Using artificial intelligence (AI) to vet supplier invoices promises to stop business email compromise (BEC) attacks and fake invoice scams in their tracks, industry experts have advised as Australian small businesses reel from one successful payment redirection scam after another.
Such attacks – in which fraudsters amend invoices to include their own account details, or emulate legitimate suppliers or executives to send fraudulent invoices or payment instructions to victims – have become increasingly common in Australia, with the ASD Cyber Threat Report 2022-23 noting that more than 2,000 BEC attacks were reported to government cyber security incident portal ReportCyber during fiscal 2022-23 alone.
Those attacks incurred cumulative losses of over $80 million, with an average of $39,000 per victimised business.
That amount is only set to increase as cyber criminals tap generative AI (GenAI) tools to develop ever more convincing ways to pressure victims into paying up – and even use AI-based tools like a recently discovered ‘invoice swapper’ from cyber crime group GXC Team that automatically scans compromised email accounts for invoices, substitutes the scammer’s bank account details, then emails the doctored invoice to the victim.
Because many companies vet and pay supplier invoices manually, they are sitting ducks for well-equipped cyber criminals, warns Alexander Attard, head of sales and client relations at PNORS Technology Group – which has been integrating and tweaking AI capabilities designed to keep the company’s hosted Clearway accounts payable automation portal one step ahead of the scammers.
“If you’re an old school company where you’re validating invoices in-house using your own systems, the propensity to get scammed and hit by fraud is extremely high,” Attard told Information Age.
“You’d be surprised just how many companies out there are doing accounts payable through legacy systems; it’s all relying upon human nature.”
By automating the processing and payment of invoices, businesses can extract and cross-check details including account details, business names, addresses, and more – providing a broad range of data points that an AI engine can use to sniff out unexpected variances.
“AI,” Attard explained, augments conventional accounts payable automation because it “enables our databases to learn what are valid invoices against those that are not valid.”
The telltale signs vary from scam to scam – but in the case of one customer for whom PNORS was processing around 35,000 invoices per month, Attard said, scammers exposed themselves when they sent a fake invoice that was far higher than any others previously received from that supplier.
Alarm bells rang, and the fraud was detected – and it’s something that experts believe will become more common as businesses get smarter about the way they manage, vet, and pay their invoices.
Taking the fight to the fraudsters
Whether scamming companies of small amounts – or going for broke as they try to redirect car settlements, house deposits and other large payments – BEC scammers have racked up numbers so significant that the ACCC recently issued an advisory that Australians check payment details directly with a company before paying them.
Scammers “are becoming more targeted in how they exploit Australian consumers and businesses,” ACCC deputy chair Catriona Lowe said in warning that the scam “is hard to detect because the scammer will either hack into the email system of the business or impersonate the business’s email address by changing as little as one letter.”
As losses continue to grow – the FBI’s latest Internet Crime Report noted 21,489 BEC complaints with losses of more than $4.5 billion ($US2.9 billion) – vendors are adopting AI and a range of other technological measures to help would-be victims detect invoice scams before they bite.
Last year, for example, 17 Australian banks launched a Fraud Reporting Exchange designed to improve fraud detection and loss prevention, while the Australian Banking Association (ABA) has launched a Scam-Safe Accord to disrupt criminal scam activity.
“There has been a very significant uptick in the level of discussion around fraud and scams” amongst banking executives,” Jonathan Tanner, senior director and industry principal for financial services and insurance with Pegasystems, said, noting that new rapid payment services had helped scammers move fraudulent gains faster than ever.
For its part, the Commonwealth Bank of Australia began cross-checking the identity of payees with their account details – an approach that Tanner called “a really positive step forward.”
“There’s always a bit of consequence when you take the human out of the loop or you take time out of the loop,” he said, “but some of those automation solutions are pretty sophisticated.”
As Pegasystems joins the rush to integrate GenAI technologies into its fraud detection tools, Tanner said, banks will be able to more easily generate reports for regulators and customers – and to streamline fraud detection and reporting.
“That’s where the banks have got a pretty strong part to play, and I think they are really taking that very seriously at the moment,” Tanner said, noting that AI is driving the adoption of “more sophisticated tooling” that will improve the speed and accuracy of fraud detection.
And none too soon, he adds: “It’s a scary world we’re in at the moment.”