Survey reveals threat of bogus invoices high among cyber risks to business

Out-Law News | 07 Mar 2016 | 3:39 pm | 3 min. read

Nearly three quarters of UK businesses have received bogus invoices in a sign of the threat of fraud businesses face from social engineering and cyber criminals, according to a new report.

The Institute of Directors (IoD) surveyed 980 of its members in December and found that 72% said they had received bogus invoices.

The findings were contained in a new report on cyber security it has published. That report said that one in eight IoD members "experienced damage due to a cyber attack that interrupted business" last year and that 11% of those that fell victim to cyber crime experienced a financial loss.

"This shows the extent of social engineering and how the internet can be used to defraud businesses," the IoD said. "Along with false house purchase completion requests for solicitors this is truly alarming. This is why human interaction with technology needs to be failsafe and why cyber is becoming a largely human problem."

Civil fraud and asset recovery expert Alan Sheeley of Pinsent Masons, the law firm behind Out-Law, said that the level of bogus invoices being sent to businesses and their potential to cause financial loss was worrying. He said, though, that the IoD's report did not clarify the extent to which the bogus invoices resulted in financial losses, or whether those who did suffer financial loss took action to recover their losses.

Sheeley said it is important for businesses to have "proper systems and controls in place to prevent bogus invoices being acted upon".

"Some practical measures to deal with bogus invoices are to implement guidelines whereby any change to a supplier’s bank account details must be provided on the supplier’s letter-headed paper, detailing the change from the previous bank account to the new bank account, and signed by a member of the supplier’s finance team," Sheeley said. "That finance team member should be an individual who has previously liaised with the business and ideally be a senior individual."

"In addition, once this document is received, the business should verify the information by calling the designated person in the supplier’s finance team to verify whether there has been any recent correspondence to the business and, if so, what the content of that correspondence is. The change in details to the bank information should be verified over the phone before being actioned. Whilst this may seem like an arduous process for some businesses, a change in bank details should not be acted upon without careful consideration. This should become commonplace amongst all businesses to reduce the chances of falling victim to cyber crime and fraud," he said.
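The control Sheeley describes can be expressed as a payment-release gate, shown here as an added example that is not code from the IoD report, Pinsent Masons or Out-Law. The supplier record, the fraudulent letter and the genuine change request are constructed sample data. One rule goes beyond the quoted advice and is this example's own assumption: the verification call must go to the contact number the business already holds on file, never to a number printed on the letter, because a fraudster controls everything on the letter. The weak handling (calling the letter's number) and the correct handling are run side by side so the difference in outcome is visible.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Supplier:
    name: str
    account: str           # bank details currently on file (constructed sample value)
    finance_contact: str   # named finance person the business has dealt with before
    phone_on_file: str     # taken from existing records, never from an incoming letter


@dataclass
class ChangeRequest:
    supplier: str
    old_account: str
    new_account: str
    signed_by: str
    on_letterhead: bool
    phone_in_letter: str   # whatever number the letter asks the business to call


@dataclass
class Callback:
    number_called: str
    change_confirmed: bool  # contact confirmed both the correspondence and the new details
    approver: str           # the person in the business's own finance team who made the call


def review_change(supplier: Supplier, req: ChangeRequest,
                  callback: Optional[Callback]) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Every failed check is listed so the reviewer
    sees the whole picture rather than only the first problem."""
    reasons = []
    if req.supplier != supplier.name:
        reasons.append("request names a different supplier")
    if req.old_account != supplier.account:
        reasons.append("'previous' account in the letter does not match our records")
    if not req.on_letterhead:
        reasons.append("request is not on the supplier's letterhead")
    if req.signed_by != supplier.finance_contact:
        reasons.append("signatory is not the finance contact we have dealt with before")
    if callback is None:
        reasons.append("no callback verification has been recorded")
    else:
        # Assumption added by this example: the call must use the number on file.
        if callback.number_called != supplier.phone_on_file:
            reasons.append("callback went to a number not held on file")
        if not callback.change_confirmed:
            reasons.append("contact did not confirm the change")
    return (not reasons, reasons)


def apply_change(supplier: Supplier, req: ChangeRequest, callback: Optional[Callback]) -> bool:
    """Update the account on file only when every check passes."""
    approved, _ = review_change(supplier, req, callback)
    if approved:
        supplier.account = req.new_account
    return approved


def payment_allowed(supplier: Supplier, invoice_account: str) -> bool:
    """Pay only to the account on file; an invoice quoting any other account is held."""
    return invoice_account == supplier.account


def demo() -> dict:
    acme = Supplier("Acme Ltd", "12-34-56 11111111", "J. Smith", "+44 20 7946 0000")
    # Constructed fraudulent letter: letterhead and signatory copied from earlier
    # correspondence, a new account, and a number the fraudster controls.
    bogus = ChangeRequest("Acme Ltd", "12-34-56 11111111", "98-76-54 22222222",
                          "J. Smith", True, "+44 20 7946 0999")
    # Weak handling: the clerk calls the number printed on the letter and the
    # fraudster "confirms" the change.
    weak = Callback(number_called=bogus.phone_in_letter, change_confirmed=True, approver="clerk")
    weak_ok, weak_reasons = review_change(acme, bogus, weak)
    # Correct handling: call the number on file; the real contact sent no such letter.
    proper = Callback(number_called=acme.phone_on_file, change_confirmed=False, approver="clerk")
    proper_ok, proper_reasons = review_change(acme, bogus, proper)
    # Until a change is approved, an invoice quoting the new account is not paid.
    pays_to_new = payment_allowed(acme, bogus.new_account)
    # A genuine change, confirmed by the known contact on the number on file.
    genuine = ChangeRequest("Acme Ltd", "12-34-56 11111111", "12-34-56 33333333",
                            "J. Smith", True, "+44 20 7946 0000")
    confirmed = Callback(number_called=acme.phone_on_file, change_confirmed=True,
                         approver="financial controller")
    genuine_ok = apply_change(acme, genuine, confirmed)
    return {"weak_approved": weak_ok, "weak_reasons": weak_reasons,
            "proper_approved": proper_ok, "proper_reasons": proper_reasons,
            "paid_to_unverified": pays_to_new,
            "genuine_approved": genuine_ok, "account_after": acme.account}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the two runs make is that a callback is only a control if the number dialled comes from the business's own records; calling the number on the letter simply asks the fraudster to approve their own request.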

Sheeley said that there are also steps businesses can take to recover losses suffered if they do fall victim to fraud or cyber crime.

"For example, in respect of a bogus invoice which results in a payment to a fraudster’s bank account, civil fraud and asset recovery solicitors can obtain Norwich Pharmacal Orders against the recipient bank to identify details relating to the fraudster’s account and also obtain freezing orders to prevent the dissipation of those funds from that account," Sheeley said. "The response time of a civil fraud and asset recovery solicitor is likely to be much quicker than the police and therefore ultimately increase the chances of a successful recovery of funds for the business."

According to the IoD's report, just 28% of cyber attacks are reported to the police.

Sheeley said: "Until the authorities improve their ability to react quickly to a fraud and recover victims’ losses, businesses have an obligation to their shareholders and stakeholders to take immediate action to recover their losses. Businesses must be prepared to prevent, detect and respond to a crisis, whether emanating from cyber crime or fraud generally."

According to the IoD's report, 57% of the members it surveyed said their business had a formal cyber or information security strategy, and 49% said they provided cyber awareness training for staff.

However, 43% of respondents said they "didn’t know where the data was physically stored". The IoD said this was "a truly frightening statistic".

"It effectively means businesses are losing control of their organisation’s data which may well be the biggest asset of a business," the IoD said.

Separately, a report by the International Organisation of Securities Commissions (IOSCO) identified the growing cyber risk in the securities market.

"Focus on the impact of cyber attacks in securities markets is expected to accelerate as these things occur: the role of technology in the provision of financial services deepens; interdependency and interconnectedness of the financial system grow; and the range of motivations behind cyber attacks widens," IOSCO's Securities Markets Risk Outlook 2016 said.

One section of IOSCO's report identified the particular risks that arise when cyber attacks target important payment systems.

"Payment systems are becoming less bank-centric and more diverse, increasing the entry points for those looking to steal, divert, or disrupt payments," IOSCO said. "Continued threats to payment systems may erode user confidence, increasing transaction costs and, hence, efficiency of the system. In an extreme case, this could crystallise in settlement failures affecting the ability of financial institutions to make payments to other parties, including their customers. Such failures, if sufficiently large, could cause liquidity shortages and significantly disrupt the financial system."