Invoice scams targeting businesses are rising sharply around the world for one simple, unfortunate reason: they often work. It's no surprise that property companies and commercial tenants are quickly becoming prime targets. Commercial property invoices such as rent typically have a high value and a predictable payment schedule, making them very attractive to scammers.
We've recently noticed an uptick in reports from our customers of them or their tenants being hit by invoice fraud and other payment scams, along with requests for advice. So let's take a quick look at what these scams look like, how they work, and how you can protect your business and your tenants from them.
Types of scams
There are a few variants of this scam, but the common goal is to trick a tenant, via email, into paying rent or other payments to the scammers instead of the property company. This is done by compromising email accounts through common credential-harvesting attacks such as phishing, and then impersonating the property company. The two primary methods we are hearing about are:
Scammers gain access to a property manager's email account
They’ll silently monitor the emails for a number of weeks to see when large payments are due. The scammer then sends an email from the property manager's email address asking the tenant to pay into a different bank account.
Scammers gain access to a tenant's email account
The scammer will then intercept an incoming invoice, remove it from the tenant's inbox, and change the bank account details on the invoice to the scammer's bank account. They then re-send the altered invoice, with the new bank account details, to the tenant.
In both cases, this is usually an invoice or payment the tenant was expecting (such as rent), and it appears to come from the property manager that it’s supposed to. The only visible difference is the bank account number on the invoice.
Some scammers are covering their tracks by setting up auto-forwarding rules on the compromised email account. If a tenant replies to the email questioning the bank account change, the scammer can reply to them directly without the property manager knowing.
Scammers are also setting up filtering rules to delete all their sent mail so their messages can’t be discovered.
What to look for
The following checks will help you spot unusual activity on your email accounts:
- Check auto-forwarding rules on email accounts, especially accounts relating to accounts receivable. Look for any forwarding rules to addresses you are not familiar with.
- Check filtering rules on email accounts. Look for any rules that you did not set up, particularly ones that delete or move messages.
- Check your email access logs for any unusual login behaviour, particularly odd login times and unexpected or foreign IP addresses.
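As an added example (not part of the original post), the following Python script applies the three checks above to constructed sample data: an exported list of mailbox rules and a few sign-in log lines. The company domain, business hours, home country and the rule/log field layout are assumptions; every mail platform exports rules and logs in its own format, so the parsing would be adapted to yours.

```python
import re
from datetime import datetime

COMPANY_DOMAIN = "example-property.com"   # assumption: your own email domain
BUSINESS_HOURS = range(7, 20)             # assumption: 07:00-19:59 in the log's timezone (UTC here)
HOME_COUNTRIES = {"NZ"}                   # assumption: where staff normally sign in from

# Constructed sample data: mailbox rules as a mail administrator might export them.
# "from" is the rule's sender condition (None = applies to all senders).
RULES = [
    {"mailbox": "ar@example-property.com", "name": "Backup", "forward_to": "ar.backup@mail.example", "delete": False, "from": None},
    {"mailbox": "ar@example-property.com", "name": "Tidy", "forward_to": None, "delete": True, "from": "ar@example-property.com"},
    {"mailbox": "pm@example-property.com", "name": "Newsletters", "forward_to": None, "delete": False, "from": "news@vendor.example"},
]

# Constructed sample sign-in log lines (one sign-in per line, documentation IP ranges).
ACCESS_LOG = """\
2024-03-04T09:12:45Z user=ar@example-property.com ip=198.51.100.4 country=NZ result=success
2024-03-04T03:40:02Z user=ar@example-property.com ip=203.0.113.7 country=XX result=success
2024-03-04T10:05:10Z user=pm@example-property.com ip=198.51.100.9 country=NZ result=failure
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) country=(?P<country>\S+) result=(?P<result>\S+)$")

def suspicious_rules(rules):
    """Return (mailbox, reason) for the two rule patterns described in the post."""
    findings = []
    for r in rules:
        fwd = r["forward_to"]
        # Forwarding to an address outside the company domain leaks the mailbox to an outsider.
        if fwd and fwd.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN:
            findings.append((r["mailbox"], f"rule '{r['name']}' forwards to external address {fwd}"))
        # A delete rule keyed on the owner's own address hides the messages sent in their name.
        if r["delete"] and r["from"] == r["mailbox"]:
            findings.append((r["mailbox"], f"rule '{r['name']}' deletes the mailbox owner's own mail"))
    return findings

def suspicious_logins(log_text):
    """Return (user, reason) for successful sign-ins at odd hours or from unexpected countries."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["result"] != "success":   # failed attempts are noise for this check
            continue
        hour = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).hour
        if hour not in BUSINESS_HOURS:
            findings.append((m["user"], f"sign-in at {m['ts']} outside business hours from {m['ip']}"))
        if m["country"] not in HOME_COUNTRIES:
            findings.append((m["user"], f"sign-in from unexpected country {m['country']} ({m['ip']})"))
    return findings

if __name__ == "__main__":
    for who, why in suspicious_rules(RULES) + suspicious_logins(ACCESS_LOG):
        print(f"{who}: {why}")
```

Each finding is a starting point for a conversation with the account owner, not proof of compromise; a rule or login nobody can explain is the signal to act on.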
How to avoid being scammed
Prevent e-mail compromise by practicing good security hygiene:
- Use two-factor authentication on your e-mail accounts.
- Make sure all email passwords in your business are strong and not used anywhere else.
- Encourage staff to use a password manager.
- Ensure all staff complete basic security awareness training covering topics such as phishing, two-factor authentication, and password management.
Improve your invoice payment processes:
- If a business tells you they have a new bank account number, always double-check it with the business over the phone or by text.
- Look on the business's website for their phone number, in case the scammers have changed the phone number on the e-mail/invoice as well.
- As a general practice, implement processes for managing payments over a certain amount. For example, the process could involve needing two people in your business to review the invoice, and to confirm the details over the phone with the business.
- For Re-Leased customers, consider adopting Re-Leased Pay for securely accepting tenant payments. This ensures the payment is made to your correct bank account only.
What to do if you think you or your tenant is being scammed
When you’re expecting a payment or have made a payment and it hasn’t been received, it’s possible you’ve been affected by this scam.
If you’ve made the payment:
- Call the business, confirm whether the payment has been received, and check that you have the correct bank account details.
- If the bank account details don’t match, immediately call your bank and see if you can get the payment stopped. In some instances, it’s possible to recover the money if it’s caught early enough.
- Report the incident to your IT department and consider engaging an IT security specialist so that they can begin an investigation of any potential breach of your e-mail systems.
If you're expecting the payment:
- Call the tenant making the payment and check the bank details they sent the money to.
- If the bank account details don’t match, advise the tenant to immediately contact their bank and see if they can get the payment stopped.
- Advise the tenant they should report the incident to their IT department and consider engaging an IT security specialist company so that they can begin an investigation of a potential breach of their e-mail systems.