A couple of weeks ago we looked at the timeless 419 (Nigerian Prince or advance fee) scam and how scammers never seem to get tired of it. It seems another popular scam is now on the rise. The fake invoice or payment notice scam is where scammers send emails to businesses demanding payment of an overdue invoice.
Below is an example of an email I have seen in the email inboxes of the domains I own:
As we are unable to connect with you over the phone.
Should we proceed Outstanding payment to this account in the attached invoice ?
The below invoice was forwarded to the account department this morning by our department.
Check the attached Invoice and confirm for a final confirmation of the details for the payment.
Awaiting your Quick Response.
Thanks & Best Regards!
international remmitance Department
Cephas Mubenshi
A copy of the email
The exact text differs, as do the names of the sender and the department they claim to work for, but the essence is the same. Your business “owes” us money for some unspecified service, the payment is past due, so pay up. A generic but professional-looking invoice is often attached to give weight to the whole story. Sometimes the clever scammers include a convenient way for you to settle the bill, e.g. via Visa/MasterCard or even PayPal. You click on the link and are redirected to a payment portal.
Does it work?
This seems so silly that the first thing that comes to mind is that there is no way it would work. Every business has checks to prevent exactly this sort of thing. “Fake billing” is easy to thwart, but just like in the Nigerian Prince scam, it’s all about the numbers.
Millions of emails can be sent out cheaply, and even if fewer than 1% of recipients fall victim, the scammer stands to have a big payday. Recently we wrote about how Pick N Pay was scammed out of about $22 million ZWL using a similar scheme, although that one appeared to be targeted. That’s over US$180 000, all in return for mass-mailing.
How to thwart this scam
Businesses that are vulnerable to this sort of scam include:
- Small businesses without a proper accounting system or department.
- Government departments, especially chaotic ones like the ones we have here.
- Partnerships where each partner enters into deals and contracts without telling the others.
- Large well-known businesses that routinely outsource services.
- Businesses with a large number of employees with access to sensitive information.
In all these instances fake-billing can be thwarted by adopting proper internal controls such as the following:
- There should be a proper division of duties.
- Payments must be made by one department or person; no one else should be able to initiate payments.
- Payments can only be made after being reviewed by another person or department.
- In a large organisation, if you receive an email with an invoice for services said to have been rendered to another department, call that department using known contact details to confirm it is true. In fact, departments must be sent copies of invoices so they can approve them.
- Invoices must go through departments that benefited from the services rendered.
- Invoices must be accompanied by an internal work order.
- All contracts entered into by partners on behalf of the business must be subject to approval before payment is authorised.
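The controls above can be turned into a mechanical check that a payments clerk runs before anything is paid. The following is an added illustration, not code from the original post; the Invoice fields, the team names and the two sample invoices are constructed.

```python
# Added example: the internal controls listed above expressed as a
# pre-payment check. The Invoice fields and the sample data are constructed
# for illustration; they are not from the original post.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Invoice:
    vendor: str
    amount: float
    department: str                 # department said to have received the service
    work_order: Optional[str]       # internal work order reference, None if absent
    initiated_by: str               # who entered the payment
    reviewed_by: Optional[str]      # second person or department that reviewed it
    dept_confirmed: bool            # benefiting department confirmed via known contact
    partner_contract: bool = False  # contract entered into by a partner
    contract_approved: bool = False


def approval_issues(inv: Invoice, payments_team: set) -> List[str]:
    """Return every control the invoice fails; an empty list means it may be paid."""
    issues = []
    # Division of duties: only the payments function initiates payments.
    if inv.initiated_by not in payments_team:
        issues.append("initiated outside the payments function")
    # Every payment is reviewed by someone other than the initiator.
    if not inv.reviewed_by:
        issues.append("no independent review")
    elif inv.reviewed_by == inv.initiated_by:
        issues.append("initiator reviewed their own payment")
    # No internal work order means no evidence the work was ever requested.
    if not inv.work_order:
        issues.append("no internal work order")
    # The department that supposedly benefited must confirm the service.
    if not inv.dept_confirmed:
        issues.append("benefiting department has not confirmed the invoice")
    # Deals signed by a partner on the firm's behalf need approval first.
    if inv.partner_contract and not inv.contract_approved:
        issues.append("partner contract not approved before payment")
    return issues


def may_pay(inv: Invoice, payments_team: set) -> bool:
    return not approval_issues(inv, payments_team)


# Constructed sample: an unsolicited "overdue invoice" like the email above
# arrives with no work order and no department able to vouch for it.
SCAM = Invoice("Intl Remittance Dept", 4800.0, "procurement", None,
               "accounts_clerk", None, False)
# Constructed sample: a legitimate invoice that has gone through the controls.
LEGIT = Invoice("Office Supplies Ltd", 320.0, "admin", "WO-2024-017",
                "accounts_clerk", "finance_manager", True)
```

The scam invoice fails three controls at once, which is the point: a scammer who has never dealt with the business cannot produce a work order or a department willing to confirm the service.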
The specific guidance each business must follow will vary, but International Standard on Auditing (ISA) 315 lays the groundwork and goes to great lengths to explain what should happen. Internal controls are not foolproof, but they are hard to beat, and most scammers will choose to just move on.