January 23, 2019

How E-invoicing Can Lower your Risk of Fraud


Recently, nearly 35,000 CFOs were subject to a targeted phishing scam, costing their organizations both time and money. Learn how e-invoicing can reduce your risk of fraud.

How e-invoicing can reduce fraud

How does it really happen?

Misusing the corporate hierarchy

A phishing scam or Business Email Compromise (BEC) attack happens when an attacker gains access to a corporate email account and poses as a company insider such as a CEO or CFO. Using this assumed identity, they then attempt to defraud the company, its employees, customers or partners of money.

In a typical attack, the criminal sends an email under the CFO’s identity asking someone in the finance department to make an urgent payment to a supplier. The employee feels pressure to comply with the CFO’s request without properly following the usual payments process. The supplier name seems relevant, so the payment is made, resulting in a loss to the company.

Intercepting emails

A slightly more complicated approach is for the criminal to observe and intercept ongoing email communication between the business partners. Once the criminal has found an ongoing business transaction, they will attempt to defraud the companies in several different ways.

One way is to intercept an email and change the bank details on the real invoice. Alternatively, if the invoice has already been sent, they may send a phishing email and ask the buyer to pay the invoice to a different account than normal.

In both cases, criminals use email spoofing to make the email address seem credible. As a result, the invoice is paid to the wrong company and the wrong account because the recipient trusts that the invoice comes from a legitimate source.

Abusing invoice approval processes

Invoice handling can be an expensive process, so many companies have an automatic approval process for invoices below a certain amount. In these cases the criminals usually use email addresses or supplier names that are extremely close to those of one of your current suppliers. For example, they may pose as an IT maintenance or server supplier. This makes it easy for people to automatically approve small invoices.
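A pre-approval check that counters the lookalike-supplier and changed-bank-details patterns described above, as an added example that is not from the original article or any vendor's product. The vendor master, threshold, similarity cut-off and invoice fields are all constructed assumptions.

```python
from difflib import SequenceMatcher

AUTO_APPROVE_LIMIT = 500.00  # assumed auto-approval threshold
LOOKALIKE_RATIO = 0.85       # assumed similarity cut-off for "extremely close"

# Constructed vendor master: verified sender domain and bank account per supplier.
VENDORS = {
    "Northwind IT Services": {"domain": "northwind-it.example", "iban": "XX00TEST0000000001"},
    "Harbor Hosting": {"domain": "harborhosting.example", "iban": "XX00TEST0000000002"},
}

def similarity(a, b):
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def review_invoice(inv):
    """Return (decision, reasons); any reason blocks automatic approval."""
    reasons = []
    vendor = VENDORS.get(inv["supplier"])
    if vendor is None:
        # Not an exact match: is the name a near-miss of a verified supplier?
        reasons = [f"supplier name resembles '{name}'" for name in VENDORS
                   if similarity(inv["supplier"], name) >= LOOKALIKE_RATIO]
        reasons = reasons or ["supplier not in vendor master"]
    else:
        domain = inv["sender"].rsplit("@", 1)[-1].lower()
        if domain != vendor["domain"]:
            close = similarity(domain, vendor["domain"]) >= LOOKALIKE_RATIO
            reasons.append("lookalike sender domain" if close else "unexpected sender domain")
        if inv["iban"] != vendor["iban"]:
            reasons.append("bank account differs from vendor master")
    if reasons:
        return "hold", reasons
    small = inv["amount"] <= AUTO_APPROVE_LIMIT
    return ("auto-approve" if small else "manual-approval"), reasons

# Constructed sample invoices.
SAMPLES = [
    {"supplier": "Northwind IT Services", "sender": "billing@northwind-it.example",
     "iban": "XX00TEST0000000001", "amount": 120.00},
    {"supplier": "Northwind IT Service", "sender": "billing@northwind-it.example",
     "iban": "XX00TEST0000000009", "amount": 95.00},
    {"supplier": "Northwind IT Services", "sender": "billing@northwind-lt.example",
     "iban": "XX00TEST0000000009", "amount": 480.00},
    {"supplier": "Harbor Hosting", "sender": "ar@harborhosting.example",
     "iban": "XX00TEST0000000002", "amount": 12000.00},
]

if __name__ == "__main__":
    for inv in SAMPLES:
        print(inv["supplier"], inv["amount"], *review_invoice(inv))
```

The second and third samples are both below the threshold and would have been approved automatically on amount alone; the check holds them for a person to verify against the supplier's known contact details.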

Recently I was myself the target of an email-invoicing-related crime: I happened to be in the address book of a person whose computer was infected with a virus, and it was sending out payment reminders. Although this time the aim was to steal my identity, I would still put it in the same category as other email-invoicing-related crimes.

Misperception of email invoicing cost

Email invoicing is considered a very cost-effective and simple way of invoicing that is affordable for everyone. Is it really so? Since there is an increasing number of cases where email scamming is used for invoicing-related crimes, corporate IT departments are under pressure to create more secure email channels. It’s their job to provide security against these types of attacks. All these actions can result in some unintended consequences.

Your IT department may be increasing the cost of e-mail invoicing. This is done either directly, by increasing IT security costs or indirectly as their activities may also cause actual supplier invoices to be quarantined and sent to spam. When invoices aren’t delivered, they aren’t paid and this can prove costly for both sender and receiver. It causes late payment fees, affects cash flow for suppliers and takes time from customer service to solve the issue. So you should remember that e-mails aren’t a guaranteed delivery method for invoices.

[Figure: Amount of direct monetary losses to payment fraud. Source: PwC’s Global Economic Crime and Fraud Survey 2018]

There is a better way

The best way to ensure legitimate supplier invoices are paid on time is with e-invoicing. Structured invoice data can be exchanged directly between buyer and supplier and the information uploaded directly to the Accounts Payable invoicing system. The network is backed by a trusted service provider together with a trusted chain of traffic. This mitigates the risk of a BEC attack.

Of course the benefits don’t stop there.

E-Invoicing will not only mitigate the risk of your company losing money to attacks, but you’ll be saving money by automating what is typically a very manual process, as well as reducing the number of errors which can result in increased costs and processing lifecycles.

As the number of attacks increases, companies need to take a multi-pronged approach to ensuring security. With true e-invoicing, where a service provider's network is used to send and receive your invoices, you significantly decrease the risk of becoming a victim of financial crime and also gain the benefits of process automation.

I do agree with people who tend to say that today’s solutions favour big corporates more and consider the interests of SMEs less. That still shouldn’t lead us to select untrusted solutions that seem to be free of charge. We should aim for an affordable (financially and process-wise) SME solution.

One may ask why email is such a popular tool for committing financial crimes. I believe the answer is that there is no transaction cost for the criminal. It is so cheap to try to commit the crime, and therefore you can do it on a wide scale. But that doesn’t mean it is cheap to maintain the service. At the end of the day there is no bad without good: isn’t the money you need to pay your service provider small compared to the fact that you can sleep peacefully at night?


Ahti Allikas
Ahti Allikas has been active in the e-invoicing industry since the year 2000. He currently works as Head of Partners and Networks at OpusCapita, and is responsible for the development of the e-invoicing ecosystem. Ahti is a member of the executive committee of the European E-invoicing Service Providers Association (EESPA), a member of the management committee of the OpenPeppol Association (PEPPOL) and also a member of the E-Invoicing expert group in the European Multi-Stakeholder Forum on E-Invoicing (EMSFEI).

