Altered invoice scams

Altered invoice scams can be tricky to spot as they're usually an invoice or request for payment that you were expecting. The invoice also looks like it's come from the business that it’s supposed to. The only visible differences are:

• The bank account number has been altered on the invoice.
• You may receive a follow up email from the business requesting to change their account number.

• If you're sending invoices:
  • Monitor incoming payments to ensure any discrepancies are picked up early.
  • Monitor email logins for any unusual activities.
  • Manage your online security including employee passwords. Use multi-factor authentication where possible.

• If you're paying invoices:
  • Check every invoice before paying.
    • Confirm the invoice is for goods or services that were requested by your business or household.
    • Check that the goods or services have been received.
    • Determine if the invoice is from new supplier or an existing supplier who has indicated that their payment details have changed. In both cases, check they payment details by calling the business phone number listed on the official website, not the number on the invoice.
    • If it's a recurring invoice, cross-check that the invoiced amount is roughly what you normally pay.
  • Use Confirmation of Payee when making payments online. This step in the online payment process asks you to to check that the account owner name matches the account number of the person or business you're paying. If it comes back as 'Not a match', we strongly encourage you to consider whether you know and trust the payee. If you continue with the payment, you could send money to the wrong place and it might not be recoverable.

• If you're sending invoices:
  • Communicate verbally if your business changes its bank account number.
  • Strengthen your email security with strong passwords and two factor authentication where possible.
  • Set up logging on your business’ email to track unusual log in attempts and pay particular attention to strange log in times.
• If you're paying invoices:
  • Limit the number of people in your business who are authorised to make purchases or pay invoices.
  • Check every invoice before making payment.
  • Establish a process for checking new payees as well as any existing suppliers when they change their payment details.
  • Have a list of suppliers you use and if you're a business, get new suppliers approved before using them. When you receive an invoice, check the supplier against this list to make sure the invoice is from an expected supplier.