Protecting businesses and individuals from invoice fraud
Invoice fraud has been in the news this week after Goliath and Goliath was hit by hackers who intercepted the company's invoices to its clients, diverting over R300 000 from the comedy and entertainment agency and its subsidiary, The PR Bailiff.
Fraud like this is known as "authorised push payment fraud", and it happens when fraudsters deceive a business or customer into sending them a payment under false pretenses, to a bank account controlled by the fraudster. If the payment is made using the South African SAMOS clearing system it is irrevocable: victims cannot reverse a payment once it has been settled, even if they realise they have been conned.
With real-time payments available to business and individuals in South Africa this kind of fraud is attractive to criminals because they can quickly take the money and run. It is on the rise – but what is it? And who are the victims?
The approach taken by the fraudsters is not new. They use social engineering techniques and may hack into email and other systems in order to set up their victims. These methods are used to perpetrate a wide range of attacks — the defining factor in authorised push payment fraud is the use of push payment methods, sometimes real-time payment schemes, to transfer the money to the fraudsters. Fraudsters have developed a wide range of sophisticated hacking techniques, so their approaches are much more convincing than in past years. They target the business using vishing, smishing and phishing to extract information and build relationships they can use. In some cases they use 'spear phishing' techniques to target decision makers at a business and trick them into actions that enable the fraud. As more consumers and businesses adopt simple ways to send money directly from their accounts, often in real time, the potential pool of victims has grown.
These criminals are devious and clever, and victims cannot simply be written off as gullible. As electronic payment schemes can be used to transfer large sums of money, there is a need to employ layered fraud protection across all products and channels used to manage real-time payments.
Authorised push payment fraud schemes include:
Attacks on Individuals
- Paying an invoice that looks exactly like one from your service provider – but it turns out to be from a fraudster and sends the money to the fraudster's bank account.
- Sending payment for work done by a tradesperson such as a carpenter or a builder who's been working on your house, only to find that you have acted based on an email that came from a fraudster pretending to be your legitimate contractor.
- Account takeover, where fraudsters initiate push payments to new payees – often across different channels with the goal of outsmarting existing fraud controls.
Targeting property transactions
This kind of fraud can affect any property purchase, whether by an individual or a business. In fact, the conveyancing solicitors may also end up as victims of payment fraud. Property purchase fraud occurs when criminals intercept the email chain between sellers, buyers, estate agents and solicitors. Once the communications are intercepted, the fraudsters change the payment information related to transfer of funds so that payments are diverted to the fraudsters' account. With property transactions, the sums involved are likely to be large and falling victim can be life-changing.
Intercepting supplier payments
Also known as fake invoice fraud, this type of phishing fraud uses a combination of interception and social engineering techniques to obtain information. With that information, fraudsters are able to convince individuals or businesses to change bank account details, getting their victims to replace the account number of the legitimate supplier with their own.
The unfortunate scam experienced by Goliath and Goliath used this type of invoice fraud. The company's emails were hacked and intercepted. The fraudsters were able to insert their own messages into the system and make them look as if they came from a legitimate supplier who had changed their bank account details. The new bank account details were, of course, those of the fraudster who was then able to persuade Goliath and Goliath's customers to make payments intended for their supplier to them.
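The control that defeats this pattern is to treat any invoice whose bank details do not match an independently verified vendor record as a hold, not a payment, and to accept a change of details only after a callback to a number already on file. The following is an added illustration, not code from the article or from FICO or Goliath and Goliath; every vendor name, account number and invoice in it is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BankDetails:
    bank: str
    branch_code: str
    account_number: str

# Constructed vendor master. Each record was verified out of band (a phone
# call to a number already on file), never from details sent by email.
VENDOR_MASTER = {
    "Acme Stationers": BankDetails("ExampleBank", "250655", "1234567890"),
    "Bright Lights AV": BankDetails("ExampleBank", "198765", "2222333344"),
}

def check_invoice(invoice):
    """Return (decision, reason): 'pay', or 'hold' for out-of-band verification."""
    vendor = invoice["vendor"]
    supplied = BankDetails(invoice["bank"], invoice["branch_code"],
                           invoice["account_number"])
    known = VENDOR_MASTER.get(vendor)
    if known is None:
        # New payee: the account-takeover pattern of pushing money to a payee
        # the business has never paid before.
        return "hold", "unknown payee '%s': verify before first payment" % vendor
    if supplied != known:
        # The fake-invoice pattern: a familiar supplier name with changed
        # bank details, which is what the intercepted emails carried.
        return "hold", "bank details for '%s' differ from verified record" % vendor
    return "pay", "bank details match verified record"

def confirm_change(vendor, new_details, verified_by_callback):
    """Accept a bank-detail change only after a callback to the number on
    file confirms it; an email saying 'we have changed banks' is never enough."""
    if not verified_by_callback:
        return False
    VENDOR_MASTER[vendor] = new_details
    return True

# Constructed invoices: one genuine, one with swapped account details, one
# from a payee not on file.
SAMPLE_INVOICES = [
    {"invoice_id": "INV-1001", "vendor": "Acme Stationers", "bank": "ExampleBank",
     "branch_code": "250655", "account_number": "1234567890"},
    {"invoice_id": "INV-1002", "vendor": "Bright Lights AV", "bank": "OtherBank",
     "branch_code": "470010", "account_number": "9999888877"},
    {"invoice_id": "INV-1003", "vendor": "Quick Couriers", "bank": "ExampleBank",
     "branch_code": "250655", "account_number": "5555666677"},
]

def screen_batch(invoices):
    """Map invoice id to decision so only 'pay' items reach the push-payment run."""
    return {inv["invoice_id"]: check_invoice(inv)[0] for inv in invoices}
```

Because a settled real-time payment cannot be recalled, the hold has to happen before the batch is released, not in a post-payment review.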
Fraud schemes like these can be highly unsettling – especially because they involve the stealing of personal information over what is usually a trusted platform, whose weakness might have been exposed to an unsavoury audience.
Speaking on the matter, Goliath and Goliath CEO Kate Goliath said that small businesses need to educate themselves about cybercrime well enough to understand what services they need from their business IT solutions provider to better fortify their systems against hackers.
This is valuable advice, given that most companies are now performing a lot of their key functions in the digital space. It is going to be especially important for the South African business sector to place push payment fraud high on its agenda – something that countries like the UK, the USA and Australia have already begun doing in line with their mass adoption of real-time payment schemes.
By Sarah Rutherford, FICO's fraud, cybercrime and compliance business marketing solutions manager