The U.S. Postal Service reports that every year businesses pay out millions, and potentially billions, of dollars to phony invoice schemes. The variety of these scams is broad, ranging from fake yellow Pages to bogus domain name registries, from unwanted office supplies to seemingly well-intentioned charities. Scams may go on for months, or even years, before victims discover the problem.
Since February of 2012, PhonyInvoices.com founder Barnett Helzberg and a few key employees have been researching this problem, and have uncovered five major misconceptions about the rapidly growing field of fake invoice fraud.
Myth No. 1: It's small-time. It's true, the actual dollar amount per invoice scam may appear "small time," sometimes no more than $150 a year. But take a step back and see just how many of these invoice scams actually get sent out. Scammers will literally blanket an entire region. They are indiscriminate as to who they mail, fax and e-mail their solicitations to. The postage alone would cost a small fortune.
It doesn't end with just scam invoices going out. Once the invoices land in Accounts Payable, scam companies are set up to follow up on them. Call the listed numbers and you'll get a fully staffed call center. Don't pay their bill, and in few weeks you'll get a call from their dedicated collections department.
Operations like this are anything but "small time." In 2010, three Florida men were implicated in a business directory scam. Federal court records show that their fake company deposited $425 million into a Bank of America account over the course of four years. These are not small timers.
Myth No. 2: They're only hitting small, unsophisticated businesses. It is true that small businesses are prime targets for this type of generic invoice fraud. In addition to their mostly unsophisticated accounting controls, small-business employees are usually overworked, wearing multiple hats and sharing various responsibilities. Business is always a blur, and who has time to scrutinize each invoice that comes in?
But it's not just small businesses that are at risk. Granted, midsized to enterprise-level companies often have more robust accounting controls. But that same overworked blur of a work environment that we see in a small business can also exist in a midsized to enterprise company. But now you've got even more complexities: multiple locations, international locations, multiple managers and departments with payment approval authority, rapid growth or aggressive cost cutting. These enterprise companies may not be as "fool-proof" as you would imagine.
This was what publishing giant Conde Nast found out, losing $8 million in just two months. One e-mail is all it took. Quad Graph, a bogus business entity that sounded suspiciously similar to Quad/Graphics, a real Conde print vendor, sent an e-mail outlining how Conde Nast should send future payments to the new Quad Graph account. Payments went out over ACH. Two months and $8 million later, the real Quad/Graphics calls, asking about their missing payments.
Myth No. 3: They are easy to spot. That's partially true. Some of these scams are pretty obvious and easy to spot. An online directory with no visitors and horrible navigation? An international patent administrator with a billing address in the Czech Republic? A Paypal account password notification with an e-mail address from Hotmail.com?
But what about domain registrations with your domain and service date listed on the invoice? What about the patent fees that came just two weeks after your company filed for a new patent? What about the charity payment requests, all from seemingly local organizations? What about labor law postings sent out by very governmental-looking agencies? They look like real bills; they have account numbers, service dates, payment dates -- sometimes they are even addressed to the right person in Accounts Payable.
Fraudsters also have the benefit of exploiting real-world market analysis. They basically get to test out their scams in the real world, seeing what sticks and what makes money. In the last few years, these vendor scams have also increased in sophistication and social engineering.
Myth No. 4: Law enforcement is taking care of this. We do see law enforcement crack down every so often. But here is the complication: Invoice fraud is not always illegal.
Look at one of the fake business directory, trademark, or domain name registrations the next time your company gets one. Look closely. Look at the very fine print ... and you will often see that there is a disclaimer: "This is not an invoice. This is a solicitation. If you sign here, you are entering a binding agreement to pay for this service." It's all there!
Furthermore, many of these companies actually deliver a product! Did you pay $500 to be listed in the U.S. Directory of Companies? Well, after you pay, you will actually be added to the U.S. Directory of Companies. Who really sees this directory? No one, really. Who gets this publication? No one, really. Is this on the Internet, made available to the millions of people on the Web? Yes - but no one knows it's there. But once again, the letter of the law was fulfilled.
Myth No. 5: Someone must be taking care of this. When it comes to the invoice payment scams that we have identified, there is very little being done. There is a mishmash of articles and reports given by different scam watch organizations, state attorneys general, the Federal Bureau of Investigation, or the Better Business Bureau. But we found nothing comprehensive, coordinated, or focused on these untold missing billions. Just as these individual payments slip through the cracks of a company's accounts payable, this problem as a whole seems to have slipped through the cracks of legal and corporate attention. Companies rely on their accountants and auditors to find fraud and other suspicious activities. Banks and credit card companies used to shoulder 100 percent of anti-fraud techniques. This is no longer the case. Along with law enforcement, accountants, auditors and banks have gone the way of focusing on internal fraud and identity theft. There is an increasing demand for private companies to look into adopting their own measures.
"Businesses must get over their embarrassment and denial about this risk," said Helzberg. "It happens to even the most careful businesses, and it is not going away."
Jonathan Lee, MBA, oversees sales and business development opportunities at phonyinvoices.com in Kansas City, mo., which provides solutions for detecting and preventing invoice fraud.
