Fighting the friction of fraud

The ongoing risk of invoice fraud affects virtually every company, so it’s helpful to be reminded every now and then, not just of the threat itself, but the potential consequences and the ease with which the crime can be committed.

For example, two recent instances of fraud in the news are notable for the brazenness of their execution and the large amounts stolen. In the first, a Dell employee, her husband and a third person stole more than $1 million from her employer by filing fraudulent invoices, according to court records. The couple used a business name to send invoices for computer-aided design services that were never rendered, or in some cases only partially rendered.

In retrospect, the act seemed destined to fail, yet the fact that invoices were processed, and checks issued and cleared, suggests that it had some chance of succeeding. Indeed, it may be a testament to Dell’s diligence and personnel that they were able to foil the plot at all.

We don’t know whether the invoices in question were submitted by mail as paper invoices, or via email as PDFs. What we do know is that neither format offers an easy way to verify that an invoice is genuine, which is why an incident like this makes a strong case for true e-invoicing on a secure supplier network, where trust is ensured by enrollment on the network, and where invoice validation is guaranteed by the process.

The second story of fraud was more complicated because it depended on hacking as well as fraud. In this case, several art galleries in London and their clients made payments of up to £1 million to criminals who fraudulently claimed to be acting on behalf of the seller of an artwork that had been purchased. In this scheme, which was repeated multiple times, the perpetrators hacked into the email of a gallery and hijacked email conversations that followed a sale. The criminals then sent emails to buyers from the gallery’s email address, informed them that the previous invoices they received were in error, and instructed them to make payment to the hackers’ accounts instead.

The fraudsters also ran the scam in reverse, sending emails from artists’ accounts to their galleries, requesting payment for artworks to be made to fraudulent accounts rather than to the artists’ accounts.

One thing that might have prevented the fraud is greater scrutiny of the perpetrators by the banks where they opened fraudulent accounts; another is a higher level of awareness of the problem by the victims, and perhaps even legislation. For instance, the EU General Data Protection Regulation, which will be implemented in the UK this year, could result in significant fines for businesses that fail to protect client email addresses.

The case ought to give Buyers and Suppliers pause over their reliance on email. The artists and galleries who saw emails coming from trusted email accounts assumed they were secure, but the thieves leveraged this trust to exploit a particular weakness of PDF invoices: their susceptibility to email hacking. Buyers who believe that a PDF coming from a Supplier’s email must be valid should realize that it could be as risky as a paper invoice coming through the mail.

Invoice fraud is on the rise, as technology brings with it new opportunities for fraudsters as well as for legitimate businesses. For instance, the payments manager for the London Borough of Bexley, a Tungsten Network customer since 2006, describes how government regulations require the borough’s supplier information to be posted on their website, providing transparency to citizens but also making the job of fraudsters seeking to impersonate suppliers easier. Without e-invoicing, it’s a dangerous scenario, but thanks to Tungsten Network, a benign one: with our suppliers submitting invoices through the platform, we know that every invoice received is 100% legitimate.

For businesses that are concerned about invoice fraud, it’s worth reading her account of the platform’s positive effects. In her words, these benefits go beyond reducing paper, because today P2P friction comes in many forms.

About the author

Alphus Hinds

As Manager of Cyber Risk, Security and Compliance, Alphus Hinds is tasked with ensuring that Tungsten Network continues to be ahead of the game when it comes to protecting data and systems from ever-evolving cyber threats. A seasoned risk practitioner in technology and security, Alphus was part of the security teams on the last three Olympic Games where he helped to secure their operational and technology environments, and was also Head of Security for the Glasgow 2014 Commonwealth Games.