Companies large and small expend a lot of time and effort shoring up their data-security defenses.
But scammers, ever vigilant, can go through the side door as well, exploiting accounts-payable departments with invoices for goods and services that are unwanted or even nonexistent. The goal is to fool or pressure an employee into cutting a real check for a fake charge, which can cost your business hundreds or even thousands of dollars.
Some of these grifts are as old as paper itself. The Federal Trade Commission lists five common ones:
- Directory listings: Con artists bill a company for being placed in a nonexistent online directory or phone book.
- The Supply Swindle: A phony vendor invoices for anything from printer toner to cleaning chemicals. Sometimes a “free” sample is mailed, and if the company doesn’t send it back in a timely manner, the scammer sends a follow-up letter insinuating the company has agreed to purchase said products.
- The URL Hustle: A business gets a notice that its website domain is about to expire, with the imminent threat of losing trademarks if a fee isn’t paid immediately.
- The Charity Con: An invoice indicating a purchase in a calendar or guide from a seemingly legit charity (think suffering children) could provide an accounts manager with an extra enticement to pay quickly.
- The Check Cheat: A business gets a check from an unknown entity purporting to be a company, government agency or nonprofit. It’s cashed, prompting a contract stating the business has now signed up for a recurring service it neither needs nor wants.
A fake invoice might include urgent or threatening language (“90 days past due”), along with plausible-looking letterhead and iconography (the Yellow Pages “walking fingers”). The hardest-working scammers know your address, your suppliers, and the boss’s name.
CyberScout received an invoice for a full-color advertising insert. Cost: $3,495. The invoice looked legitimate and was on high-quality stock letterhead. It listed the company’s CEO as the “approver.” It employed a word salad of techy-sounding terminology to describe the directory the ad would go in. But a closer inspection of the fine print revealed that the invoice was really a sales pitch for said service, which would “only be confirmed when payment has been received.”
As the Minnesota attorney general’s office noted in this informative post, federal law prohibits solicitation of goods and services masquerading as an invoice.
Other tips to avoid getting hoodwinked:
- Train employees to keep their guard up. Cross-check orders with invoices. Match account numbers to ensure a vendor is legit. Beware of companies that don’t provide a phone number.
- Create a process for vetting invoices. Before issuing payment, coordinate with the person responsible for stocking products and hiring services.
- Don’t open attachments from unknown senders of invoices; they might contain malware or ransomware. Then you’ve got a whole new host of problems.