Gabi Power, 10 November 2022 09:38:42 AEDT

What are False Billing Scams?

According to ScamWatch, from January to September of 2022, false billing scams were the second most commonly reported scam type in Australia and cost citizens almost $16 million.

There are a number of different scam types that fall under the umbrella of ‘false billing’, although the most damaging and costly are typically those that involve business email compromise (BEC). This is commonly the case for payment redirection scams, where a hacker compromises the email account of one of your regular suppliers, or simply uses their name and branding, and then sends a message saying that the supplier has updated its banking details and asking you to update them in your system for all future payments. These scams are often not picked up until the real supplier questions why they haven’t been paid.

Alternatively, the fraudster may send through a fake invoice which needs to be settled by the accounts department urgently. In some circumstances, these invoices are loaded with malware in an attempt to infect your device.  

Invoice scams are especially common within the construction industry, partially due to the frequency of transactions between suppliers and builders. Last year, Xero conducted a study which revealed that almost one in five Australian small businesses had been a victim of invoice fraud. For small businesses with between five and 19 employees, the average cost of the fraud was $25,370, a sum that many can’t afford to lose.

However, invoice fraud is a point of concern for all businesses, big or small. In 2019, Google and Facebook both fell victim to invoice fraud by the same scammer, costing them $23 million and $100 million respectively.

Other cons that fall into the category of false billing, as defined by ScamWatch, include: 

  • Domain renewal scams
    Where you’re either sent an invoice for payment of a domain name that’s almost identical to the one used by your business (e.g. .au instead of .com), or you’re sent a letter that looks like a renewal notice for your real domain, but it’s not from the company you originally registered it with.  
  • Fake directories and advertising scams
    You may be contacted to say you’re receiving free entry into a directory, but in reality, the form you fill out is actually an invoice or contract in disguise, with the amount owed hidden. Alternatively, you could be contacted by a scammer who claims your business’s advertising has already been booked/run and is now demanding payment.  
  • Office supply scams 
    Scammers may pose as your supplier, or as new ones, and either persuade you to order overpriced and poor-quality goods or claim that you have been sent goods which you have not paid for. Sometimes they will send follow-up invoices, claiming that you agreed to an ongoing contract.  

With these scams continuing to affect so many Australians year on year, ScamWatch has advised of the following warning signs:  

  • You receive an invoice or phone call from a business directory or other publication you’ve never heard of, ‘confirming’ your entry or advertisement. You recognise the listing as one you put in a different publication.
  • The caller claims that the government requires you to be listed in their register.
  • You receive a letter or an invoice requesting payment for a domain registration or renewal. The renewal fee may be much higher than usual or be registered with a different company. The domain name may be very similar to your actual domain name with a different ending.  
  • You receive an invoice for goods or services you did not order or a call from somebody claiming to be your regular supplier, offering goods that you have ordered before.  

In order to protect yourself and your business from false billing scams, you can take these steps:  

  • If you receive an email from a supplier claiming their banking details have changed, call the business to confirm this is true  
  • Limit the number of individuals in your business who are authorised to make orders or payments 
  • Check that goods or services were ordered and received before paying an invoice 
  • Make sure to get proof of a directory entry before paying, and do not pay for anything you did not authorise.  
  • Take note of your domain name registration provider, and ignore correspondence from all others 

If you believe you have fallen victim to a false billing scam, learn where to report it here 

Keep Your Business Protected 

Prevention is always better than a cure, and the best defence is for your business to proactively boost its cyber resilience levels to avoid threats landing in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for your business to fortify.

No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or Google Workspace, you should also have third-party solutions in place to mitigate your risk. For example, using a specialist cloud email security solution like MailGuard to complement Microsoft 365.  

For more information about how MailGuard can help defend your inboxes, reach out to our team at . 

