London galleries targeted

Fraud on a big scale is not unique to America or big corporations. Last year, several art galleries in London fell foul of an elaborate scheme involving hacking as well as fraud. In this case, the art galleries and associated clients made payments of up to £1 million to criminals who fraudulently claimed to be acting on behalf of the seller of an artwork that had been purchased. In the conspiracy, which was repeated multiple times, the perpetrators hacked into the email of a gallery and hijacked email conversations that followed a sale. The criminals then sent emails to buyers from the gallery’s email address, informing them that the previous invoices they received were in error, and instructed them to make payment to the hackers’ accounts instead. The fraudsters also ran the scam in reverse, sending emails from artists’ accounts to their galleries, requesting payment for artworks to be made to fraudulent accounts rather than to the artists’ accounts.

One thing that might have helped would have been greater scrutiny by the banks when the fraudsters opened accounts; another is a higher level of awareness of the prevalence of fraud, and perhaps even legislation. For instance, GDPR could result in significant fines for businesses that fail to protect client email addresses and other personally identifiable information.

Don’t trust your emails

This case will cause every business leader to reflect on their company’s reliance on email. The artists and galleries who saw emails coming from trusted email accounts assumed they were secure, but the thieves leveraged this trust to exploit a particular weakness of PDF invoices – their susceptibility to email hacking. Buyers who believe that a PDF coming from a supplier’s email must be valid should realise that it could be as risky as a paper invoice coming through the mail. But what is particularly notable about these cases is the brazenness of their execution and the large amounts stolen. Furthermore, both stories show the importance of having robust financial systems in place.

Invoice fraud is on the rise, as technology brings with it new opportunities for fraudsters as well as for legitimate businesses. Tungsten Network’s own research backs this up – we found that UK SMEs are losing more than £9bn through invoice fraud every year. This amounts to £1,658 per SME. Of those affected, one in six believe the fraud has cost more than £5,000 and 54 per cent of business leaders view it as their single biggest threat.

Businesses concerned about invoice fraud should consider moving over to electronic invoicing. The real strength of adopting a technical solution is that it shifts some of the responsibility for checking an invoice from your finance team to an automated-service provider. Either way, SMEs need to be vigilant. Criminals are becoming more sophisticated and creating elaborate ploys to steal precious revenue. Technology is also on hand to combat many of these schemes. Moving over to an e-invoicing platform is a strategic and forward-thinking move – it will help you reduce the potential for fraud and mistakes, streamline your payment process and free your team to think and work strategically.

Alphus Hinds is head of cyber risk, security and compliance at Tungsten Network