Invoice fraud is a business fraud wherein scammers send fake or falsified invoices to businesses.
What Is Invoice Fraud? Examples & Prevention
This article is part of a larger series on Bookkeeping.
Discovering invoice fraud is alarming, especially for businesses relying on technology in their operations. Without understanding what invoice fraud is and how to prevent it, you’ll be at a higher risk of falling into these traps. In this article, we’ll discuss the different kinds of invoice fraud and give you some tips on how to prevent it from proliferating in your business.
Examples of Fraudulent Invoices
There is a wide spectrum of what is generally called fraudulent invoices.
Type | What It Is | Example |
---|---|---|
Fake Invoice | Is completely fake and from a company that doesn’t exist | An invoice that appears to be from one of your vendors but is actually from scammers trying to steal your next payment. |
Phishing Attack | Is a request for payment that doesn’t include an actual invoice but is rather an email phishing for your banking information | An email claims to be from someone within your company and requires you to send payment immediately. |
Bill Padding | Is the most disturbing invoice fraud—and the hardest to spot—that intentionally alters the quantities, prices, and amounts of your order | An invoice that is sent by your actual vendors who are charging you an inflated amount. |
Duplicate Invoice | Is an exact copy of a previously received invoice that can be sent by mistake or intended to be fraudulent | An invoice that is sent by your actual vendor that looks exactly the same as a previous invoice but with a different date |
A fake invoice is a manipulated and fictitious invoice that appears to come from a legitimate supplier, but the fraudster has altered the payment information. Sometimes the fake invoice provides a link that redirects you to a suspicious website that can steal your credit card information.
In some cases, the payment details don’t really belong to the seller, but rather to the fraudster’s bank account. This means that the money will be wired directly to their accounts once you pay the amount.
Examples of these techniques include:
- Fake URLs or links that may seem correct at first glance, such as:
  - www.paypall.com
  - www.bankofamericca.com
  - www.googel-support.com
  - www.amaz0n.com
- Fake email addresses that don’t hold up as legitimate on a closer look, like:
  - support@paypal1.com
  - amazon_billing@gmail.com
  - security@gooogle.com
  - costumersupport@bankofamerica.com
Fake invoices are typically sent from fake email addresses like those above. If you don’t read the sender’s address carefully and scrutinize its spelling, you’ll fall for these schemes.
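The spelling check described above can be automated. The following is an added example, not part of the original article: it compares a URL or sender address against an assumed allowlist of trusted domains (`TRUSTED`, `FREE_MAIL` and the digit-swap table are illustrative choices) using edit distance.

```python
import re

# Assumption: domains your organisation really transacts with (brands taken from the page).
TRUSTED = {"paypal.com", "bankofamerica.com", "google.com", "amazon.com"}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
# Digits commonly swapped in for letters, e.g. amaz0n -> amazon.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def domain_of(value):
    """Domain of a URL or email address (simplified: last two labels, no co.uk handling)."""
    host = value.strip().lower().split("@")[-1]
    host = re.sub(r"^[a-z]+://", "", host).split("/")[0]
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(value):
    """Return 'trusted', 'lookalike', 'brand-on-free-mail' or 'unknown'."""
    dom = domain_of(value)
    if dom in TRUSTED:
        return "trusted"
    brands = [t.split(".")[0] for t in TRUSTED]
    if dom in FREE_MAIL:
        local = value.lower().split("@")[0]
        return "brand-on-free-mail" if any(b in local for b in brands) else "unknown"
    # Compare each hyphen-separated token of the first label with each trusted brand.
    for token in dom.split(".")[0].translate(DIGIT_SWAPS).split("-"):
        if any(edit_distance(token, b) <= 2 for b in brands):
            return "lookalike"
    return "unknown"

# The page's own examples, plus the sender of the phishing email it describes.
SAMPLES = ["www.paypall.com", "www.bankofamericca.com", "www.googel-support.com",
           "www.amaz0n.com", "support@paypal1.com", "amazon_billing@gmail.com",
           "security@gooogle.com", "costumersupport@bankofamerica.com",
           "officereport@sapo.pt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:38} {classify(sample)}")
```

The address costumersupport@bankofamerica.com carries the genuine domain, so a domain check passes it; a forged sender on a real domain is caught by the SPF, DKIM and DMARC results on the message, not by spelling.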
An invoice in a phishing email usually asks victims to divulge login information and passwords. Invoices in phishing emails are also examples of fictitious invoices. However, other phishing scams use familiar names within your company to trick people into making wire transfers or payments. Below is an example of a phishing email that I received a few months ago.
When I first saw the email, I immediately recognized it as a phishing email because:
- Gmail tagged the email as External when Rebecca is actually an employee at our company
- There is no profile picture in the email
- The email body is not properly formatted
- My name is not mentioned in the greeting
- The email address is “officereport@sapo.pt,” which is not our organization’s domain name
- There are glaring typographical errors in the email, such as:
  - “Can we setup an outgoing wire transfer for a new vendor today?”
  - “The invoice is past due, Can this be completed today?”
- The email was sent using MS Outlook, and our company uses Google
Moreover, the scammer is asking us “to confirm the receipt” of the email before sending the payment information. Asking for acknowledgment is a form of bait: if the victim confirms the receipt, the fraudster can safely assume that the victim is unaware that the email is fraudulent. It also lets the fraudster keep the initial email simple and believable, which reduces suspicion.
Bill padding is invoice fraud that intentionally alters the quantities, prices, and amounts of your order. The invoice here is legitimate, but the information on the invoice is wrong. It’s called bill padding because the prices or amounts are intentionally inflated.
Below are several examples of bill padding:
- Altering the price (e.g., the original price is $109.99, but the invoice price is $199.90)
- Altering the quantities (e.g., the original quantity is 234, but the invoice quantity is 243)
- Miscalculating totals
- Adding items that were not ordered or services not performed, especially if the invoice is long and has many listed items
- Exaggerating charges (e.g., a taxi ride that costs $200)
If you catch your vendor doing this, we recommend firing them or seeking legal action if the amounts involved are significant.
Another example of fraudulent invoices is duplicate invoices, which trick the business into paying twice. If your business handles hundreds of invoices per day, you’re at a high risk of paying duplicate invoices. However, some vendors send invoices twice due to errors. Individual verification and examination is the only way to ascertain whether the invoice is fraudulent or not. When in doubt, reach out to the supplier to clarify the invoice.
Things to Do When You Suspect an Invoice to Be Fraudulent
Whenever you suspect an invoice to be fraudulent, you need to remember the mnemonic SIT DOWN.
Stop and Proceed With Caution
When you suspect an invoice is fraudulent, don’t act hastily. Even if it’s from your manager or CEO, don’t click any link on the email or send payments. If it’s very obvious that the email is fake or phishing, report it using your email hosting provider’s reporting tools.
Inspect Invoice Information
If you’re still unsure if the email or invoice is fraudulent, try to inspect the invoice information. Here’s what you need to check right out of the gate:
- Presentation of the supplier’s name. Subtle differences may exist, such as the following:
  - Co. vs Company (e.g., Ford Motor Company vs Ford Motor Co.)
  - Ltd. vs Limited (e.g., Tesco Stores Ltd vs Tesco Stores Limited)
  - Inc. vs Incorporated (e.g., Apple Inc. vs Apple Incorporated)
  - Corp. vs Corporation (e.g., Oracle Corporation vs Oracle Corp.)
  - & vs And (e.g., Procter & Gamble vs Procter and Gamble)
  - With “the” vs without “the” (e.g., The Coca-Cola Company vs Coca Cola Company)
- Overall look of the invoice. The look of the invoice may also tell if it’s fraudulent or not.
  - The formatting is different from past invoices from the same supplier
  - The invoice design doesn’t look professionally edited
  - The invoice uses different kinds of font styles and sizes
  - The invoice contains incomplete information
Test with Other Source Documents
Another way to detect fraudulent invoices is to perform three-way matching. If the invoice is legitimate, it must match other source documents such as the purchase order and receiving report. If there is no supporting document related to the invoice in question, then the invoice is fraudulent. A three-way match can catch most fraudulent invoices and should be performed at all times.
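A three-way match can be expressed as a small check. This is an added example, not code from the original article; the document layout (`lines`, `sku`, `qty`, `unit_price`, `total`) is an assumed structure, and the sample documents are constructed from the bill-padding figures given earlier on the page.

```python
from decimal import Decimal

def three_way_match(invoice, po, receipt):
    """Compare an invoice with its purchase order and receiving report.

    Returns a list of (sku, finding); an empty list means all three agree.
    """
    if po is None or receipt is None:
        return [("*", "no purchase order or receiving report on file")]
    findings, computed = [], Decimal("0")
    for line in invoice["lines"]:
        sku, qty, price = line["sku"], line["qty"], Decimal(line["unit_price"])
        computed += qty * price
        ordered = po["lines"].get(sku)
        if ordered is None:
            findings.append((sku, "billed but never ordered"))
            continue
        if price != Decimal(ordered["unit_price"]):
            findings.append((sku, f"unit price {price}, PO says {ordered['unit_price']}"))
        received = receipt["lines"].get(sku, 0)
        if qty > min(ordered["qty"], received):
            findings.append((sku, f"billed {qty}, ordered {ordered['qty']}, received {received}"))
    # Recompute the total from the lines instead of trusting the stated figure.
    if computed != Decimal(invoice["total"]):
        findings.append(("*", f"stated total {invoice['total']}, lines add up to {computed}"))
    return findings

# Constructed sample documents (amounts as strings so Decimal stays exact).
PO = {"lines": {"WIDGET": {"qty": 234, "unit_price": "109.99"}}}
RECEIPT = {"lines": {"WIDGET": 234}}
PADDED = {"total": "48975.70", "lines": [
    {"sku": "WIDGET", "qty": 243, "unit_price": "199.90"},   # altered price and quantity
    {"sku": "RUSH-FEE", "qty": 1, "unit_price": "200.00"},   # item that was never ordered
]}
CLEAN = {"total": "25737.66", "lines": [
    {"sku": "WIDGET", "qty": 234, "unit_price": "109.99"},
]}

if __name__ == "__main__":
    for sku, finding in three_way_match(PADDED, PO, RECEIPT):
        print(sku, "->", finding)
```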
Detect Glaring Errors
An invoice must be professional and presentable. Being professional means that there must be no glaring errors in the body of the invoice. If you can see any right away, that’s already a red flag. Here are some examples of glaring errors:
- The supplier’s name is misspelled or has unusual characters or spellings, such as:
  - Fords Motors instead of Ford Motor
  - Amaz.on instead of Amazon
  - KellyConsulting instead of Kelly Consulting
  - The Good Guys instead of Good Guys
  - Ch1cken Company instead of Chicken Company
  - Coffee Time ! instead of Coffee Time!
- There are grammatical errors, like:
  - Articles (e.g., we are expecting an payment)
  - Prepositions (e.g., the payment is due in Thursday)
  - Sentence fragments (e.g., attached below invoice for June)
  - Tenses (e.g., please settle today because payment must be made yesterday)
  - Capitalizations (e.g., please send Payment)
- The items listed in the invoice are misspelled
Obtain Supplier Confirmation
When in doubt, reaching out to the supplier is always a good option. Asking for clarification can save you a lot of time. However, do so only when there’s significant doubt about the legitimacy of the invoice. We don’t want to constantly bother vendors by verifying every invoice.
Watch Out for Duplicates
When you process multiple invoices, some fraudsters and scammers can take advantage of this by sending duplicate invoices, hoping that they’ll get buried in the pile of unprocessed invoices and eventually processed for payment. The only way to catch duplicate invoices is to always enter the invoice number in your accounting system and look for existing invoices.
Checking for duplicates must be a standard practice when reviewing invoices. Most accounting software will automatically warn you when you enter a duplicate invoice number from the same vendor. If your vendor doesn’t include an invoice number, tell them your company requires one to approve payment. It is very poor practice not to have an invoice number.
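The duplicate lookup described above, as an added example that is not part of the original article. It normalizes the supplier-name variants listed under "Inspect Invoice Information" so that a duplicate cannot hide behind "Co." versus "Company", and it also flags the same amount under a different invoice number; the ledger layout and the sample records are constructed.

```python
import re
from decimal import Decimal

# Name variants from the page: Co./Company, Ltd./Limited, Inc./Incorporated, Corp./Corporation.
SUFFIXES = {"co": "company", "ltd": "limited", "inc": "incorporated", "corp": "corporation"}

def vendor_key(name):
    """Fold case, punctuation, '&' vs 'and', a leading 'the' and suffix abbreviations."""
    words = re.sub(r"[^a-z0-9& ]", " ", name.lower()).split()
    words = ["and" if w == "&" else SUFFIXES.get(w, w) for w in words]
    if words and words[0] == "the":
        words = words[1:]
    return " ".join(words)

def invoice_key(number):
    """Fold case, spaces, punctuation and leading zeros in an invoice number."""
    return re.sub(r"[^A-Z0-9]", "", number.upper()).lstrip("0")

def find_duplicates(ledger, incoming):
    """Return (kind, existing invoice number, name_variant) for each suspected duplicate."""
    hits = []
    vendor, number = vendor_key(incoming["vendor"]), invoice_key(incoming["number"])
    amount = Decimal(incoming["amount"])
    for paid in ledger:
        if vendor_key(paid["vendor"]) != vendor:
            continue
        # True when the supplier name is presented differently from the one on file.
        variant = paid["vendor"] != incoming["vendor"]
        if invoice_key(paid["number"]) == number:
            hits.append(("same-number", paid["number"], variant))
        elif Decimal(paid["amount"]) == amount:
            hits.append(("same-amount", paid["number"], variant))
    return hits

# Constructed sample data: invoices already entered, then a newly received one.
LEDGER = [
    {"vendor": "Acme Supply Company", "number": "INV-1042", "amount": "1250.00"},
    {"vendor": "Acme Supply Company", "number": "INV-0990", "amount": "1250.00"},
    {"vendor": "Birch Freight Ltd", "number": "INV-1042", "amount": "1250.00"},
]
INCOMING = {"vendor": "Acme Supply Co.", "number": "inv 1042", "amount": "1250.00"}

if __name__ == "__main__":
    for hit in find_duplicates(LEDGER, INCOMING):
        print(hit)
```

A "same-amount" hit is only a prompt for manual review, since a supplier can legitimately bill the same amount twice.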
Notify and Report the Incident
Whenever you encounter suspicious invoices and emails, report the incident to the appropriate person for further investigation.
- Phishing or fake emails: It’s always good practice to report them to your business’ IT department. You can also report the email directly to the email hosting provider so that they can flag it and mark it as spam.
- Inflated invoices: You should report the concern to your manager or supervisor for further investigation before reaching out to the supplier.
- Duplicate invoices: First, review the information in the invoice. If you see fraud red flags in the duplicate invoice, report it to your manager or supervisor for further investigation.
Preventing Fraudulent Invoices
Preventive measures can keep scammers at bay. If your business has these measures in place, it can be easier to detect fraudulent invoices and emails.
Establish Strong Internal Controls
Internal controls are a direct deterrent to fraud, but you can’t eliminate it. Collusion can override internal controls and render them useless. The best preventive internal control for fraudulent invoices is approval controls, which include a set of steps and procedures that carefully review each invoice sent to the business. It might involve the following:
- Having two or more people review invoices
- Using accounting or specialized software to fully automate invoice processing and encoding
- Performing a three-way match when initially reviewing invoices
- Getting to know all vendors that do business with you
- Establishing an approval hierarchy
- Verifying information with suppliers when necessary
Enhance IT and Application Controls
Internal controls over accounting processes aren’t enough. You also need to establish strong controls over IT and business applications. It means that all business devices must have the proper protection against hackers, scammers, and malicious software.
Having IT experts in your organization can help keep threats at bay and ensure devices work properly. In enhancing your business’ IT security and controls, here are some things to keep in mind:
- Enforcing proper password hygiene
- Using a secure password management system
- Requiring multi-factor authentication when logging in to business accounts
- Issuing company laptops to increase protection against malicious software
- Conducting periodic security checks and audits
- Encrypting data in a timely manner
- Performing data backup
Train Employees
Even if you have good controls in place, all will be useless if your employees aren’t trained properly to adhere to these controls. For invoice fraud, your goal is to train your employees in the following areas:
- Identifying and recognizing fake invoices
- Cybersecurity and fraud awareness seminars
- Phishing and social engineering tactics and schemes
- Best practices in password health and safety
- Software training for automated invoice tracking and processing systems
Scammers prey on employees who are quick to respond to emails or click links. While some employees are cautious, there’s still a chance that at least one employee will take the bait. And when the scammer or hacker gets into your system, your data is now compromised. That’s why adequate employee training is necessary to prevent fraud from proliferating.
Conduct Regular Audits
Audits help you identify potential weak points in your system. If you don’t review your system, you’ll never know which areas are highly exposed to fraud. You can hire an independent auditor—preferably a CPA specializing in IT systems audit—to look at your business’ IT infrastructure. However, if you suspect that there’s fraud in your business, hiring a fraud examiner or expert is more appropriate.
However, for small businesses that are too small for complex IT systems, hiring an IT expert is more than enough. The IT expert should be knowledgeable in maintaining the business’ IT system and spotting potential weak spots that scammers and hackers can take advantage of if discovered.
Frequently Asked Questions (FAQs)
Yes, invoice fraud is a criminal offense. Depending on the nature of the fraud and the amount involved, you can be imprisoned for several months to years because of invoice fraud.
You can prove invoice fraud by gathering evidence and information about the fraudulent activity. It might involve looking at old documents and cross-referencing different data found in your accounting system.
There are several red flags for invoice fraud. The easiest way to spot a fraudulent invoice is when there are glaring errors in spelling and grammar. Another red flag is when the invoice comes from someone within the company (e.g., a manager or CEO) asking you to send payment. Strange email addresses and domain names (e.g., @goog.le.com or officereport@sapo.pt) are also possible red flags for invoice fraud.
Bottom Line
Invoice fraud can cost your business thousands of dollars in losses if left unchecked or unaddressed. That’s why having proper internal control and fraud awareness training in your organization can help minimize the instances of fraud.