Conventional wisdom would suggest that organizations’ AP teams take extreme care to ensure all invoices are valid before approving them for payment. In addition, one would expect that larger organizations with more sophisticated invoice approval processes would be less susceptible to invoice fraud than smaller teams that rely more on manual processes. However, that’s not always the case. In fact, larger organizations may sometimes be easier to target, given the high volume of invoices received, which can reduce the level of scrutiny on each invoice.
It was recently announced that a man in Lithuania defrauded Facebook and Google of a total of $122 million over a three-year period. Of course, this wasn’t just a case of sending out speculative invoices and waiting for a check to arrive in the mail. It was a complex scam involving a combination of research technical skills and social engineering capabilities. From NPR’s article:
“In an indictment unsealed by the U.S. Attorney for the Southern District of New York last week, the Department of Justice alleged that Evaldas Rimasauskas and other unnamed co-conspirators impersonated the Taiwan-based hardware manufacturer, Quanta Computer — with which both tech companies do business — by setting up a company in Latvia with the same name. Using myriad forged invoices, contracts, letters, corporate stamps, and general confusion created by the corporate doppelganger, they successfully bamboozled Google and Facebook into paying tens of millions of dollars in fraudulent bills from 2013 to 2015.”
While this was clearly a very sophisticated operation which required a major amount of both preparation and chutzpah from the perpetrator, there are still ways that organizations can protect themselves from this type of incident.
First, organizations need to establish clear processes and workflows for invoice approval, as well as educating AP team members on how they can be targeted for fraud. Staff need to receive security training to ensure that they have the ability to spot potential attempts at spear phishing and other email-based scams. This alone can be critical for preventing attempted invoice fraud.
However, this approach still relies on an element of human intuition, which is never infallible. By eliminating the reliance on a judgement call to determine if an invoice is valid, organizations can vastly reduce their potential exposure to fraud.
This is where an invoice automation solution becomes a critical tool in the fight against crime. Regardless of how authentic an invoice, contract, or letter may look, they can be forged, and emails purporting to come from trusted sources can be spoofed. However, an invoice management system is this single source of truth, and documents can only be uploaded into the system by authorized users.
Here is where the automation solution delivers the benefits. A fake invoice can be submitted to the AP department, and even uploaded to the system. However, where is the purchase order that proves it’s a valid invoice? A PO is issued either from third-party solution or a PO module within the invoice automation solution, and is then automatically matched with a corresponding invoice using sophisticated optical character recognition and data mapping technology. Any invoice which contains neither a valid PO number, nor has a relevant PO created within the system, will raise immediate red flags for potential fraud. This will then lead to further scrutiny from the AP team, such as a phone call to the internal requester listed on the invoice to find out where it is (or not).
Read more: Leverage AP Automation for the Perfect Match
For physical goods, such as the computer hardware described in the story above, there is yet another layer of protection. Using three-way matching, the invoice tool will not only match the invoice with the PO, but also with the receiving document which was delivered with the goods and uploaded into the system by the organization’s receiving department. As a result, any invoice which has neither a PO nor a receiving document with which it can match will be returned to the “vendor,” who will likely realize that they have been caught, and will move onto their next victim.
- Is Your Organization Taking Fraud Seriously Enough?
- What Makes People Commit Expense Fraud?
- HBR Research: How to Use Data to Protect Your Corporate Travel Culture
- Why Does Expense Automation Make Life So Easy?
- 10 Things to Look for on Your Expense Management Shortlist (And Why Chrome River Needs to Be on It)
Our choice of Chrome River EXPENSE was made in part due to the very user-friendly interface, easy configurability, and the clear commitment to impactful customer service – all aspects in which Chrome River was the clear winner. While Chrome River is not as large as some of the other vendors we considered, we found that to be a benefit and our due diligence showed that it could support us as well as any large players in the space, along with a personalized level of customer care.
We are excited to be able to enforce much more stringent compliance to our expense guidelines and significantly enhance our expense reporting and analytics. By automating these processes, we will be able to free up AP time formerly spent on manual administrative tasks, and enhance the role by being much more strategic.