As a business owner, you receive many emails, including invoices from your clients or vendors. Unfortunately, that makes you a good target for scammers.
Have you heard about business invoice phishing?
The Federal Bureau of Investigation’s (FBI) Internet Crime Report referred to business email compromise (BEC) as one of the alarming issues in recent years.
So if you’re wondering, “Why am I getting fake invoices,” there’s your answer. Fraudsters are constantly developing ways to scam everyone, including businesses.
We looked into various identity theft sources online to learn how to keep your business safe against invoice phishing emails. We also read real-life stories of companies that experienced such crimes and what they did to overcome them.
During our research, we discovered the most subtle sign you shouldn’t miss. So, read until the end and avoid missing out on any new tactics criminals use to trick people into disclosing their information.
What is a business invoice phishing email?
In an email phishing scam, fraudsters impersonate business executives by creating look-alike email addresses, then sending fake invoices to suppliers or partners.
The emails may also include malicious links that contain malware or spyware, so even if a company doesn’t pay the scammers, the sensitive information of that business will still be compromised.
This type of fraud targets business owners, executives, and employees, as you can discover in one of the real-life stories, we’ll present.
ABC News talked to Jane Fleming, one of the victims of unpaid invoice email spam. Jane told ABC News that she’d worked with concreter Simon O’Donnell for almost 10 years, but this was the first time she became a victim of this scam.
Jane received a $51,000 invoice from Simon, but she noticed that the concreter changed his bank account details. She didn’t think of it as unusual because the sender showed a particular knowledge of the job.
However, after sending the $51,000, Simon told Jane that he hadn’t received the payment. It was already clear that Jane had transferred the money to a scammer.
According to Small Business Ombudsman Kate Carnell, companies lose an average of $10,000 due to this billing team email scam.
Also, in 2020, the FBI, through the Internet Crime Complaint Center (IC3), received 19,369 reports of BEC.
These numbers show that you can get scammed with an invoice, so it’s important to be vigilant whenever you receive similar emails.
In Jane’s case, she thought she was dealing with Simon because the scammer knew about their project. So how did he know about the said job?
The scammer might have hacked their computers remotely and redirected them to unsecure websites. Through this tactic, they accessed business files and gained information about the ongoing projects, particularly their invoicing details.
But what do the phishers want aside from money?
Phishers want to steal your personal and business information to commit fraud.
For example, once hackers know your Employee Identification Number (EIN), they can abuse your tax information, file false tax returns, and get refunds.
It’s also possible for fraudsters to access your sensitive information. As a result, they can apply for loans under your name.
However, they wouldn’t stop at your data because they can access your employees’ confidential information once they hack your business files.
What are the red flags that you’ve received a fake invoice?
You can avoid getting scammed when you know how to recognize the red flags. Here are important warning signs to keep in mind:
- A sudden change in payment details is one of the most subtle signs you shouldn’t miss. You must contact the supplier or business partner before transferring any amount or giving out business information.
- You received an invoice for something your company didn’t purchase. According to Olli Gunst, the Growth Marketing Manager of Hoxhunt, it’s important to contact the company that sent the invoice via a different means of communication to verify the legitimacy.
- Another subtle sign of a fake invoice is a suspicious link or attachment. Usually, emails from legitimate businesses don’t include URLs. They may contain attachments, but these are readily viewable, so you don’t need to download them.
- The sender asks for your sensitive information, like bank account number, personal email address, EIN, or SSN.
- Someone likely sent you a fake invoice when the email has poor grammar and spelling errors.
- The sender pressures you to pay immediately and threatens legal action if you don’t transfer funds as soon as possible.
If you notice anything unusual in the invoice email, don’t hesitate to contact your supplier or client to verify the details before you make your payments.
How to stop fake invoice emails?
In case you become a victim of invoice email scams, here’s how to stop these emails manually.
- Go to your inbox, then tap “Settings.” Look for “Privacy” or “Blocked senders,” then add the suspicious email address. This way, the suspected scammer won’t be able to message you again.
- You can also open the email, click the three dots located in the top right, then choose “Block sender’s email address.”
We also recommend reporting the sender to your email provider:
- Go to your inbox, then open the message.
- Tap the three dots located in the top right, then select “Report phishing.”
You must also file a report before the Federal Trade Commission (FTC) if you receive a fake invoice.
- Forward the email to [email protected], the Anti-Phishing Working Group of the FTC.
- Go to https://reportfraud.ftc.gov/, then click “Report Now.”
- Choose among the common problems, including:
An impersonator | Online shopping |
Job, investment, money-making opportunity | Sweepstakes, prize, lottery |
Phone, internet, TV service | Auto sale, repair |
Health | Credit, debt |
Just an annoying call | Something else |
- We recommend selecting “an impersonator” because of the nature of the invoice phishing email.
- When asked, “Who were they pretending to be,” choose “Well-known or trusted business” or “Your boss or co-worker.”
- The FTC will also ask you the following questions:
Did the scammer offer to fix a problem with your computer? |
How much money did you pay? |
How did you send the money? |
How did you first learn about the scam? |
- There’s also a textbox at the bottom of the page where you can tell other details about the incident.
- Click “Continue,” then type your personal information on the next page.
- Tap “Submit” after reviewing your complaint.
How to protect your business against invoice phishing emails?
Invoice phishing could have a detrimental impact on your business if you fall for them. Here are the best tips on how to prevent business invoice email phishing scams.
- Contact new suppliers to confirm payment details.
When you receive an invoice from a new supplier, it’s good practice to call them and ask if the details in the email are correct.
If the information matches with what you received, then you can send the payment. However, we recommend reporting the incident to your email provider and FTC if you notice discrepancies.
- Call previous suppliers if they change account numbers.
Scammers take advantage of business owners and employees who fail to double-check payment details.
That’s why if your previous supplier changed bank account numbers without informing you in a separate email, it’s best to contact them and ask about the new payment details.
- Set up two-step authentication (2FA) on your personal and business emails.
Hackers can steal passwords easily, so setting up 2FA on your email address can provide extra protection.
As a result, phishers will have difficulty accessing your files and messages that may contain confidential business data.
- Never open suspicious links and attachments.
Companies rarely send emails with links and downloadable attachments. Usually, they include readily viewable PDF files that you don’t need to download.
When someone sends you an invoice with a link, don’t open it. Instead, contact the vendor’s official telephone number or email and ask them about the email you received.
- Train employees to spot phishing scams.
Due to the rising business email compromise (BEC) cases, every company should have phishing awareness training. It helps to educate employees and executives to spot and prevent phishing attacks.
Is it easy to recognize invoice phishing emails?
Once you know the red flags to look out for, you can quickly spot email phishing scams and protect your business from them.
Take note that a sudden change in payment details and a suspicious link or attachment are the most subtle signs you shouldn’t miss. But in case you receive a fake invoice, forward it immediately to the FTC and tell them about the incident.