Invoice fraud is a major risk for small and medium-sized businesses (SMBs). Recently, a construction company in Victoria lost over $900,000 when scammers altered the bank details on a legitimate invoice sent from a supplier's compromised email account. The case shows why a business needs active, written procedures to protect itself against this kind of fraud, not just awareness of it.
SMB1001 Certification, a cybersecurity standard, tackles this issue through its requirement 4.2: “Implement a policy with procedures to manage invoice fraud.” Here’s how you can meet this requirement and protect your business.
How the Scam Worked
In this case, criminals accessed a supplier’s email account, altered an invoice’s bank details, and sent it to the victim company. Thinking it was legitimate, the company paid the scammers directly.

Key points to note:
- Compromised email: The criminals had control of the supplier's real mailbox, not a look-alike address.
- Altered invoice: They replaced the supplier's bank details with their own on an otherwise genuine invoice.
- Realistic appearance: Because the message really was sent from the supplier's account, the sender address, signature and invoice format all checked out. Looking at the "From" address, or relying on email authentication such as SPF/DKIM, does not catch this variant; only confirming the bank details through a separate channel does.
Practical Steps to Prevent Invoice Fraud
To comply with SMB1001 requirement 4.2 and protect against invoice fraud, consider these steps:
Verify Invoice Details
- Check every invoice against the supplier details already on file, and treat any change to a BSB or account number as a red flag.
- Confirm changes through a trusted channel: call the supplier on the phone number recorded when they were onboarded, never the number printed on the invoice or in the email requesting the change (an attacker who controls the mailbox controls that number too). Hold the payment until the call is done and recorded.
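The check described above, written out as a payment-release gate, is shown here as an added example; it is not code from the article or from the SMB1001 standard, and the class and field names (`PaymentGate`, `SupplierRecord`, `CallBack`), the decision values and the sample supplier and invoice data are all assumptions constructed for the illustration. The point it demonstrates is that a call-back only counts if it was made to the number already on file, and that the master record is updated only after such a call-back confirms the change.

```python
"""Payment-release gate: bank details on an invoice are compared with the
supplier master record; any change is held until confirmed by a call-back to
the phone number already on file (never the number on the invoice itself)."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class SupplierRecord:
    """Details captured at onboarding: the trusted source for comparisons."""
    supplier_id: str
    name: str
    bsb: str            # Australian bank-state-branch code (constructed sample)
    account: str
    phone_on_file: str  # number verified at onboarding, used for call-backs


@dataclass(frozen=True)
class Invoice:
    supplier_id: str
    invoice_no: str
    amount: float
    bsb: str
    account: str
    phone_on_invoice: str  # whatever the email says; an attacker controls this


@dataclass(frozen=True)
class CallBack:
    """Record of an accounts-payable staff member phoning the supplier."""
    invoice_no: str
    number_dialled: str
    verified_by: str
    confirmed: bool


class PaymentGate:
    def __init__(self, suppliers):
        self.suppliers: Dict[str, SupplierRecord] = {s.supplier_id: s for s in suppliers}
        self.callbacks: Dict[str, CallBack] = {}

    def record_callback(self, cb: CallBack) -> None:
        self.callbacks[cb.invoice_no] = cb

    def assess(self, inv: Invoice) -> Tuple[str, str]:
        """Return (decision, reason); decision is PAY, HOLD or PAY_AND_UPDATE."""
        sup = self.suppliers.get(inv.supplier_id)
        if sup is None:
            return ("HOLD", "supplier not in master file; onboard before paying")
        if (inv.bsb, inv.account) == (sup.bsb, sup.account):
            return ("PAY", "bank details match supplier record")
        # Details differ: only a call-back to the number on file can clear it.
        cb = self.callbacks.get(inv.invoice_no)
        if cb is None:
            return ("HOLD", f"bank details changed; call {sup.name} on {sup.phone_on_file}, "
                            f"not the number on the invoice")
        if cb.number_dialled != sup.phone_on_file:
            return ("HOLD", "call-back used a number not on file; repeat with the master-record number")
        if not cb.confirmed:
            return ("HOLD", "supplier did not confirm the new details; treat the invoice as fraudulent")
        return ("PAY_AND_UPDATE", f"change confirmed by {cb.verified_by} on {sup.phone_on_file}")

    def apply_verified_change(self, inv: Invoice) -> None:
        """Update the master record only once assess() has returned PAY_AND_UPDATE."""
        decision, reason = self.assess(inv)
        if decision != "PAY_AND_UPDATE":
            raise ValueError(f"refusing to update supplier record: {reason}")
        old = self.suppliers[inv.supplier_id]
        self.suppliers[inv.supplier_id] = SupplierRecord(
            old.supplier_id, old.name, inv.bsb, inv.account, old.phone_on_file)


# Constructed sample data (not from the article): one supplier, one genuine
# invoice, one sent from the supplier's compromised mailbox with altered
# details, and one genuine change of bank that the supplier confirms.
SUPPLIERS = [SupplierRecord("S-100", "Acme Concrete", "063-000", "12345678", "03 9000 0000")]
GENUINE = Invoice("S-100", "INV-2041", 48250.00, "063-000", "12345678", "03 9000 0000")
ALTERED = Invoice("S-100", "INV-2042", 912000.00, "013-999", "87654321", "0400 000 000")
REAL_CHANGE = Invoice("S-100", "INV-2043", 15000.00, "033-123", "55555555", "03 9000 0000")


def demo() -> Dict[str, str]:
    """Run the gate over the sample invoices and return decision per scenario."""
    gate = PaymentGate(SUPPLIERS)
    out = {"genuine": gate.assess(GENUINE)[0],
           "altered_no_callback": gate.assess(ALTERED)[0]}
    # Staff phone the number printed on the invoice: the attacker "confirms".
    gate.record_callback(CallBack("INV-2042", ALTERED.phone_on_invoice, "jsmith", True))
    out["altered_callback_to_invoice_number"] = gate.assess(ALTERED)[0]
    # Staff phone the number on file: the real supplier never changed banks.
    gate.record_callback(CallBack("INV-2042", "03 9000 0000", "jsmith", False))
    out["altered_callback_denied"] = gate.assess(ALTERED)[0]
    # A genuine change, confirmed on the number on file, is paid and recorded.
    gate.record_callback(CallBack("INV-2043", "03 9000 0000", "jsmith", True))
    out["real_change"] = gate.assess(REAL_CHANGE)[0]
    gate.apply_verified_change(REAL_CHANGE)
    out["real_change_after_update"] = gate.assess(REAL_CHANGE)[0]
    return out


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```

In a real accounts-payable system the `CallBack` record would be stored with the invoice so an auditor can later see who confirmed a change, on which number, and when; the number dialled is the field that matters, since a call-back to a number supplied by the attacker proves nothing.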
Strengthen Email Security
- Enable multi-factor authentication (MFA) on all email accounts, so a stolen password alone is not enough to take over a mailbox.
- Use tools that flag phishing attempts and signs of a compromised account, such as sign-ins from unfamiliar locations or newly created mailbox forwarding rules.
Train Your Team
- Teach employees, especially accounts staff, how to spot suspicious emails and payment-change requests.
- Run regular phishing simulations to check that they can recognise fraud and know how to report it.
Maintain Strong Supplier Relationships
- Regularly review supplier information, including contact phone numbers, and keep records up to date.
- Agree with suppliers in advance how changes to payment details will be communicated and confirmed, for example through a digital trust program.
Use Secure Tools and Systems
- Install antivirus software and firewalls.
- Keep all devices updated with the latest security patches.
- Use password managers so every account has a unique, strong password.
Plan for Incidents
- Create a clear fraud response process for your team: who to notify, how to contact the bank to attempt a recall of the funds, and how to reset the compromised account.
- Conduct vulnerability and penetration tests to identify weaknesses.
How This Fits with SMB1001 Certification
To meet SMB1001’s requirement 4.2, your policy should:
- Identify Risks: Look for gaps in your invoicing process, such as bank-detail changes being accepted by email alone.
- Define Procedures: Explain how invoices are verified and how a change of bank details is confirmed before payment.
- Assign Responsibilities: Identify who checks invoices, who makes the confirmation call, and who approves payments.
- Monitor Compliance: Check that the procedures are actually being followed, and review and update the policy regularly to stay ahead of new threats.
Integrating this policy with the broader SMB1001 requirements, such as MFA and cybersecurity training, creates a layered defence against invoice fraud.
Not sure how secure your business is? Book a free Threat Check. In 15 minutes you can gain a sense of clarity on how secure your IT infrastructure is. Don't leave it to your IT company; they are busy fixing your printer and keeping your internet going.