Invoice fraud is a threat to everyone. It occurs when criminals target a legitimate payment by a customer to a business, and redirect that money to another bank account.
The scam will only come to light when it’s too late - either because your real supplier is chasing you for payment, or your customer is insisting that they’ve already paid you.
Invoice fraud is categorised as an ‘authorised push payment’ or APP scam. It’s called that because victims are tricked into making the transfers themselves. UK Finance, a trade association for the banking industry, says that invoice fraud losses hit £50.3m in 2023, up 2% year-on-year.
Scammers typically hack into your email account to intercept messages with customers and suppliers. This isn’t as difficult as you might think – your password may have been leaked online, for example, or they may have used phishing tactics to steal your login details.
Once they’re in, they can search for messages about invoices you regularly send or receive, making note of the way you write and any other details that could help them impersonate you.
Armed with this information, they can then send fake invoices to your customers or suppliers – either by doctoring an existing invoice, or creating a new one – using their own bank details.
Even without access to your emails, fraudsters may simply imitate your business name by falsifying the ‘sender name’ of an email, as you can see below. The real sender is shown in <brackets> here, and has nothing to do with Tesco Bank.
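As an added example (not part of the Which? article), here is a small Python check for the display-name trick just described: it compares the name a mail client shows with the address inside the angle brackets. The brand-to-domain table and the sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed lookup (an assumption for this example, not from the article):
# brand names that may appear in a display name, mapped to the domains each
# brand is known to send from. In practice this comes from your supplier records.
KNOWN_BRAND_DOMAINS = {
    "tesco bank": {"tescobank.com"},
    "acme supplies": {"acmesupplies.example"},
}

def address_domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_from_header(from_header):
    """Classify a From: header as 'ok', 'display-name spoof' or 'unknown'.

    parseaddr() splits '"Tesco Bank" <x@y>' into the display name (what the
    mail client shows) and the real address in angle brackets.
    """
    name, addr = parseaddr(from_header)
    real_domain = address_domain(addr)
    result = {"display_name": name, "address": addr,
              "verdict": "unknown", "reason": "no known brand in display name"}

    # Trick 1: the display name is itself an address, e.g.
    # "accounts@acmesupplies.example" <random@webmail.example>.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if embedded and embedded.group(1).lower() != real_domain:
        result["verdict"] = "display-name spoof"
        result["reason"] = (f"display name claims {embedded.group(1)}, "
                            f"but mail came from {real_domain}")
        return result

    # Trick 2: the display name carries a known brand, but the real address
    # is not on one of that brand's domains.
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in name.lower():
            if real_domain in domains:
                result["verdict"], result["reason"] = "ok", f"{brand} sent from {real_domain}"
            else:
                result["verdict"] = "display-name spoof"
                result["reason"] = f"display name says {brand!r} but domain is {real_domain}"
            return result
    return result

if __name__ == "__main__":
    for header in ['"Tesco Bank" <payments.update1234@webmail.example>',
                   'Tesco Bank <notices@tescobank.com>',
                   '"accounts@acmesupplies.example" <invoices-dept@webmail.example>']:
        print(check_from_header(header))
```

The check is only a first filter: a sender who has taken over a real supplier mailbox passes it, so bank details on an invoice should still be confirmed by a phone call to a number you already hold.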
Which? has teamed up with Friends Against Scams to keep you and your customers safe.
We’ve created a factsheet full of tips, covering:
Contact your bank immediately and report to Action Fraud or Police Scotland (if you live in Scotland).
Secure any online accounts by changing the password. You should also warn all customers and suppliers who may have been sent fake invoices.
Individuals and small businesses – employing fewer than 10 people and with annual turnover of less than €2 million – may be protected under the Contingent Reimbursement Model (CRM) Code.
This voluntary code commits banks to reimburse victims of APP fraud, provided certain standards have been met. Which? has created a template letter that you can send to the bank if you’ve lost money to an APP scam.
Only ten of the largest current account providers have signed up to this code, but it will be replaced by a mandatory reimbursement scheme in October 2024, when over 1,500 firms using Faster Payments will split the cost of refunding customers who lose money to APP fraud.
If your bank isn’t signed up, you should still make a formal complaint, explaining what happened and that you are a victim of APP fraud. All banks must detect, prevent and respond to scams, under existing protections such as the Banking Protocol and anti-money laundering requirements.
Your bank should respond to complaints about fraud within 15 working days.
If you’re not happy with their response, or they fail to give you a final decision in time, take your complaint to the Financial Ombudsman Service (FOS).
Stay safe: sign up for Which? Scam Alerts.