Fraudulent invoices/change of account number

Be careful when communicating with suppliers by email.

An email that at first appears to have been sent by a supplier may in fact be fraudulent. It may trick you into making a payment to a fraudulent account, or into changing the supplier’s account details in your records so that a subsequent payment is made to that fraudulent account.

This is how the scenario typically unfolds: The person responsible for paying invoices (the fraudster has found out who this is online) receives an email that appears to have been sent by a supplier known to them. The email states that the account number for invoice payments has changed. In some cases, an invoice with the company’s logo, sometimes even including the company’s stamp, is also sent. The accountant or accounts payable clerk notes the change and begins making payments to the new account, believing it to be correct. Alternatively, the accountant or accounts payable clerk simply receives an invoice requesting payment directly and, believing the email with the invoice was sent by the supplier, pays the attached invoice.

Unfortunately, companies do not find out that payments have been made to a fraudulent account until the real supplier begins sending payment reminders (it may be two months before the first reminder is sent and several payments may have already been made by then).

Our recommendations:

  • Click on ‘sender’ in the email – instead of the name, the true email address will appear. Check this email address against the contact details you have for that person. 
  • Search for the account number quoted using your internet browser. Most companies publish their account numbers on their website. 
  • Call the supplier’s representative and verify that they are in fact changing their account number. Do not call the number in the email. Call a number you have used in the past to contact the supplier (e.g., a number listed in a previous email which you know is authentic). 
  • Alternatively, agree with your suppliers and customers that any invoices sent will be protected by a password and that this password will be sent by a separate channel (e.g., via SMS, hangout, etc.), or mutually agree on that password upfront in your contract for the goods/services. 
  • Visit the relevant company’s website. Most sizeable companies publish their account number or any changes to it there.
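
The first two checks above can also be run automatically before an invoice reaches the payment queue. The following is an added example, not part of the original advisory: it compares the true sender address and any account number quoted in the email against the supplier record already on file. The supplier name, addresses, account numbers and function name are constructed for illustration, and the pattern assumes Czech-format IBANs.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed supplier record (assumption): contacts and account already on file.
SUPPLIERS = {
    "Acme Supplies": {
        "emails": {"billing@acme-supplies.example"},
        "iban": "CZ6508000000192000145399",  # sample value, not a real supplier's
    },
}

# Czech-format IBAN: country code, 2 check digits, 20 digits, optionally spaced.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?\d{4}){5}\b")


def check_payment_email(raw, suppliers):
    """Return findings; any finding means hold payment and call a known number."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    record = suppliers.get(display)
    if record is None:
        return ["unknown-supplier"]
    findings = []
    # The display name is free text chosen by the sender; compare the address only.
    if addr.lower() not in record["emails"]:
        findings.append("sender-address-mismatch")
    # Normalise every account number quoted in the body and compare with the record.
    quoted = {m.replace(" ", "") for m in IBAN_RE.findall(msg.get_payload())}
    if quoted - {record["iban"]}:
        findings.append("account-number-differs")
    return findings


# Constructed sample messages.
CHANGE_NOTICE = (
    "From: Acme Supplies <acme.billing@mail.example>\n"
    "Subject: Change of account number\n\n"
    "Please pay future invoices to CZ55 0800 0000 0012 3456 7899.\n"
)
GENUINE = (
    "From: Acme Supplies <billing@acme-supplies.example>\n"
    "Subject: Invoice 2024-017\n\n"
    "Invoice attached. Pay to CZ65 0800 0000 1920 0014 5399.\n"
)

if __name__ == "__main__":
    for label, raw in (("change notice", CHANGE_NOTICE), ("genuine", GENUINE)):
        print(label, check_payment_email(raw, SUPPLIERS))
```

An empty result does not replace the phone call: a change of account number should still be confirmed with the supplier on a number you already know.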

In the event that you fall victim to this type of fraud:

  • Forward the email to phishing@csas.cz.
  • Contact your banker and request cancellation of the transaction. 
  • File a complaint with the Czech Police.
