Fake Online Invoices: The Ineradicable Pests of Small Businesses

How serious is the threat?

The short answer to this is that the situation is worse than ever: in fact, the IBM Threat Intelligent Index of 2017 showed that in 2016 more than half of all spam emails contained malware. But there is more: according to Symantec’s reports at least a quarter of phishing emails used the disguise of a fake invoice, while the number of ‘whaling’ or business email compromise (BEC) scams – where the scammer is disguised as a company executive – is also at an all-time high.

Additionally, there is the case of W-2 phishing emails: according to a recent IRS report, the number of these attacks, where hackers impersonate high-level company executives to obtain employee W-2 forms from the payroll department in order to commit tax and refund fraud, increased by a whopping 870% just in the 2017 tax season – with a quarter of businesses sadly falling for the trick.

Examples of fake invoices

In order to effectively fight the ever-growing swarm of fake invoices, it’s important to be able to recognize this form of attack. This is important, because a contract disguised as an invoice requires completely different countermeasures than a fake online invoice with a dangerous link or attachment.

Invoice-like contracts: wolves in sheep’s clothing

These scams appear as legitimate invoices, but the moment they are paid, victims enter into a contract with the scammer by purchasing products or services they would have never ordered under normal circumstances.

Thankfully these kind of fake invoices are pretty easy to detect, since they never contain one crucial detail a normal business would never miss from a legitimate invoice: a telephone number. But be careful: only those contracts that lack a notice about the true intention of the ‘invoice’ can be deemed null and void.

Phishing invoices

Phishing attacks are more dangerous since it targets sensitive personal data. Usually these scams look like official emails with a PDF attachment coming from a company whose services your business uses. However, by clicking on those links and attachments the user downloads malicious files that will snatch valuable personal or confidential business information.

However, like in the case of invoice-like contracts, phishing emails can be easily spotted by simply checking the sender’s email address and not opening any links and attachments before a thorough inspection and confirmation of the sender.

How to battle fake invoices

A good way to never fall for fake invoices is to search the internet for examples. Take Xero for example, which has a dedicated site with a constantly updated collection of phishing attempts. Aside from learning from mistakes, checking invoices originating from unusual sources, refraining from paying until the transactions are duly approved, and double-checking the senders address of suspicious emails are good ways of preventing scammers. As long as your orders are confirmed by vendors in person there can be no problems.

But the true nail in the coffin for fake invoices is that online accounting programs can record all transactions in a thorough manner, meaning that you can match invoices with the right transaction to immediately exposing scam attempts.

With fake invoices plaguing all of us, chances are that your clients are also aware of the many fake online invoices reaching their email inbox, too. The rise of fake electronic invoices and the increased alertness of the spam filters to tackle the problem could result in your outgoing bills ending up in the customer’s junk mail, and eventually becoming overdue.

Creating and sending your outgoing invoices to customers using a trusted online accounting or invoicing solution ensures your invoice ends up in their inbox rather than their spam folder, and makes them more confident that they’re being sent a legitimate invoice. Adding an accompanying personal note to the invoice email helps further build that trust. Inform your customer that they’ll be receiving an invoice sent through your accounting or invoicing cloud service, and perhaps even share the email address it will be sent from so they can also whitelist that email address.