Bondgate IT is warning businesses and organisations in the North East to be on their guard after a recent spike in invoice fraud.
Cyber criminals hack into employees’ email systems and use their details to send bogus invoices to genuine customers, requesting payment be made to an account set up by the fraudsters.
Garry Brown, managing director of the Darlington-based IT specialist, said it has been alerted to dozens of businesses across the region falling victim to invoice fraud in recent weeks.
He said: “Cybercriminals are taking advantage of the pandemic since more people are working from home – without the usual checks and balances normally in place in the office environment. In addition, some of those working remotely may still be using equipment that doesn’t offer the same level of security as their office equipment.”
Examples of invoice fraud reported in recent weeks involve fake payment demands being sent from a company’s suppliers as well as businesses themselves being targeted by bogus bills.
In one instance, an accounts department received an email purporting to be from a member of staff asking that their wages be paid into a ‘new’ bank account.
Hackers also target the emails of chief executives, chief finance officers, or those authorised to make payments, knowing that emailed instructions to pay invoices or transfer money are less likely to be questioned.
Invoice fraud usually begins with a phishing email designed to steal an employee’s personal information, which is then used to access their account and harvest sensitive data.
Garry said: “Access to an email system provides a cybercriminal with a wealth of valuable information, such as contact lists, the dates of regular invoices and the sums involved – all the while hiding behind the identity of someone considered trustworthy.
“Invoice fraud is a national problem, but we have detected a sudden spate of incidents in the North East within the last few weeks and wanted to warn businesses to be on their guard.
“While there are always ways of improving IT security, one of the most effective methods lies in educating the user. If someone requests a change of bank details or asks for payment to a new account, it should be treated with extreme caution. Check all invoices carefully and verify all changes directly with the person involved by telephone, using the number on their website or one on file, to ensure the instruction is genuine.”