
Five Ways CFOs Can Protect Themselves from Invoice Fraud

Use this advice to avoid the all too common traps businesses fall victim to.

Invoice fraud can strike an enterprise of any size. For example, a Lithuanian man named Evaldas Rimasauskas orchestrated an invoice fraud scheme that misappropriated more than $122 million from two Silicon Valley technology giants. The invoice fraud scheme led to Google and Facebook making false payments of $23 million and $99 million respectively. All payments were made out to a familiar vendor, or so they thought.

Entrepreneur Barbara Corcoran, who is a television personality on Shark Tank, lost $388,700 as a result of a fake email chain sent to her company. The fake invoice was supposedly sent to Barbara’s assistant and to her bookkeeper who approved the payment for a fake real estate renovation.

Sadly, not all fraud exposures are external. It stings even more when it happens internally. Just ask entrepreneur Mark Cuban, who fell victim to fraud with his first company when his only accounts payable employee managed the entire P2P process and eventually wrote a check to herself for $82,000.

These five simple ways help enterprises protect themselves against invoice fraud.

1. Have one source of vendor truth. This is a simple yet important point. The master vendor file (MVF), not the invoice itself, should be your only source of information for processing payments. Educate your employees that payment information and instructions must follow what is in the MVF, not what is on the invoice.

If the invoice shows different information, inform the person in charge of the MVF and let them confirm the changes with their verified contact at the vendor. Once the changes are confirmed and updated in the MVF, the payment can be approved and completed.

What’s more, companies should ensure the vendor on-boarding and management process is managed by people not involved in any other purchasing activities. This will prevent any payments from being sent to a fake vendor or fraudulent address.

2. Segregation of duties. The practice of segregation of duties is in all likelihood the most important building block and foremost internal control for risk management that a business can put in place. This construct will prevent both external fraud and internal fraud because there are multiple internal parties involved, which in turn requires additional participants to collude for a fraudulent act to succeed.

When it comes to your internal processes, requests for vendor information and payment details should be sent by someone not involved with purchasing activities. This alone would have spared Mark Cuban a hard lesson learned.

3. Verify the purchase with the purchaser. To ensure the validity of the invoice, accounts payable needs to communicate directly with the purchaser to confirm that the details of the purchase, including terms, are legitimate. For example, had Barbara Corcoran been asked whether the real estate purchase was valid, or even seen a copy of the invoice, her team wouldn't have paid a fraudulent invoice for $388,700.

4. Verify products or services were received. To take the verification one step further, it's not enough to just check whether the order was valid. You must also check if the order was received. Again, it comes down to communication. This step can be verified with the receiving party to confirm everything was fulfilled as expected.

Without the added verification, organizations create a risk of paying for something which they might have ordered but never received. 

5. Awareness of fraud possibilities. The world of invoice and payment fraud is ever evolving. Continual education of your team on the latest fraud techniques is the greatest defense. Educate your team on how to identify scams, because the scammers are educating themselves on your team and your company. Today's Business Email Compromise and social phishing efforts are getting more sophisticated. They are often highly personalized and appear to come from a figure of authority with a reasonable, urgent request. An extensive amount of research goes into planning these fraudulent activities because the payoff can be so lucrative, as we saw with Google and Facebook.

Invest in training and rewarding your employees for identifying and preventing these fraudulent efforts. It's not a one-and-done event; you must hold these training sessions regularly and remain current with the latest fraud attempts that have taken place in the market. Constantly review whether your internal controls would have prevented these fraud attempts to gain insight into your areas of exposure.

Your team needs to know how to recognize external attempts such as fake invoices, report internal fraud risk exposures, and identify vulnerabilities in your processes. With the added awareness at both the organizational and staff levels, these efforts will help deter fraud from taking place in your organization.