Online security

12 July 2018

Invoicing fraud

Protect your business from invoicing fraud

Important information!

If fraud is detected after the transfer has already been made, notify your ING contact immediately so that an attempt can be made to block the funds before they disappear. Bear in mind that after 12 hours it is practically impossible to recover stolen amounts.

What is it? What are the consequences?

Invoicing fraud takes many forms. In all cases, the fraudsters replace the banking details of the company that issued the invoice with their own and, as a result, receive the amounts invoiced.

What happens?
  • The criminals intercept the invoice between the time it is posted and the time it is received, or by hacking the e-mail mailboxes used to send it.
  • The fraudsters change the invoice to show their own banking details. They can do this in different ways: a new invoice is drawn up with the new details, a sticker (often fluorescent) showing the fraudsters' banking details and mentioning a change of bank is placed over the real banking details, etc. The invoice is then sent again.
  • The invoice is received and paid to the new bank account number. It is highly likely that the following invoices will also be paid to the wrong account until the real issuer of the invoice realises that its invoices have not been paid and contacts the debtor company.

Variants of such fraud

Invoicing fraud comes in several varieties. For instance, the debtor company receives an e-mail from what it thinks is its supplier, announcing a change of bank and consequently of account number. This message bears the supplier's letterhead and seems legitimate. In such cases, no invoices are intercepted; an ordinary message with the new banking details is sent instead. According to the message, all pending invoices as well as subsequent invoices must be paid to the new account number.

Whatever the scenario, the aim of the criminals is to change what we call the supplier details (phone number, bank references, e-mail address) in order to steal money.

How to protect yourself as the issuer of invoices?

To limit the risks of your invoices being intercepted, avoid sending them in an envelope with your logo or any name identifying your company.

We recommend sending each invoice through two different channels, for instance by e-mail and by post. Your debtor must then be informed that it must only pay bills where both copies of the invoice are identical. Writing your banking details in red on the invoice makes them easier to check prior to payment.

How to protect yourself as the receiver of invoices?

It is very easy to protect against this type of fraud by calling back to confirm. Any change in your suppliers' details (address, phone number, e-mail address, account number, etc.) must result in a phone call to the usual number (and not to the number indicated on the invoice). This is how attempted fraud can be detected quickly.

Who to contact in case of doubt or fraud?

If you notice attempted fraud or if fraud has occurred in your business, immediately inform your ING contact or send an e-mail to fraud@ing.be. By calling your bank quickly, you increase the likelihood of recovering the embezzled funds.

Other formalities with the authorities may also be required (filing a complaint with the police, etc.). Our specialists can also advise you on the steps to be taken.

How to use this document?

We recommend that you distribute this article in your company. Advise all directors to read it, as well as anyone with power of attorney over the company's accounts. Fraudsters often target the latter.

Unfortunately, total protection does not exist, as fraud is often linked to a human factor. Nonetheless, if you communicate and apply the recommendations made in this leaflet in your business, you can reduce the risks considerably. This leaflet is offered for purely informational purposes by ING and has no contractual value. Consequently, it may under no circumstances serve as a basis to hold ING liable, in particular if, despite these recommendations, your company is a victim of any of the scams detailed in these pages.