Supplier invoice fraud continues to present a significant threat to businesses in the UK. UK Finance has reported that invoice fraud losses hit £50.3m in 2023, an increase of 2% on the previous year.
Invoice fraud tends to arise in circumstances where either (i) a fraudster sets up an email address that is very similar to the actual supplier’s email address or (ii) the supplier’s genuine email address is hacked. In both circumstances, the fraudster will tend to change the payment details in the invoice so that the payment is sent to the fraudster’s bank account.
What is the contractual position?
When invoice fraud has taken place, the supplier may allege that the customer is in breach of contract for failing to pay the invoice amount and seek to bring a claim against the customer for the outstanding amount.
It is important to check the terms of the contract to see whether it allocates the risk for invoice fraud and/or stipulates the manner in which payment is to be made for goods or services. This is likely to be the starting point for any decision made by the Court.
What have the Courts said?
One example of a case where invoice fraud has been considered is the County Court case of J Brazil Road Contractors v Belectric Solar Ltd. In this case, a supplier’s email account was hacked and the account details on the invoice were changed. The customer paid the invoice amount to the account shown on the invoice as amended by the fraudster. The Court ultimately found that the customer was still liable to the supplier for the amount on the invoice on the basis that the supplier was completely unaware that the interception had occurred.
In other cases, the Court has taken the approach that if a customer is able to demonstrate that the supplier was aware that its email account had been hacked and continued to use the account, the supplier is much less likely to be entitled to payment.
How can I protect my business from invoice fraud?
If you are a supplier issuing invoices, we would recommend that you have a provision in your terms and conditions making customers aware of how any changes to your payment details will be communicated. You may also wish to put in place a cyberfraud policy so that your customers are aware of the steps they should take prior to making payment, and to ensure that your business implements ongoing security measures to keep your email account secure.
If you are a customer making a payment, always phone the person or company on a trusted number to confirm any account details you’ve received. Also make sure the name on the account matches the company or person you’ve been dealing with.
What should I do if I have been a victim of invoice fraud?
If you discover that you have been affected by invoice fraud, there are a number of steps that can be taken to try to mitigate the situation:
- Immediately notify your bank
- Report the fraud to Action Fraud and obtain a crime number
- Check your insurance policies and make an insurance notification if you have relevant cover
In view of the fact that this is a new and evolving area of law and very case specific, we would always recommend that you seek legal advice at an early stage.
This article was written jointly by Catherine Mathews, partner, and Laura Stanley, associate, in our Commercial Dispute Resolution team. If you wish to discuss anything mentioned in this article, please contact the team, who will be happy to help.