PhotoThe invoice scam, or bill scam, is a classic form of fraud wherein a scammer sends out fake but real-looking bills or invoices in hopes that the victim will pay the fraudulent bill in addition to various real ones. Such scams usually target businesses or organizations, rather than ordinary individuals – though individuals should still be careful, since “usually” is not synonymous with “always.”

The United States Postal Service estimates that American businesses lose millions if not billions of dollars to invoice scams every year, though of course the scam's very nature makes it hard to accurately measure its total costs, because so many of its victims don't realize they're losing money.

Every day scammers attempt to commit fake-invoice fraud against somebody – indeed, just this week, a church secretary in Texas got her third come-on attempt from would-be scammers who kept faxing fake “social media bills” to her church's financial office – but last week, authorities in both the United States and Australia warned people about an updated form of the invoice scam in which criminals use genuine invoices to cheat victims out of their money.

Church scam

On Monday, KSAT, San Antonio, warned viewers about what it called a “'recycled' church scam” attempt against Zion Lutheran Church, in the town of Kerrville.

Since last September, Zion Lutheran received three bills from “American Yellow Group,” demanding the church pay $496.95 for “Facebook and Twitter features.”

Of course, Facebook and Twitter accounts can both be had for free. Granted, some businesses or houses of worship will hire someone to manage their social media accounts for them — but Zion Lutheran Church in Kerrville never did.

Zion Lutheran's fake invoice came from a company in Bulgaria – which, from the perspective of a church bill-payer in southern Texas, is a pretty reliable indicator that no, this is not a company from whom you've actually bought anything. Service invoices that allegedly come from Bulgaria or other overseas locations can pretty reliably be ignored in such contexts.

Yellow Pages

Not that churches are the only small organizations, non-profit or otherwise, which need to be wary of invoice scams. In Nov. 2012, for example, the Federal Trade Commission went after a Canadian scammer who targeted Americans in what the FTC called a “Yellow Pages scam” – basically in invoice scam in which the fake bills allegedly were for the service of providing a listing in the Yellow Pages.

The FTC shut that one down, but there are plenty more Yellow Pages scammers operating out there. Just this week, in Montana, the Better Business Bureau issued a scam alert after a local business owner reported getting a fake “Collection Warning” demanding money for a Yellow Pages listing. (Perhaps coincidentally, that fake bill also came from a company in Bulgaria.)

Although fake-invoice scams happen all the time, they're still pretty easy to avoid, provided you follow the obvious advice “Do not pay a bill or invoice until you confirm that you (or your organization) actually received the service or item you're charged for.” But the new version of invoice scam is trickier to avoid because the invoices are real, but the payment information is fake. (And many of those genuine invoices actually do come from overseas, too.)

Sophos' Naked Security blog this week explained how one form of this real-invoice scam works:

I email you and tell you that I work for X, one of your suppliers.

X just switched banks, so you should update your database so that future payments no longer go to account Y at bank Z.

Instead, you need to pay them into account P at bank Q.

Then I sit back and wait for the money to roll in.

Heck, I don't even need to bother with fake invoices, because I just wait for X to send you real invoices and for someone else in your accounts department to approve payment...

...straight into my account.

Email compromise

That's not a hypothetical possibility, either. On Jan. 22, the U.S. Internet Crime Complaint Center (IC3) put out an alert about this scam, which it calls the “Business E-mail Compromise.”

How bad is it? From Oct. 1, 2013 to Dec. 1 2014, the IC3 says it received BEC complaints from every U.S. state and 45 countries, a total of 1,198 American victims who lost a combined : $179,755,367.08 U.S. dollars, and 928 non-American victims who lost a combined equivalent of $35,217,136.22 in non-U.S. currencies.

The IC3's report discussed the different variations of the BEC scam: in addition to the fake-bank version described earlier, there are also variations wherein the scammers manage to hack into the email of a company employee or executive, and use that email account to request and divert legitimate invoice payments. In most such cases, the employee never even realized their email was hacked until much later, sometimes not until after the legitimate vendor reaches out to ask about the status of their payments.

In Australia, the ScamWatch team – basically the Australian equivalent to the IC3 – issued a similar alert this week, warning Australian businesses not to fall for what it calls the “Invoice email scam.”

In all such cases, whether the scammers are targeting Americans or Aussies, they tend to be in different countries (usually on different continents) than their intended victims – which, of course, is yet another reason why it's so difficult, if not impossible, to actually catch and prosecute such thieves. All anyone can do is try to avoid falling for the scam in the first place.

Share your Comments