
How to protect yourself against fake PDF invoices?

Alarm reports about online scams are piling up. The methods of deception are becoming ever more cunning. The criminals' new favorite method is to email fake PDF files that are deceptively similar to genuine invoices.
But how do you see through the scam attempts?
Tommie Holmertz of the company Inyett, which specializes in security for supplier payments, gives several good tips on how to protect yourself against elusive fraudsters in the mailbox.

Photo: Tommie Holmertz


Security analysts around the world have noted that attacks via PDF files have increased dramatically in recent years. The phishing methods vary, but most often the recipient is tricked into clicking on an image or button in the fake PDF document, which sets off a chain of redirects the victim cannot control.
One unsuspecting click, and the mistake is made.

Sneaky scams

Tommie Holmertz (pictured) is the marketing manager at Inyett, which offers the Inyett Detect service. It is a tool that checks every supplier payment to minimize the risk of fraud. The service can be linked to all invoicing sent through InExchange.
Because Tommie and his colleagues work daily with security issues, they know most of the dangers associated with transactions.
"We don't stick to the term phishing, but we often communicate about CEO fraud, which in my opinion is a similar concept," he explains, defining the terms in a little more detail:
"Phishing is essentially about fishing for sensitive and secret information under a false identity. CEO fraud is when someone pretends to be a manager or CEO in order to push through a payment."
The two approaches are thus closely related. The measures Tommie suggests for avoiding being swindled are therefore valid in both contexts.
Here are some good tips to take note of:


See if the PDF invoice is coming a different way than normal

- If the supplier normally sends an e-invoice, it is a bit odd that they suddenly want to be paid via a PDF. That is reason enough to be suspicious. This also applies when the CEO has sent an email in advance announcing the PDF invoice. This is exactly how CEO fraud can happen. It starts with the CFO receiving an email from the CEO's hijacked email address saying something like: "I am sending over a PDF invoice to you. It usually comes as an e-invoice, but the supplier is having problems with that right now. We need to pay via PDF instead." Then, when the fake PDF invoice arrives, you think everything is fine because the "CEO" said so. You miss the fact that the account number on the invoice is different from the usual one.

Keep track of non-conforming account numbers

- If you have always paid a supplier to a certain account number, and the same recipient suddenly wants to receive the money on another number, that can be a warning sign. At least if you have not received any notification that the change is going to happen. The supplier may have started using a factoring company. In that case it will be a different account, because the payment goes to the factoring company, which of course is not wrong in itself. The recommendation is still to always make sure that it is the right account.


Require suppliers to have a plusgiro or bankgiro

- Plusgiro and bankgiro accounts have the advantage that you can look up who is linked to the account. This is not possible with ordinary bank accounts, which means there is a risk of sending the money off to the wrong party. For companies that engage many individual entrepreneurs, which is common in various industries, this can be a problem. They end up paying out to lots of bank accounts without having much control over their suppliers. A good piece of advice is therefore to inform your suppliers that you want them to have a plusgiro or bankgiro. It is actually something you can write into your supplier policy.


Have a single dedicated recipient address

- A good tip is to make it a principle in your business relationships that suppliers send their invoices to one specific invoice address, so that you have only one way in for incoming invoices. If invoices land in different places, control is easily weakened. On the one hand, the recipient thinks, "Oh, I remember that purchase we made," and may not pay attention to the account number. On the other hand, the finance manager's attention drops, because the reasoning is that "my colleague has already seen this invoice, I'll just ask for sign-off." In other words, it is not a good idea to receive invoices all across the organization. A single clear invoice recipient address, to which everything goes, is a good security recipe.


Wash and check the supplier register regularly

- I think it is a reasonable recommendation to clean and check your customer and supplier records at least once a year. This means making sure that addresses are correct, names are correct, account numbers are correct and so on. Just as you service the car at regular intervals, it should be a matter of course to inspect the customer and supplier register. It is an important job. Yet many companies do not do it.
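The tips above can be turned into a simple pre-payment check against the supplier register. The following is an added example written for this article, not Inyett Detect or InExchange code; the inbox address, the supplier "Acme Transport AB" and the giro numbers are constructed, and the check digit test relies on bankgiro and plusgiro numbers carrying a modulus-10 (Luhn) check digit.

```python
from dataclasses import dataclass, field

# Constructed for this example: the single dedicated invoice inbox from the tip above.
INVOICE_INBOX = "invoice@example.com"


@dataclass
class Supplier:
    giro: str                                   # bankgiro/plusgiro number on file
    channel: str                                # how the supplier normally delivers: "e-invoice" or "pdf"
    announced_giros: set = field(default_factory=set)  # e.g. a factoring company's giro, notified in advance


@dataclass
class Invoice:
    supplier: str
    account: str
    account_type: str                           # "bankgiro", "plusgiro" or "bank account"
    channel: str
    sent_to: str


def digits(s: str) -> str:
    return "".join(ch for ch in s if ch.isdigit())


def luhn_ok(number: str) -> bool:
    """Modulus-10 (Luhn) check digit, as used by Swedish bankgiro and plusgiro numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits(number))):
        d = int(ch)
        if i % 2 == 1:                          # double every second digit, counted from the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_invoice(inv: Invoice, register: dict) -> list:
    """Return the warning signs from the tips above that apply to this invoice."""
    sup = register.get(inv.supplier)
    if sup is None:
        return ["supplier is not in the register: verify before paying"]
    warnings = []
    if inv.sent_to.lower() != INVOICE_INBOX:
        warnings.append(f"arrived at {inv.sent_to}, not the dedicated invoice address")
    if inv.channel != sup.channel:
        warnings.append(f"supplier normally sends {sup.channel}, this one came as {inv.channel}")
    if inv.account_type == "bank account":
        warnings.append("plain bank account: holder cannot be looked up, require a giro")
    elif not luhn_ok(inv.account):
        warnings.append("giro number fails its check digit: mistyped or fabricated")
    known = {digits(sup.giro)} | {digits(g) for g in sup.announced_giros}
    if digits(inv.account) not in known:
        warnings.append(f"account {inv.account} differs from the registered {sup.giro}: confirm via a known contact")
    return warnings


# Constructed supplier register: Acme normally sends e-invoices to bankgiro 5050-1055.
REGISTER = {"Acme Transport AB": Supplier(giro="5050-1055", channel="e-invoice")}
```

An invoice that matches the register produces no warnings; the CEO-fraud pattern from the first tip (PDF instead of e-invoice, sent to the CFO, new account number) raises all three of its warning signs at once.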
