What is invoice redirection fraud?
Invoice redirection fraud is a type of cybercrime in which a fraudster intercepts and redirects legitimate invoices to a fraudulent bank account. This can be done by hacking into the email account of the sender or recipient of the invoice. Alternatively, it can be done by sending a spoofed email that appears to be from the sender.
This type of fraud is becoming increasingly sophisticated as technology improves. Fraudsters are now able to create emails that are virtually indistinguishable from legitimate emails, and they are also using a variety of techniques to avoid detection.
One common technique is to send a “follow-up” email shortly after the original invoice, stating that the sender’s bank account details have changed. These emails appear to come from the legitimate sender, and the address typically looks like the legitimate one but, upon closer inspection, differs from it (for example by a swapped or added character). Because replies go to that lookalike address, the legitimate sender never sees them and is not alerted to the fraud. Such emails may also contain a link to a fake website that imitates the website of the sender’s company.
Another technique is to use a legitimate email address that has been compromised. This can be done by hacking into the email account directly, or by purchasing stolen login credentials for it from a dark web marketplace.
Implications for Businesses
Invoice redirection fraud can have a devastating impact on businesses of all sizes. If a business pays an invoice to a fraudulent bank account, it is unlikely to recover the funds. This can lead to financial losses, cash flow problems, and even bankruptcy.
In the 2013 case Factory Direct Fencing,[1] the plaintiff, Factory Direct Fencing Pty Ltd, was importing fencing products into Australia from the defendant, Kong AH International Company Limited, which was an exporter from Hong Kong.
The parties’ correspondence was largely through email. The plaintiff would order aluminium fencing products by email and the defendant would reply with its bank account details. The plaintiff would then send a deposit to the nominated bank account and the defendant would deliver the goods to be transported to Australia. The defendant would advise the carrier when the balance payment was received, and the carrier would then release the goods in Australia to the plaintiff.
At some point, a fraudster intervened in the email correspondence between the plaintiff and defendant. The fraudster impersonated the defendant and emailed the plaintiff requesting payment to the fraudster’s bank account. Upon the request of the fraudster, the plaintiff paid to the fraudster’s bank account 70% of the price, being the balance due on the goods.
Unaware of this development, the defendant remained unpaid. As such, when the goods arrived in Australia in the custody of the carrier, the defendant refused to authorise the carrier to release the goods to the plaintiff. The plaintiff subsequently brought legal action against the defendant, seeking the release of the goods.
The Court held that the plaintiff was not entitled to immediate possession of the goods, and that the defendant was entitled to further payment. The Court also found that the defendant owed no duty of care to the plaintiff in tort or in contract to guard against misdirecting emails intended for the plaintiff.
The case of Factory Direct Fencing highlights the importance of businesses taking extra care when receiving invoices and making online payments. If a business acts on a fraudulent email, the loss sits with the party that made the misdirected payment, not with the party whose email address has been compromised. Businesses should therefore always verify bank account details before making any payments, and they should use a secure payment method whenever possible.
How to Protect Yourself from Invoice Redirection Fraud
There are several steps that businesses can take to protect themselves from invoice redirection fraud. Some of these are outlined below:
- Verify the contact details that the email has come from. Open the sender’s contact card to confirm that the actual address you are replying to is the same address the vendor has always used, not a lookalike hidden behind a familiar display name.
- Verify bank account details before making any payments. If you receive an invoice with new bank account details, contact the sender directly to verify them. This verification should be done over the phone. Do not rely on the information in the email.
- Use a secure payment method. When possible, use a secure payment method such as credit card or PayPal. This will give you some protection if the payment is fraudulent.
- Educate your employees about invoice redirection fraud. Make sure your employees know how to identify and report suspicious emails.
- Implement a two-factor authentication process for all email accounts. This will add an extra layer of security to your email accounts and make it more difficult for fraudsters to gain access to them.
- Use a spam filter and antivirus software. This will help to block phishing emails and other malware that could be used to steal your bank account details.
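The first two checks above can be partly automated at the mail gateway or in the accounts-payable inbox. The following is an added example, not code from the article or the firm: it parses an incoming message with Python’s standard email library and flags a sender domain that merely resembles the recorded vendor domain, a Reply-To that diverts replies elsewhere, and a body announcing new bank details. The vendor domain, the sample message and the addresses in it are constructed.

```python
"""Added example: flag the "follow-up" invoice email pattern described above."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed allow-list (assumption): the vendor's real domain as recorded at onboarding.
KNOWN_VENDOR_DOMAINS = {"kong-ah-example.com"}
# Phrases that announce changed payment details, in either word order.
BANK_CHANGE = re.compile(r"\b(new|changed|updated)\b.{0,30}\bbank\b|\bbank\b.{0,30}\b(changed|updated)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 or 2 between domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value: str) -> str:
    """Extract the domain from a From/Reply-To header, ignoring the display name."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess_invoice_email(raw: str) -> list:
    """Return a list of red flags; an empty list means no lookalike or redirect indicators."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    if from_dom not in KNOWN_VENDOR_DOMAINS:
        near = [d for d in KNOWN_VENDOR_DOMAINS if 0 < edit_distance(from_dom, d) <= 2]
        flags.append(f"lookalike sender domain {from_dom!r} (resembles {near[0]!r})" if near
                     else f"unknown sender domain {from_dom!r}")
    if reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    if BANK_CHANGE.search(body):
        flags.append("body announces new bank account details; verify by phone on a known number")
    return flags

# Constructed sample mimicking the follow-up email the article describes ("l" replaced by "1").
SAMPLE = """From: Accounts <accounts@kong-ah-examp1e.com>
Reply-To: accounts@kong-ah-examp1e.com
To: payments@fdf-example.com.au
Subject: Re: Invoice 4471 - updated bank account details

Please note our bank account details have changed; remit the 70% balance to the new account.
"""

if __name__ == "__main__":
    for flag in assess_invoice_email(SAMPLE):
        print("FLAG:", flag)
```

A flagged message should be held for the phone verification step rather than auto-rejected, since a genuine vendor may also change its bank.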
What to do next
If you would like to know more about the legal actions available to your business in the event of invoice redirection fraud, please do not hesitate to contact Daniel Morgan at daniel@morganenglish.com.au.
[1] Factory Direct Fencing Pty Ltd v Kong AH International Company Limited [2013] QDC 239 (‘Factory Direct Fencing’).