentenced to prison for 16 years. Her crime? Between August 2020 and March 2022, she engaged in an elaborate invoice fraud scheme that netted over $9.4 million. Leveraging her position within the business, she created fake vendor profiles and fake invoices within the Amazon systems. Then, she funneled the corresponding payments for these invoices to her bank account.
According to survey data compiled by the Association of Certified Fraud Examiners (ACFE) and presented in their Occupational Fraud 2022: A Report to the Nations, invoice fraud and related billing schemes were the most common forms of asset misappropriation reported by participants.
In fact, billing fraud reflected 20% of investigated cases. These schemes were particularly damaging because they often went undetected for long periods, in some cases 18 months, and resulted in the highest median loss — $100,000 — for the category.
Types of invoice fraud: Common invoice scams
1. Bill Padding
In these cases, the invoice is a legitimate payment request, but some charges are erroneous. The per-unit pricing isn’t quite right, or the delivered inventory figures are slightly inflated. All documented counts are sometimes accurate, but lousy math ends with an inaccurate total.
Unfortunately, with this type of fraud, it isn’t always easy to determine if the source is an honest mistake or deliberate malfeasance — although frequency might offer some indications. Similarly, if all of the “calculating errors” fall in the favor of your supplier, you should probably begin exploring alternate providers.
2. Duplicate invoices
Another source of fraud due to malice or a legitimate mistake is invoice duplication, a frequent source of billing irregularities. For this strategy, an unscrupulous vendor can either submit the same document twice or list the same materials delivered on more than one of their provided payment requests.
Often, these schemes are most effective against companies that work on complex projects that might generate multiple billing requests across several vendors. If a given supplier only sends you one invoice per month or quarter, your accounting staff will likely be able to determine if it’s already been paid. However, knowing which ones have been covered can prove challenging if that supplier sends more than 20 unique invoices each month.
3. Fake orders
If your business still needs to order something, you are not obligated to pay for it. However, some scams rely on the day-to-day chaos of accounts payable departments to trick you into believing you submitted a non-existent order.
These fraudsters may pose as service providers — such as claiming to be responsible for your web hosting or domain registration — and request annual fee payments. Or they may fabricate non-existent orders from whole cloth, insisting you compensate them for product deliveries that never happened or deliveries that you never ordered.
4. Internal fraud
As already demonstrated, sometimes the phone call — or the fraud — comes from inside the house. Depending on how you handle your accounting processes, internal staff might be able to create dummy accounts for fake vendors within your accounts payable (A/P) systems. And since these “companies” are listed as legitimate, existing vendors, your accounting team will be more likely to send out erroneous payments.
Alternately, these rogue workers can serve as accomplices to any other fraud vectors in this list, allowing themselves to be willfully fooled. Or if they are authorized to make purchases, they might be buying personal items (e.g., clothing, meals, hotels) that they then charge to your business via an unauthorized invoice.
5. Misdirection
Given the law of averages, at some point, your IT systems will be compromised by outside parties. And when the scope of this intrusion isn’t accurately determined, these criminals may be able to hijack legitimate payments. Often, these efforts will focus on compromising email accounts — particularly those of your A/P staff or executives — allowing criminals to actively monitor, intercept, and change details in payment-related discussions.
By altering just a few digits in an account number, they can ensure they’re first in line when you pay your bills.
6. Social engineering and phishing
Humans can be easily manipulated, so often, the attack vector chosen by fraudsters is your honest, hard-working staff. Through phishing schemes, criminals will contact your accounting or financial teams — predominately through email but possibly via phone, social media, or text — claiming to be either a coworker or representative from one of your suppliers. They’ll then leverage the naiveté of your staff to acquire privileged information related to accounts, transactions, policies, or other critical details. And with this data, fraudsters can more easily submit bogus payment requests.
Alternately, these criminals might use the point of contact to convince your employees to alter account or payment details directly, shifting legitimate payments away from your vendors and into their accounts.
How to identify and avoid invoice scams
If you further explore each of the strategies listed above, you begin to notice common vulnerabilities that scammers like to exploit. Poor data visibility, inconsistent processes, limited communication, overworked accounting staff — any of these departmental challenges can make you an easy mark. And whatever anti-fraud plan you pursue will easily prove insufficient if the underlying issues aren’t addressed.
You’ll look for abnormalities or inconsistencies with known facts or historical trends. If something looks wrong, it probably is. Keep an eye out for unprofessional communication as well. Scammers often include spelling and grammar mistakes to identify and focus on those targets, paying the slightest attention.
1. Automated accounting
One of the simplest measures to protect your finances is automating your accounts receivable (A/R) efforts. Streamlined, consistent processes will limit who has direct access to customer and financial records, helping mitigate your risk against internal fraud.
Many platforms — including the Accounts Receivable Automation solution we offer here at Invoiced (a Flywire company) — deliver automated verification checks within established workflows that can help identify process and data irregularities, whether they’re caused by honest mistakes or criminal misconduct.
For example, our Remittance Advice AI feature automatically detects and processes remittance advice for incoming transactions and intelligently handles short payments, overpayments, and more. At the same time, our CashMatch AI will direct these funds to the appropriate customer account without the need for human oversight, making it that much more difficult to hijack payments. And for customers to gain access to the Invoiced Network — and engage in financial transactions — they’ll first need to verify their business with a tax ID.
2. Constant contact
If your accounts payable staff are regularly interfacing with contacts at your established suppliers and vendors, it will be much harder for a fraudster to deliver a convincing impersonation.
After all, if you’ve heard a vendor’s voice on the phone dozens of times, you’ll know when someone else is using their name. Also, with routine, ongoing communication, you’ll likely be made aware of payment irregularities more quickly. So, when fraud happens, it will cause far less financial damage.
3. Data security training
As previously stated, a common (and often successful attack) vector involves targeting your workers. Consider providing data security training to everyone in the company, particularly to executive staff and anyone tied to finances.
If your employees know the common signs of phishing or other social engineering attacks (e.g., a sense of urgency, spoofed URLs, etc.), they’ll be less likely to fall for these schemes.
4. Document matching
To help ensure that the invoices and payment requests you receive represent legitimate charges, compare these documents with your existing files. Do the address and bank account details match historical records? Does the order’s size, price, and timing align with previous purchases from this vendor? A larger-than-average invoice may reflect a surge in your company’s production, but you should always double-check.
Similarly, you should employ 2-way or 3-way matching for your invoices. This strategy involves comparing the details of the submitted payment requests against the purchase orders or receiving records you already have on file.
5. Don’t talk too much
Scammers, particularly those relying on social engineering strategies, will use whatever information they can find about your business to create an artificial sense of familiarity. Make it challenging for them.
Be mindful about what information you release to the public about the suppliers or vendors connected to your business. Can these details be easily found on your company website or promotional materials? The harder it is to know who you might owe money to, the harder it will be for fraudsters to convince you that it’s them.
6. Multi-channel authentication
To increase the difficulty for hackers or fraudsters to change the billing or address information you have on file for your suppliers and vendors, bolster the requirements to update these records. If a change request comes in via email or text, have your accounting staff confirm the change over the phone via an established contact.
Verify the alteration via an existing email address or trusted social media connection when an update is phoned in.
7. Trust no one
Yes, this may feel extreme, but it will save you a headache in the long run. When bringing on new vendors or accepting large orders from new customers, knowing who you are dealing with benefits your business and your bottom line. For each of these new business relationships, research their history — do they have a reputation for legal problems? What does their credit rating look like? Were they just founded?
If you’re in the United States or Canada, consult with the Better Business Bureau to see their rating and what complaints have been lodged against them.
How to report fake invoices
If Fortune 500 companies can fall victim to invoice fraud, it’s a safe bet that your business can also be hit despite all of your best efforts. So what then? What is the intelligent response to being scammed?
Typically, you want to take three direct steps:
- Contact your bank, credit company, or relevant financial institution
- Notify the appropriate government authorities
- Run internal audits to clarify what went wrong
Step one is pretty straightforward. Depending on how quickly the fraud was detected and the nature of the payment type, your bank may be able to cancel the transaction before it’s finalized.
Notifying the relevant authorities, however, can be complicated. The appropriate reporting body will vary by region and the nature of the crime, but a smart place to start is contacting either your local police department or the state attorney general’s office for advice. Excluding rural areas, these agencies frequently have dedicated anti-fraud task forces.
If you operate in the United States, consider reaching out to the U.S. Postal Inspection Service or the Federal Trade Commission (FTC). Or, if you’re in Canada, contact the Canadian Anti-Fraud Centre.
Finally, you’ll want to determine which vulnerability within your business was exploited and how to prevent it from happening again. Fortunately, since you’ve detected the fraud, you’ll likely already know the Where if not the How.
Help avoid invoice fraud with Invoiced
Keeping your accounts and accounting operations safe from fraud is a never-ending challenge. The unfortunate reality is that at some point, someone will eventually try to fool your business. But the truly frightening truth is that they may already have done so, and you didn’t realize it.
Rather than letting these criminal enterprises fester within your company, we recommend taking proactive measures like the ones already discussed. And, an accounting automation solution (coupled with sound cybersecurity efforts) can provide you with the most comprehensive avenue for protection.
Consider our Accounts Receivable Automation software, which offers embedded validation checks throughout your invoicing process, helping to reduce the likelihood of erroneously sending out duplicate invoices or processing duplicate payments. And comprehensive integration features make it easier for your enterprise resource planning (ERP) systems to communicate with your vendors directly, further removing the human element — and additional opportunities for fraud.
At the same time, our E-invoice Network can simplify and streamline your invoice management efforts, freeing your staff to focus on and further investigate problems and irregularities.
Schedule a demo today to learn how Invoiced can help protect your business from fraud and see what else our software can do.
