Fake invoices turn nightmare for Indian firms

Varun Aggarwal Mumbai | Updated on January 22, 2018 Published on December 07, 2015

Hackers mostly target firms that make international transactions throughinternational banks, thus delaying investigations SERPEBLU/SHUTTERSTOCK.COM

Without means for due diligence, entrepreneurs have made payments up to $200,000 to hackers

In September, an executive at Saudi Aramco, one of the largest oil companies in the world, received an invoice of ₹197 crore from India’s ONGC.

The invoice was exactly like the regular invoices Aramco had previously received from ONGC, but this one came from a fake email id, which was enough to dupe Aramco and have the payment transferred to the hacker’s account.

It was only a fortnight later when ONGC asked Amarmco for the payment that it got to know the payment was made to someone else, who claimed to be from ONGC. While this was one of the first cases of its kind the Mumbai police had seen, it is definitely not the only one.

According to experts, hundreds of Indian companies are falling prey to such attacks and are losing anywhere from a few thousand rupees, up to a few crores, in what seems to them like a genuine payment transaction.

Increasing threat

“This is an alarming phase, since we see such cases crop up every day – this is a very realistic and evident cyber-crime challenge that India is facing,” said Amit Jaju, Executive Director, fraud investigation & dispute services, EY.

“We have seen payments in the range of $100,000 to $200,000 being made to hackers. We have witnessed instances where genuine invoices were tampered with and injected into an email chain,” he said. One of the biggest reasons for the rise in such attacks is how simple it is to execute, and the fact that more and more enterprises are moving towards digital payments without proper checks in place.

“Enterprises need to have a three-way match between the purchase order, Invoice and material receipt, before issuing any payment, to avoid such instances,” said Sivarama Krishnan, Partner (Risk Advisory Services), PwC India, who noted that many of these frauds are committed using social engineering techniques and basic computer skills. In a typical case, the account’s head or the CFO receives an email from the company’s CEO or Chairman, asking them to make a payment to a certain vendor.

The CFO checks the invoice and makes the payment without realising that the email was from a hacker who had masked the email address to appear to be coming from the CEO. Even the invoice is an exact replica of the original vendor invoice, with only the bank account number changed.

“In other cases, we have witnessed hackers getting access to the ERP system and changing payment details – thereafter payments happen automatically. This, however, is the toughest thing to do,” Jaju said.

Hard to detect

Often, the company doesn’t notice these frauds for weeks, which gives the hackers enough time to encash the money and disappear.

Even if the attacker gets identified, it is almost impossible to get the money back.

“Hackers mostly target companies that frequently make international transactions, so that payments are done to international banks, delaying any investigations.

“Since both the hacker and the companies involved are usually international, it is difficult to even get a case registered in India,” said Advocate Prashant Mali, Cyber lawyer and cyber security expert, who said many of his affected clients often decide to claim insurance for the loss rather than reporting the incidence.

Current figures

According to the Reserve Bank of India, 9,500 cases of credit cards or ATM/debit cards, and 9,362 cases of Internet banking frauds were reported during 2013-14 and April-December 2014, respectively.

This resulted in losses of ₹78 crore and ₹60 crore in 2013-14 and April-December 2014, respectively.

However, the ONGC case alone overshadows all these cases in the last one year and it is believed such attacks are only likely to increase.

Published on December 07, 2015
This article is closed for comments.
Please Email the Editor