Invoice fraud is a threat to everyone. It occurs when criminals target a legitimate payment by a customer to a business, and redirect that money to another bank account.

  • Scammers may target you directly, by impersonating a supplier or subcontractor that you are expecting to pay. 
  • Or, they may contact your customers, pretending to be you, claiming that your bank details have changed to trick them into paying the wrong account. 


The scam will only come to light when it’s too late - either because your real supplier is chasing you for payment, or your customer is insisting that they’ve already paid you. 

Invoice fraud is categorised as an ‘authorised push payment’ or APP scam. It’s called that because victims are tricked into making the transfers themselves. UK Finance, a trade association for the banking industry, says that invoice scams accounted for 17% of all APP losses, totalling £81.9m in 2020.

Invoice fraud: the tactics

Scammers typically hack into your email account to intercept messages with customers and suppliers. This isn’t as difficult as you might think – your password may have been leaked online, for example, or they may have used phishing tactics to steal your login details. 

Once they’re in, they can search for messages about invoices you regularly send or receive, making note of the way you write and any other details that could help them impersonate you.

Armed with this information, they can then send fake invoices to your customers or suppliers – either by doctoring an existing invoice, or creating a new one – using their own bank details. 

Even without access to your emails, fraudsters may simply imitate your business name by falsifying the ‘sender name’ of an email, as you can see below. The real sender is shown in <brackets> here, and has nothing to do with Tesco Bank.

An example of a scam email from an address claiming to be Tesco Bank. The subject line is spelled incorrectly.
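The sender-name trick described above can be caught by comparing the name an email displays with the address shown in brackets. The Python below is an added example, not part of the original article; the supplier names, domains and function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: names you expect to see, mapped to the domains those
# senders really use. Every value here is a made-up sample.
KNOWN_SENDERS = {
    "acme supplies": {"acme-supplies.example"},
    "northside timber": {"northside-timber.example"},
}

def normalise(text):
    """Lower-case and collapse whitespace so 'Acme  Supplies' still matches."""
    return " ".join(text.lower().split())

def classify_sender(from_header):
    """Return 'ok', 'mismatch' or 'unknown' for one From header.

    'mismatch' means the display name claims a known sender but the address
    in <brackets> belongs to a different domain. 'ok' only means the two
    agree; it does not prove the message is authentic.
    """
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    shown = normalise(display)
    for name, domains in KNOWN_SENDERS.items():
        # The display name may carry the trading name or a copy of the real address.
        if name in shown or any(d in shown for d in domains):
            genuine = any(domain == d or domain.endswith("." + d) for d in domains)
            return "ok" if genuine else "mismatch"
    return "unknown"

def flag_suspicious(headers):
    """Return the headers whose display name and real address disagree."""
    return [h for h in headers if classify_sender(h) == "mismatch"]

# Constructed sample headers, not taken from real messages.
SAMPLE_HEADERS = [
    "Acme Supplies Ltd <accounts@acme-supplies.example>",
    "Acme Supplies Accounts <billing@mail-update.example>",
    '"accounts@acme-supplies.example" <pay@other.example>',
    "Northside Timber <sales@northside-timber.example.pay.example>",
    "Jane Doe <jane@somewhere.example>",
]

if __name__ == "__main__":
    for header in flag_suspicious(SAMPLE_HEADERS):
        print("CHECK BEFORE PAYING:", header)
```

A match only shows that the name and address agree, so a change of bank details should still be confirmed with the supplier through a contact route you already trust.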

Michael Collins, who runs Trusted Trader business 'Michael Collins Builders Ltd' in north London, had never heard of invoice fraud before a scammer sent his clients fake messages from his email account in late 2019.

‘Two of my clients were in the IT business and thankfully both managed to intercept the fraudulent messages but another client unfortunately did lose money to the tune of around £2,000 and was trying to get his bank to compensate him.

My clients identified that I had absolutely nothing to do with the incidents and were kind enough to advise me on regularly changing passwords on my computer, phone and other sensitive apps.

I am much more careful now particularly with invoicing. I never send my bank details via text or email and now issue the details via WhatsApp or I pass them on verbally in their presence. I also never make any reference to certain words such as invoice, payment, money etc. especially on email sub headings. Almost always the client is most grateful that I carry out these precautionary procedures.’

How do I avoid invoice fraud?

Which? has teamed up with Friends Against Scams to keep you and your customers safe. 

We’ve created a factsheet full of tips, covering:

  • What to tell your customers about invoice fraud
  • How to protect your business
  • How to keep your online accounts secure

You can also print or send one of these postcards and template quotations to your customers.

What to do if you think you have been scammed

Contact your bank immediately and report to Action Fraud or Police Scotland (if you live in Scotland).

Secure any online accounts by changing the password. You should also warn all customers and suppliers who may have been sent fake invoices. 

Individuals and small businesses – employing fewer than 10 people and with annual turnover of less than €2 million – may be protected under the Contingent Reimbursement Model (CRM) Code.

This voluntary code commits banks to reimburse victims of APP fraud, provided certain standards have been met. Which? has created a template letter that you can send to the bank if you’ve lost money to an APP scam. 

Nine of the largest current account providers have signed up to this code. 

If your bank isn’t signed up, you should still make a formal complaint, explaining what happened and that you are a victim of APP fraud. All banks must detect, prevent and respond to scams, under existing protections such as the Banking Protocol and anti-money laundering requirements.

Your bank should respond to complaints about fraud within 15 working days. 

If you’re not happy with their response, or they fail to give you a final decision in time, take your complaint to the Financial Ombudsman Service (FOS).
