Invoice fraud and CEO spoofing
June 8, 2020
If you stop and think about it, you already know how to beat invoice fraud and CEO spoofing.
It’s not hard for fraudsters to find out business invoice details (even down to payment dates) and then pose as regular suppliers.
You know if the ‘supplier’ contacting you might not be your supplier. You know you should always validate requests to change payment details. You know if something in the request doesn’t quite add up.
If you receive an email from your CEO or another senior member of staff asking you to make an urgent payment outside of normal procedures, don’t automatically follow their lead.
You know if the ‘CEO’ emailing you might not genuinely be your CEO. You know if something in their tone or request doesn’t add up, or if something they’re asking doesn’t feel right. You know you should always validate requests to change payment details.
It’s just that when you’re busy, or under pressure, it’s easy to forget this.
By following some simple steps you can beat the fraudsters:
- Don’t assume an email or phone call is authentic. Are they who they say they are? Is it really one of your suppliers? Is it really your CEO? Take time to think. Take time to check.
- Are they supplying the right information? It’s easy for a criminal to pose as your supplier and ask you to change bank account details, or pose as your CEO, emailing to ask you to make an urgent one-off payment. It’s also easy for you to call your real supplier, or your CEO, and check!
- Listen to your instincts – you know if something doesn’t feel right. If it feels wrong then it probably is. If you suspect a request isn’t from your genuine supplier, always question it. Always validate requests to change payment details or make one-off payments. Take time to call them back on a number you’ve used before.
- Don’t be rushed or pressured into making a decision. Remember to stop and take time to carefully consider your actions.

Section 199 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduced a new corporate offence that significantly raises the bar on fraud risk management. Large organisations can now be criminally liable if an employee, agent, or other associated person commits fraud for the organisation’s benefit, and the organisation did not have reasonable fraud prevention procedures in place.
This is a strict liability offence. Prosecutors do not need to prove senior management knowledge or intent. If fraud occurs and the organisation cannot demonstrate an adequate prevention framework, liability follows.
The only defence: reasonable procedures
The sole statutory defence is that the organisation had reasonable procedures in place to prevent fraud, or that it was reasonable not to have such procedures. In practice, regulators have made clear that “reasonable” will be interpreted robustly. Organisations should be acting now to:
- Conduct a documented fraud risk assessment covering business models, revenue streams, incentive structures, third-party exposure, and jurisdictional risk.
- Design proportionate prevention controls aligned to identified risks, including financial controls, approval thresholds, segregation of duties, and oversight of agents and intermediaries.
- Set the tone from the top, with clear board ownership, senior accountability, and demonstrable commitment to fraud prevention.
- Implement targeted training and communications so employees and associated persons understand fraud risks, red flags, and reporting routes.
- Maintain monitoring, reporting, and review mechanisms, including whistleblowing channels, audits, and periodic reassessment as the business evolves.
- Evidence everything. Policies without implementation, or controls without records, will not support a defence.

Thank you to everyone who attended one of our fraud prevention webinars in 2025. For those who missed them, you can now watch all the recordings at your convenience on the SAFE YouTube channel. Whether you want to find out more about the drivers of fraud, or explore strategies for preventing emerging threats such as dual employment and imposter fraud, we've got a webinar for you. All the links you need are below, and we've included links to additional resources available elsewhere on the SAFE website.

SAFE – Security and Fraud Experts and Dorset HealthCare University NHS Foundation Trust are proud to be part of Project WISE (Workforce Integrity and System Efficiency), a proactive initiative using data and advanced analytics to strengthen fraud detection across the NHS. The NHSCFA estimates that £1.346 billion of NHS funding is vulnerable to loss through fraud, bribery and corruption in England. With fraud posing a significant risk to NHS resources each year, we’ve joined forces with the NHS Counter Fraud Authority and four other NHS organisations across the South East and South West to pilot this first-of-its-kind initiative. The pilot is helping to identify emerging fraud risks and patterns, turning complex data into actionable intelligence that supports local and regional counter fraud teams.


