Invoice fraud is becoming more common in South Africa, perhaps in response to worsening economic conditions.
Detecting and successfully prosecuting this type of crime is difficult, but the losses can be very high. This is one case where prevention really is better than cure, says John Mc Loughlin, MD of J2 Software, a leading supplier of information security, governance, risk and compliance solutions.
“PwC research shows that South Africa is the country with the highest percentage of economic crime in the world. Invoice fraud is a growing subset of economic crime because it is relatively easy to do, and can pass under the radar unless you have the right measures in place,” Mc Loughlin says. “Luckily, effective measures are relatively easy to roll out.”
Fundamentally, invoice fraud involves altering an invoice so that the customer pays for goods or services into the fraudster’s bank account instead of the supplier’s.
Based on recent attacks seen by the J2 Software team, Mc Loughlin says that fraudsters use inside information from a supplier company to set up the scam. This inside information is typically obtained from an employee, from lost USB storage devices or from documents that have been disposed of unsafely. Using a fake e-mail account set up to mimic the customer’s e-mail address and format, the fraudster requests outstanding invoices and statements from the supplier. The fraudster then copies these invoices, alters the banking details on them and sends them to the real customer with a notice that the supplier’s bank account has changed. The customer pays the invoices in good faith, but into the fraudster’s bank account.
There are many variations of this basic pattern.
Mc Loughlin says that the keys to preventing this type of fraud are staff awareness and a simple authorisation and verification procedure based on the following five steps:
* Implement security training. Fraudsters rely on inside information, so security awareness training is essential for all staff working in finance, especially those involved with changing and approving bank details for customers or suppliers. This training must focus on showing them what to look out for.
* Maintain a programme of continuous awareness for staff. Staff members need to be continually reminded of the need to follow good security procedures, and updated about new risks as they come to light. Building a security culture is a continuous process: your staff’s vigilance is your best line of defence.
* Put in place a clear procedure for changing banking details. Basic security and verification steps must be built into it. These would include: careful checking of invoices and supporting documents such as bank letters; routine verification of the sender’s e-mail address against the address already on file for that supplier; and cross-checking of every change, with confirmation obtained through a contact already on record rather than through the telephone number or address supplied in the request itself.
* Communicate with your suppliers. It is vital that your suppliers understand exactly what your procedure for changing sensitive information, like banking details, is. Both parties should designate a point of contact.
* Manage your environment. Ensure you manage your ICT environment and have a solid layered security approach covering all areas of risk. A cyber-security assessment is an extremely useful first step to identify risk areas. Predictive monitoring and behavioural analytics can then be used to reduce risk and improve compliance. Monitoring is also essential after an incident, because it lets you identify how and where the process failed, so that weak areas can be strengthened.
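The verification steps above (checking the sender’s address against what is on file, treating any “new bank details” message as a change request rather than an invoice, and confirming through a contact already on record) can be partly automated at the point where supplier e-mail enters the accounts-payable queue. The following screener is an added example written for this article, not code from J2 Software or from the original text. The supplier register, the domains and account numbers, and the three sample messages are all constructed for illustration; the two-character edit-distance threshold for lookalike domains is an assumption chosen here. A “HOLD” verdict means a person phones the designated contact on file before any payment or change is processed.

```python
"""Screen incoming supplier e-mail for signs of invoice fraud.

Added example. The register, domains, account numbers and messages below
are constructed for illustration and do not refer to real organisations.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed supplier register (hypothetical): the details that were on
# file BEFORE any change request arrived. Confirmation always goes to the
# contact recorded here, never to a number or address taken from the mail.
SUPPLIER_REGISTER = {
    "acme-stationery.co.za": {"account": "62012345678",
                              "contact": "Thandi (designated contact), 011 555 0100"},
    "capesteel.co.za": {"account": "40098765432",
                        "contact": "Pieter (designated contact), 021 555 0199"},
}

# Phrases that mark a request to redirect payment. A hit means "hold and
# phone the contact on file", never "accept the new details".
BANK_CHANGE_RE = re.compile(
    r"(new|updated?|changed?)\s+(bank(ing)?\s+)?(details|account)"
    r"|account\s+(number|details)\s+(has|have)\s+changed",
    re.IGNORECASE,
)
ACCOUNT_RE = re.compile(r"\b(\d{9,12})\b")  # South African account numbers are 9-12 digits
LOOKALIKE_MAX_DISTANCE = 2  # assumption: up to two edits still "looks like" a known domain


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    reply_to: Optional[str] = None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typo-squats such as stationary vs stationery."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_supplier_domain(domain: str) -> tuple:
    """Nearest registered supplier domain and its edit distance (0 = exact)."""
    return min(((d, levenshtein(domain, d)) for d in SUPPLIER_REGISTER), key=lambda t: t[1])


def screen(mail: Email) -> dict:
    findings = []
    sender_domain = domain_of(mail.sender)

    # 1. Sender domain: exact supplier, lookalike of one, or unknown.
    if any(ord(c) > 127 for c in sender_domain):
        findings.append("sender domain contains non-ASCII characters (possible homoglyph)")
    known, distance = closest_supplier_domain(sender_domain)
    on_file = SUPPLIER_REGISTER[known] if distance == 0 else None
    if 0 < distance <= LOOKALIKE_MAX_DISTANCE:
        findings.append(f"sender domain {sender_domain!r} is a lookalike of {known!r}")
    elif distance > LOOKALIKE_MAX_DISTANCE:
        findings.append(f"sender domain {sender_domain!r} is not a registered supplier")

    # 2. A Reply-To pointing elsewhere diverts the conversation to the fraudster.
    if mail.reply_to and domain_of(mail.reply_to) != domain_of(mail.sender):
        findings.append(f"Reply-To domain {domain_of(mail.reply_to)!r} differs from sender domain")

    # 3. Any talk of new bank details is a change request, not an invoice.
    text = f"{mail.subject}\n{mail.body}"
    if BANK_CHANGE_RE.search(text):
        findings.append("bank-detail change requested: confirm by phone with the contact on file")

    # 4. Account numbers in the mail that differ from the one on file. This
    #    also catches a genuine supplier mailbox that has been taken over.
    for account in ACCOUNT_RE.findall(text):
        if on_file and account != on_file["account"]:
            findings.append(f"account {account} differs from account on file ({on_file['account']})")

    return {"verdict": "HOLD" if findings else "OK", "findings": findings,
            "contact": on_file["contact"] if on_file else None}


# Constructed sample messages: a clean invoice, the article's lookalike-domain
# scam, and a change request arriving from a genuine supplier domain.
SAMPLE_MAILS = [
    Email("accounts@acme-stationery.co.za", "Invoice INV-1042",
          "Please pay R12 400 to account 62012345678 by month end."),
    Email("accounts@acme-stationary.co.za", "Invoice INV-1042 - updated banking details",
          "Please note our new bank details: account 11223344556. Kindly pay INV-1042 there.",
          reply_to="acme.accounts@example.net"),
    Email("billing@capesteel.co.za", "Statement",
          "Our account details have changed; please use 40011112222 going forward."),
]

if __name__ == "__main__":
    for mail in SAMPLE_MAILS:
        result = screen(mail)
        print(mail.sender, "->", result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
        if result["verdict"] == "HOLD" and result["contact"]:
            print("    phone:", result["contact"])
```

Note that the third message is held even though it comes from the real supplier domain with no lookalike or Reply-To anomaly: a compromised supplier mailbox produces exactly that pattern, which is why the procedure confirms every change through the contact already on record rather than trusting the message itself.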
“Simple-to-understand policies, ongoing monitoring and focused awareness are all crucial to the ability to reduce risk and cut losses. A poster in a lift is not awareness,” Mc Loughlin concludes. “Do not wait until it’s too late.”