The Aramco-ONGC Fake Invoice Case

Fake Invoices

Fake Invoices: The New Monster Indian Companies Have to Face?

As we launched our new service, Email Auto Protect, we had to study a lot of previous invoice fraud cases. The losses were huge, the number of victims well beyond anything we’d imagined. There was one particular case of a Saudi Oil giant that caught our eye. Read on to gain a little more clarity on the nature of fake invoice scams.

The Saudi Aramco Fake Invoice Case

A little while ago, the Saudi Aramco, one of the largest fuel organizations in the world, received an invoice for the amount of Rs 197 crore from India’s ONGC (Oil & Natural Gas Company). The invoice was exactly similar to other invoices Aramco had received from ONGC in the past. What the executives at Aramco who received the invoice failed to notice, was that it had come from a spoofed email id. It was the normalcy of the entire thing — invoice comes, invoice looks proper, invoice is paid — that made Aramco lose the entire sum of 197 crores to a hacker. The executive released the funds as usual, without realising that he was sending the amount into a wrong bank account.

It was only two weeks later that the full gravity of the situation surfaced. ONGC sent a reminder to Aramco for the pending payment. Chaos probably ensued, and then Aramco realized their mistake.

What Can We Learn From this Case?

The first thing to notice here is that fraudsters rely on the routine aspect of invoicing to successfully slip in a fake invoice. A giant like Aramco would have to deal with countless invoices. It does not seem humanly possible that the executive in charge would remain alert while paying all of the invoices. You must have observed another thing: the stakes are huge. The hacker, without having had to move a muscle, was suddenly in ownership of a staggering 197 crore. But one thing is sure, such fraud invoices are not noticed until it is too late. Often, it is the supplier itself who asks for confirmation of payment. In this case, ONGC didn’t. It was the buyer — Aramco — who sent a payment reminder. As per business etiquette, the buyer waited a polite number of days before nudging for payment. By this point it was too late.

Authorities Speak on Fake Invoices

“This is an alarming phase, since we see such cases crop up every day – this is a very realistic and evident cyber-crime challenge that India is facing,” said Amit Jaju, Executive Director, fraud investigation & dispute services, at a London-based professional services company.

“We have seen payments in the range of $100,000 to $200,000 being made to hackers. We have witnessed instances where genuine invoices were tampered with and injected into an email chain,” he said. He went on to remark that one of the biggest reasons for the rise in such attacks is the simplicity behind it. The world is slowly going cashless. There is more reliance on digital transactions, an avenue cyber-criminals know how to exploit.

How can Email Auto Protect help you?

The size of your organization stops mattering. As we saw before, pulling off invoice fraud is relatively easy, with a large turnout for the criminals. Since every company in the world deals with invoices, every company in the world is a potential target. Invoice fraud or scam can only be prevented by establishing a process or a protocol between the supplier and the buyer.

The process is as follows –

Step I – Subscribe to Email Auto Protect solution from Logix

Step II – Assign a designated email id (preferably) which will be used to send invoices. If you have any Application/ ERP for invoicing, rather than emails, you can easily configure it with Email Auto Protect.

Step III – You are all set. You can start sending invoice attachments with the designated email id.

Inform the buyer that the invoice will be delivered to the intended recipient who will be able to view the Invoice in Rights Protected mode, and with the watermark.

Step IV – The most important step is to ensure that the buyer does not honor/act on any invoice or payment related communications which is not following the norms of the Rights Protected protocol. If the invoice does not contain a watermark, or is not locked in View Only mode, you can easily make out that something is wrong. Now, any buyer can immediately identify fake invoices.

By following the above steps fake invoice accidents can be prevented.

Leave a Reply

Your email address will not be published. Required fields are marked *

Continue to chat
Hello 👋
Let us know how we can help you!