Invoice fraud is a malicious, shape-shifting menace that cost organisations a staggering £9 million in damages in the first six months of 2018 alone.
What makes invoice fraud a particularly challenging threat is the fact that it comes in a variety of shapes and sizes, making it very difficult to spot and even harder to prevent. One of those most problematic forms is “passing off” fraud – making a misrepresentation by use of distinguishing sign or mark.
The Intellectual Property Office (IPO) was recently hit with this exact type of invoice fraud when an organisation that called itself the “Intellectual Property Agency Limited” (IPAL) was incorporated.
As a legitimate government agency, IPO is responsible for intellectual property rights in the UK. IPAL deliberately exploited the business they served however by creating a similarly named organisation and representing themselves using a logo that was much the same to “pass off” their identity as IPO. They then sent out unsolicited invoices to holders of patents and trademarks offering to renew their intellectual property rights. The invoices were designed to look like legitimate reminders from the IPO, and so since customers thought they came from an official source, they believed they had to use (and pay) for the services offered. Thankfully IPAL at least legitimately renewed the relevant marks with the IPO, but of course the fees they charged for the “renewal” were significantly higher, sometimes by as much as five times.
In total, 946 patents or trademarks were renewed by IPAL. This included 114 instances where companies had, in addition to paying IPAL, paid a renewal invoice direct to the IPO.
Despite the fact that as invoice fraud goes, passing off fraud is very difficult to prevent, there are still a number of valuable lessons that can be learned from this case. Had a handful of actions been taken in the three biggest areas of fraud protection – people, process and technology – this situation could have been identified and stopped much earlier.
- It is relatively easy to cause confusion between a genuine company or internet domain and a fake one, and this extends to email addresses where email@example.com could be mistaken for firstname.lastname@example.org. There is little to no software that could sensibly manage the risk of subtle changes to email addresses used as part of a scam to defraud an individual or company. Staff need to be aware to check email addresses for anomalies.
- The fraud exploited a lack of awareness of the correct procedure for renewing trademarks and patents. This is not surprising as the renewal takes place every 10 years and staff are unlikely to be familiar with suppliers.
- Insufficient due diligence meant that it was possible to onboard a new supplier into the Accounts Payable system with a near identical name to an existing supplier.
- A lack of robust supplier diligence applied to checking renewal fees for accuracy. Obtaining comparable supplier quotes would highlight the uncompetitive nature of the IPAL reminders.
- There was a widespread process failure that allowed 114 organisations to duplicate payments for the same service. It is possible that different individuals within each organisation were responsible for making or authorising these payments. Companies need to consider their payment authorisation processes to ensure that senior management have visibility of all payments, without sacrificing appropriate segregation of duty controls.
- Reconciliation of invoices against purchase orders could immediately identify that these were unsolicited reminders with an incorrect counterparty to the real renewal transaction.
There’s no question that the statistics surrounding payment fraud are getting worse with each passing day. Threats such as payroll and payment diversion fraud are making it increasingly difficult to secure payments across the digital enterprise, and invoice is just another part of the challenge. Whilst passing off is very hard to prevent, stronger reconciliation processes combined with more robust diligence provide organisations with comprehensive controls that can help to reduce the risk of losses occurring as a result of this type of scam.