Updated: Jun 11, 2020
Author Debra R Richardson
We all know about fraud in Accounts Payable. Whether it’s fake invoices or cybercriminals masquerading as vendors or your boss to get you to send them money. Companies need to not only provide awareness training, but also create or update their AP or Vendor Policy and/or desktop procedures with authentication techniques, internal controls and best practices to protect ourselves, our team, our company, and our vendors from fraudulent payments. But when that is not done, or not updated or you’re not comfortable it will fully protect you – there is more you can do to protect yourself.
Fraud is Evolving and So Are the Actions That Companies Are Taking Against Employees
According to the FBI 2019 Internet Crime Report, Business Email Compromise (BEC) involves a criminal spoofing or mimicking a legitimate email address and using social engineering tactics like urgency, to trick employees into fraudulent payments. The FBI reported that in 2019 their Internet Crime Complaint Center (IC3) received almost 24,000 BEC complaints that resulted in $1.7 billion in losses.
You probably know of someone that has received a write-up, note in their performance review, or that have even been terminated as a result of falling for an email scam. Employer actions are evolving too.
In two different business email compromise (BEC) instances, employees were duped into sending cybercriminals wire transfers, and here is what happened to them:
In one instance a worker in the financial industry made three wire transfers totaling $511,870 to third party bank accounts without confirming with the client. This violated company policy and the employee received not only a 45-day suspension but also a $7,500 fine.
In another instance, a UK employee was actually sued for allegedly not following company policy when they transferred $200,000 based on an email they thought was from their boss (who was on vacation). The bank was able to recover all but $138,000 and the company sued the employee for that amount. In the end, the judge ruled in favor of the employee.
In the last case, part of the employee’s defense is that the company had not provided security awareness training for over four years.
Whether your training was last week, last year, a few years ago or never – here is what you can do next to protect your self from an email scam today.
Follow the Processes Your Company Has Put into Place and Add More
Did you receive a calendar invite for a Security Awareness Training session? Accept and pay attention. If you are given a reference guide to put on your desk put it there and refer to it. Didn’t receive one? Make one to use (and share it with others). Do you have one of those PhishER phish alert buttons? Know how and when to use it.
Your #1 priority should be to follow the policy and/ or procedures that your company has put into place and document that you followed the process.
You may, however, get a really suspicious feeling about a particular email – it’s not in the same tone as historical emails. Below is a typical scenario where you call a vendor to confirm a banking change, but with an Authentication Technique, Best Practice, and Internal Control that you can add if not already in your policy or procedures:
You check their vendor record for contact information
Verify the email domain matches the email domain on the vendor record
If no, and is spoofed, report email, otherwise
Authentication Technique: Reply and ask at least two authentication questions, such as last 4 digits of tax Id and last 4 digits of existing bank account number they are attempting to change. Pass Authentication? Yes - Get their phone number and listed contact to call. No-Reject request.
If yes, get their phone number and listed contact to call, preferably a different contact than who is on the email.
You call the vendor for confirmation but ask for a different contact than who is on the email.
You document the Contact Name, Date, Time on a Confirmation Log
Best Practice: Document the source of the request for change. Print Email and Attach to Vendor Record in Accounting System/ERP or designated restricted and secure system folder.
Internal Control: Get Additional Approval if the email includes a request for a Wire Transfer
If you receive pushback from the vendor or internal stakeholders bring in your leadership for support. You are protecting yourself, your team, your company and your vendors.
About the author: Debra Richardson has over 20 years of experience working with Fortune 500 companies in various Finance Operations positions and now works with Accounts Payable Teams to prevent fraud.