Why an invoice approval process could save you $49,860

Do you remember when the Pope’s puffy jacket was trending? How about the croissant dinosaur? Convincing, no? Fifty-two percent of business owners say they’ve been fooled by AI content. Most is harmless. Some is not.
Since the launch of ChatGPT, companies have received 4,151% more scam emails, and some are quite convincing. They are increasingly written about your actual business, name people who work there, and attach real-looking invoices, like the one below, which we caught.

This is known as a spear phishing email—worse than just “phishing” because it doesn’t target just anybody, it targets someone specific. In this article, we explain how we caught the email and why using a simple accounts payable approval process can protect you too.
Why are scammers targeting accounts payable (AP)?
Spear phishing attacks target your accounts payable (AP) department because it’s the quickest way to get your money. It’s faster and less complicated than holding your company’s systems for ransom, as it hijacks a process you already have. It’s all too easy for you or your team to accidentally send thousands of dollars to a fake vendor before realizing it’s a scam. One in three small businesses were affected by cyberattacks like this last year, says Microsoft.
Protect yourself with two things:
1. An invoice approval process
A good invoice approval process creates accountability by:
- Having person A, who ordered the service, approve the invoice
- Having person B pay the invoice only after approval
It sounds simple, but many businesses don’t enforce this, and it can expose them to spear phishing and hurt their cash flow. If you enforce this process and require vendors to send invoices for you to approve first, it means you can control when you pay—and wait the net 30 days rather than paying immediately with a card or ACH transfer. This keeps more money in your bank and it’s just good business sense.

Plus, do not forget these steps:
- Get the details—When onboarding a new vendor, always identify the right billing contact and contact info: name, title, email, website, and physical address.
- Ask all vendors to add line items to their invoices—That way it’s obvious when you didn’t order something.
- Stay consistent—Ask all vendors to invoice to the same place, such as an email inbox. This makes odd invoices all the more suspicious.
- Pick approvers who actually know the vendor—Otherwise, this process may not work.
2. Write out a phishing policy for your AP team
Phishing scams are difficult to stop because they target your people, who may be less hardened against cybercrime than your software systems. Create a phishing policy that outlines how to verify payment requests, report suspicious emails, and respond to phishing attempts. Then, train your team to recognize phishing scams. They should look out for the tell-tale signs of phishing emails like:
- Pushy and overtly urgent tone
- Weird email or domain
- Odd logo or design
- Strange, ungrammatical wording
- Unusual request for help
- Mention of vague products
Plus, stay safe with these precautions:
1. Don’t click links or scan QR codes
If the email asks you to click to visit their website, don’t. Go there directly. Open a browser and, without copy-pasting anything from the email, find their site on your own via Google search. (Some scammers even set up fake versions of websites.)
2. Don’t trust anyone—instead verify
IT teams call this best practice “zero trust.” By default, trust no one. Inquire kindly. Honest people won’t mind being questioned, whereas scammers will often grow frustrated.
3. Never share passwords
Use a password wallet and two-factor authentication (2FA) settings where the app texts you a verification code.
4. Act immediately
If you’ve clicked an attachment and realize it may be a scam, contact your IT team. If you paid a bill you now suspect is fake, call your bank or bill pay provider to attempt a reversal. If you use an outsourced IT firm, call them. (If you haven’t already, ask them for a 24-hour contact in case you ever need to reset login credentials.)
You can also take these steps to report the scammer:
- Visit IdentityTheft.gov for official guidance.
- Forward phishing emails to the government’s Anti-Phishing Working Group at reportphishing@apwg.org.
- Forward phishing text messages to SPAM (7726).
In any event, an AP process is a good idea
Beyond potentially saving you $49,860 every now and then, a good invoice approval process helps your cash flow. It’s part of being a more serious business and ensuring you’re growing, staying profitable, and having a bit of a buffer in the event a scam does get you.
Have any questions about AP? Found this useful? Write us at info@pilot.com.
