Invoice fraud is becoming more common in South Africa, perhaps in response to worsening economic conditions. Detecting and successfully prosecuting this type of crime is difficult, but the losses can be very high. This is one case where prevention really is better than cure, says John Mc Loughlin, MD of J2 Software, a leading supplier of information security, governance, risk and compliance solutions.
“PwC research[1] shows that South Africa is the country with the highest percentage of economic crime in the world. Invoice fraud is a growing subset of economic crime because it is relatively easy to do, and can pass under the radar unless you have the right measures in place,” Mr Mc Loughlin says. “Luckily, effective measures are relatively easy to roll out.”
Fundamentally, invoice fraud involves altering an invoice to get a customer to pay for goods or services into the fraudster’s account.
Based on recent attacks seen by the J2 Software team, Mc Loughlin says that fraudsters use inside information from a supplier company to set up the scam. This inside information is typically obtained from an employee, from lost USB storage devices or from information that has been unsafely disposed of. Using a fake e-mail account set up to mimic the customer’s e-mail address and format, the fraudster then requests outstanding invoices and statements from the supplier. These invoices are then copied, and sent to the real customer with faked details of changed banking details. The customer then pays the invoices in good faith—but into the fraudster’s bank account.
There are many variations of this basic pattern.
Mr Mc Loughlin says that the keys to preventing this type of fraud are staff awareness and a simple authorisation and verification procedure based on the following five steps:
Implement security training. Fraudsters rely on inside information, so security awareness training is essential for all staff working in finance, especially those involved with changing and approving bank details for customers or suppliers. This training must focus on showing them what to look out for.
Maintain a programme of continuous awareness for staff. Staff members need to be continually reminded of the need to follow good security procedures, and updated about new risks as they come to light. Building a security culture is a continuous process—your staff’s vigilance is your best line of defence.
Put in place a clear procedure for changing banking details. Basic security and verification steps must be included. These would include:
- Careful checking of invoices and supporting documents such as bank letters. For example, on a scanned letter with a bank stamp, the text should not be visible through the stamp; nor do banks send out documents laced with errors or poor quality logos.
- Routine verification of e-mail addresses.
- Cross-checking of changes. Any requested changes should be verified by a minimum of two channels; for example, e-mail and telephone. Be sure to use existing contact details, not those supplied on the new documents.
- How to respond to any suspicious activity.
Communicate with your suppliers. It is vital that your suppliers understand exactly what your procedure for changing sensitive information, like banking details, is. Both parties should designate a point of contact.
Manage your environment. Ensure you manage your ICT environment and have a solid layered security approach covering all areas of risk. A cyber-security assessment is an extremely useful first step to identify risk areas. In addition, predictive monitoring and behavioural analytics can be used to reduce risk and improve compliance. Monitoring is also essential in helping you to identify how and where the process failure happened, so that weak areas can be strengthened.
“Simple to understand policies, ongoing monitoring and focused awareness are all crucial to the ability to reduce risk and cut losses. A poster in a lift is not awareness,” Mr Mc Loughlin concludes. “Do not wait until it’s too late.”
About J2 Software:
J2 Software is a dynamic African ICT company founded in 2006 to address the need for effective information security, governance, risk and compliance solutions in the ICT markets’ across the continent. We offer globally leading solutions including: Dtex SystemSkan; Mimecast; J2 Online Backup and Simply Secure.
1. PwC, Global Economic Crime Survey 2016 (5th South African edition, March 2016), available at https://www.pwc.co.za/en/assets/pdf/south-african-crime-survey-2016.pdf.