Spotting and Stopping Invoice Redirect Fraud
Between 2013 and 2015 a team operating out of Lithuania stole over 100 million dollars from Facebook and Google. Perhaps the most shocking detail is that they didn’t “steal” this money secretly. They asked for it directly in emails and invoices. By impersonating a company that Facebook and Google were used to working with, this team was paid large sums of money straight from these giant tech companies.
This modern scam, technically labelled invoice redirect fraud, represents a threat to all companies. In today’s fast-paced world, companies may not be taking the time to double check every invoice and email that comes across their path. Thankfully, there are practical steps you can take to mitigate these risks.
On this episode you’ll hear:
- The different forms invoice redirect fraud can take
- Real examples of this behavior
- Ways fraudulent actors might be accomplishing these scams
- Practical steps you can take to protect yourself and your company
- The importance of being proactive and preventing this
- Insurance options that might protect you
- The most negative outcomes that have occurred because of these scams
If you’re looking for cutting edge practices that will protect you and your company from fraudulent invoices, then this is one episode you won’t want to miss!
- Invoice Fraud and How to Prevent It
- Free Chapter of “Profit Leaks” by James Kennedy and Garret Carragher
Transcription of This Episode
The Gross Profit Podcast is your one-stop shop on the path to profitability. Each week we share authentic advice on the positive practical steps you can take to make the company you love more profitable. If you’re looking for a positive plan to help you avoid common spending mistakes, control costs, and increase your profits, then this is the place for you.
I’m Ryan Cowden and this week we’re joined by our host James Kennedy of procurementexpress.com, and Mike McGrath of Arvo. In this episode of The Gross Profit Podcast, James and Mike discuss ways you can recognize and prepare for invoice redirect fraud.
Between 2013 and 2015, a team operating out of Lithuania stole over $100 million from Facebook and Google. Perhaps the most shocking detail is that they didn’t steal this money secretly, they asked for it directly in emails and invoices, by impersonating a company that Facebook and Google were used to working with.
This team received large sums of money straight from these giant tech companies. This scam, officially known as invoice redirect fraud, represents a real threat to modern companies. In today’s fast paced world, companies may not be taking the time to double check every invoice and email that comes across their path. Thankfully, there are practical steps you can take to mitigate these risks.
On this episode you’ll hear the different forms invoice redirect fraud can take. This fraud commonly occurs when companies receive fake emails and invoices that are similar to their actual clients.
Next, we’ll hear some real examples of this behavior, such as creating fake accounts that spring up and disappear as soon as the money is received. Then we’ll cover ways fraudulent actors might be accomplishing these scams. These scams might be the result of hacking, but often take the form of fake contracts or purchase orders, as well as requests to change details on invoices.
After that we’ll go over some practical steps you can take to protect yourself and your company. It will take more time, but if you insist on two sources of verification, and go over changes on the phone with your clients, you can do a lot to prevent this sort of fraud. James and Mike will cover the importance of being proactive and preventing this. It’s important to act quickly, or the money might be gone forever.
And finally, James and Mike will also share some insurance options that might protect you and cover some of the most negative outcomes that have occurred because of these scams. If you’re looking for some cutting edge practices that will protect you and your company from fraudulent invoices, then this is one episode you won’t want to miss. There’s a lot of actionable advice in this episode, so grab something to write with, because you’re going to want to take notes.
As always, I’ll be back on the other side to wrap up any loose ends. So without any further ado, here’s our conversation with James and Mike.
Welcome to The Gross Profits Podcast. My name is James Kennedy. I’m the CEO and co-founder of procurementexpress.com. We help hundreds of companies spend billions of dollars each year, and on this podcast we bring you the latest news, tips, and advice, on creating a more profitable company, i.e. cutting costs, reducing overhead, overall making your company thrive.
So today, I’m honored to have with me as a guest Mike McGrath. Mike is one of Ireland’s foremost procurement consultants. Works with a full range of companies, public and private sector. And thanks very much for being on the call today, Mike. Maybe you could just introduce yourself a little bit.
Morning James, I’m delighted to be here. Thank you very much. As you mentioned, I represent Arvo, a procurement business in Ireland. We help organizations both in the public and private sector to reduce risks around procurement, reduce costs, and to improve compliance. So delighted to be here and help your colleagues and network improve their profits in their business.
Great. Now that we’ve paid the bills, let’s have a chat. Today we are going to talk about how one guy stole $99 million from Facebook and how could that potentially happen to your business as well. I guess your business would need to have $99 million in the first place, but this is a very interesting topic, Mike.
It is. It’s very timely. There’s been a lot of media attention over the last couple of years of, I suppose, fraudulent payments or embezzlement and I think the technical term across the police force is invoice redirect fraud. So where companies are, I suppose, under attack from people that are soliciting fake contracts, fake invoices, forging purchase orders, et cetera. And the whole idea is they’re diverting cash from a legitimate business to a non-legitimate business or non-legitimate source.
So it’s corporate theft and it’s happening throughout the world. Facebook and Google were both affected between 2013 and 2015; over a hundred million dollars was stolen by one guy, which is amazing. And he went to a lot of extents to get those funds transferred from those significant tech players into his bank accounts. Now I believe he has been apprehended and extradited to the States and they’ve recovered half the money. I’m not sure what happened with the other half.
It blows my mind this because, I mean, there’s so many things that you think would have… I mean, stealing $1,000 I can see how you can get away with. Sure, there’s all sorts of checks that must have gone off. First of all, $100 million coming into this Lithuanian guy’s bank account. Did no one ever notice that they were missing 99… Someone else must have been missing $99 million worth of services, right? That’s how these frauds normally work. You sort of impersonate someone else or was this just totally phantom services that he was providing?
My understanding, it’s been a bit of both. So he cloned an actual supplier of Google and Facebook. He pretended to be a hardware manufacturer in Asia that they both used. He did get access to legitimate invoices and he changed the details to suit his. And he set up a company, forged the entire aspects of it, and had emails, contracts, purchase orders, you name it. He actually had emails from Facebook and Google executives to other people in Google and Facebook saying that this needs to be paid urgently.
So it’s a very sophisticated attack. It’s the nature of online or IT scams at the moment, still getting more and more sophisticated. And what purports to be true is not always true. But this is an example which I would say is affecting Google and Facebook. We’ve seen it more locally, but smaller businesses where $50,000 to $200,000 has been stolen and similar protests take place. Sometimes it’s a request to change bank details. Sometimes it’s a request from someone in finance or their superior, or there’s one Irish public sector body who got a new CEO and within a couple of days he supposedly sent an email to the accounts and finance team to pay a supplier X, Y, Z immediately. And when it turned out that he never actually sent that email, it was completely forged, but the accounts and finance did not hesitate. They just paid it as it seemed to come from a new CEO and no one was going to question.
So it’s not just, I mean, it makes you despair a little bit like if Facebook and Google can get taken out with this, smaller organizations with less resources are also at risk I guess as well. So in that example you talked about there, I mean is this something that you have seen your own clients fall victim to or…
Yeah, we’ve heard of cases like this and truth be told, we know that it happens and there’s different variations. One client of ours had a supplier who legitimately changed physical location, so to change office location, which was probably in the media and somebody decided to contact their clients and say that their roles had changed in their bank details, which if you weren’t really studious about the whole thing might actually happen.
So when they changed the bank details on file and processed some payments to these new bank details, which were illegitimate, which were fake, the funds were transferred and it’s only when the actual company came looking for their invoice or central statement a month later, it turned out that the payments were made but not to the right company. And in that situation, typically the funds are gone. If it’s noticed quite quickly, if it’s noticed within 24 to 48 hours there may be some recourse, and I know that police forces have digital detectives these days working these cases. So it may be that the funds could be recovered, but if it’s a couple of weeks, then they’re typically gone.
So in order to do this, let’s say I wanted to target Arvo and pay for my holidays this year, it’s as simple as I go down, have a meeting with Mike in his office or hang out with you somehow, wait for you to put down your phone, pick up your phone, now I have your email. Now I can email your finance department with a, I guess, legitimate request or I can just boost your email in the first place?
Correct? Yeah. Now, you don’t have to come to visit the Arvo office. A hacker can get to the email server or get the online access to different systems and purport to be an employee of Arvo or a supplier of Arvo. You can forge… You could possibly through email, it’s not the most secure communication, get access to contracts, purchase orders, invoices. You could change the details, you can make a request to change the details. It all takes a bit of time. But no doubt, I’m sorry to say we don’t have 99 million for your holidays, but if the…
Well, I mean you see, I don’t know if you’ve seen in the news recently about these deep fakes. Now you can get videos of people, you can put one person’s face on someone else’s, make a video. So if you can do that, the repercussions are terrifying. But even just with your email, there’s a lot of damage. I mean, what are the steps you can take to combat this risk in our organization?
What we’ve been doing it, and it’s about better management of your suppliers, or deceiving your own security. It’s reviewing the steps involved to set up a supplier. It’s looking at what checks and controls you could make your own change of bank details, changing supplier invoices, changing addresses. So typically it’s quite simple in the sense that if you do a practical step wanting that, what I actually would suggest to do is, if there is any requests from any suppliers to change your details, that you verify it with them over the phone, so if it comes in an email, you can accept it and acknowledge it, but verify it over the phone that it’s actually a legitimate request. Or if it comes via the phone, you’re verified by email or vice versa.
So it’s just kind of double-checking, two-way verification that it’s a legitimate request. It takes a bit more time. And also if you have a lot of suppliers and those changes are happening, it takes a bit of time to do it. But again, the costs to do that are much better than paying somebody incorrectly.
Well, it all depends on how much time and resource you have into managing all this, because let’s face it, I have not spoken to most of my suppliers over the phone before, right? Especially if I’m in the finance team, I’m not dealing with the suppliers. I can ring them up and ask them, “Is this really your banking details?” But who knows, maybe my phone system’s been hacked.
But I guess your point is that you need two points of authentication independent of one another. So just like when someone rings you up on the phone and start asking for your social security number or your date of birth, don’t give them that information. You have to be able to know exactly who’s calling you.
Exactly. Exactly. It’s going to take a bit of time, but it’s definitely worth it until an alternative payment method that’s legitimate emerges.
Well, it’s funny because at the moment we’re writing a book on procurement express, about all the different types of spending mistakes that can be made. And really in the process of doing that, it struck me that there’s categories of big spending mistakes which really impact on ballooning costs. Now we all know that getting a good price, getting three quotes in… But there’s this other category of risks which are there, which can in some cases be big enough, significant to certainly damage the company if not destroy it, is that if you’re not proactive about them, you are at risk of this type of fraud.
So, even though it’s easy to put a process in place for let’s say getting three quotes, because that kind of makes sense because you do it every day. I guess you have to convince the management that it’s worth investing in the process to guard against these types of risks before they happen because after they happen, it’s too late, right?
Yes, and we would see the companies that actually have been targeted are obviously much more clued into this and more proactive than those that have not. And very noticeable from our engagement with them and the process and policies and procedures they have. You could actually almost tell without knowing what has happened in the past by some of the processes and steps involved. And again, that’s just part of learning.
It’s unfortunate there has been a cost for them to put in best practice as opposed to us and the companies that they should have better practices and they’re kind of going, “Well, that’s not really going to happen.”
But it’s human nature. Human nature, you’re only going to deal with the big issues once you’ve been bitten effectively. I guess you’ve got to look at your company and decide, well, what could you afford to lose? What percentage of spend can you afford to take a hit on? Which suppliers are you really cutting the big checks with? So perhaps you should be categorizing your spend, your suppliers into the ones that got highest volume. Those are the ones that obviously you have the highest exposure to risk in terms of this type of fraud. If you have thousands of suppliers, it might not be practical to validate the payment details and every change, but certainly on your top 10 or a hundred suppliers, they should be treated differently to everyone else because they have the ability to make significant impact on your business.
Is there any sort of insurance you can get to guard against this sort of thing?
There is a trade risk insurance, but I’m not sure if it covers this type of payment or this type of crime. There’s trade risk insurance that if I source and buy goods, ship them to Europe and they don’t arrive, then there’s insurance against that, whether they were, well, off the ship or whether there was theft involved or whether they were never shipped in the first place. There is insurance on that, which is quite commonplace, but would we ask this type of payment, I’m actually not sure.
I know there’s another guest I’ve had to mention, a company he was dealing with had errors and omissions insurance, and this is in the US. And that did help them out when they got hit for this in the past. So it’s probably worth talking to your insurance agent to see what can be done for that. What’s the most negative impact you’ve seen for a company which has been hit with this kind of attack?
It’s the funds disappearing. It’s having no recourse. If it’s a matter of weeks, the bank account is closed, the money is gone. There’s no trail. And having then to go and pay the legitimate supplier, the invoice that was bid, it’s obviously the cashflow in that.
I hadn’t even thought of that because you’re not just losing the initial amount, you’re still liable to pay that to the supplier. So you’re actually, well, you’re paying for something in that case at least, but you’re going to-
The money is gone. It’s not just theft, they’re just taking the money into their bank account. And unless it’s noticed very, very quickly, it seems to be that it’s very hard to recover afterwards. We have had cases and we have clients who have had 50% or 60% of the funds recovered within 24 hours. But it’s very proactive stuff and it’s really getting out to the local police force and Interpol as quickly as possible to get that back.
That’s the thing. I mean, most of these are cross country payments, right?
That’s the symptom of this. So maybe that’s another warning sign. If you see these cross country… Now, especially in Europe, the borders are so open, the banking is so interconnected, it’s pretty usual to be making cross border payments. Within Europe certainly. But you’ve got to keep an eye out for them.
So Mike, for listeners for this podcast who may be at risk or their company may be at risk of this type of activity, what’s the simplest advice that you could give them that they could use in their business today?
There’s a number of steps. I mentioned already the fact that to check any changes in controls or changes to supplier invoices online and offline. So if you get an email request to make a change, you pick up the phone and find out if it’s legitimate. But also, even the fact of using purchase orders. As you’d know a lot about James at Procurement Express, the fact that there was a contractual document in place, that an invoice coming in, they can be matched to it. It helps a person just impersonating an email or an invoice. At least it’s more factual.
Also separating the duties around accounts payable and accounts receivable and actually the person that is managing the supplier. Just making sure that there is approvals and steps and that there’s a legitimate paper trail which can be verified. And be that on a system or be it through email of paying actual legitimate invoices and original invoices or posted statements, is important as well. Statements can be fabricated and certainly the timing of those can often trick people as well, especially when the account function may not be hands-on in terms of what the project is.
So there’s a couple of tips there and again, reviewing the overall process of setting up suppliers and processing payments, having a look at the procurement policy. If there’s none in place, put a quick policy in place to manage all those steps and make sure that there’s common, sensible, practical steps involved to make sure that legitimate suppliers are paid effectively and the fraud disappears.
Great. Well, thanks very much for that. I guess that comes down to training oftentimes for your staff. If you are wondering how to train your staff, I have a resource available for you to help you with that. If you go to book.procurementexpress.com, you’ll find this topic along with 49 other topics related to improving the profitability of your business where we cover fraud, embezzlement and a range of other topics. There’s a free chapter available specifically on embezzlement actually, so I’d recommend the listeners go and download that chapter. And at the very least, give that to their finance team to read over so that they can take advantage of some of the advice provided by Mike there.
Thanks very much, Mike. Where can people find you online? And what sort of person specifically can you help the most?
I’m on LinkedIn personally I suppose. We work with a lot of CPOs and CFOs, so the head of finance or head of procurement. Obviously the website as well, arvo.ie has a range of service offerings.
Great. Well, thank you very much, Mike. That’s very insightful. Thank you very much for taking the time to speak with me today. That’s all from the Gross Profit Podcast. Again, check out our book, book.procurementexpress.com, and I’ll see you next time.
Sounds good. Thank you, James.
All right, folks, there you have it. That wraps up our conversation with James Kennedy and Mike McGrath. They shared a ton of valuable insights and advice today on how to spot and prevent invoice redirect fraud. We also shared some tools and resources which will all be linked up in the show notes. I hope you enjoyed our conversation. Please consider subscribing, sharing with a friend or leaving us a review in your favorite podcast directory. Until next time, best of luck in all that you do and we’ll look forward to seeing you on the next episode of the Store Builders Podcast.