The threat of fraud and cyber-crime is not new, however so much happened over the last few weeks that brought it to the forefront of my attention, and made me realise how vulnerable a company can be to such attacks.
A client was defrauded of a substantial amount of money; the way in which the fraudsters worked was incredible. It appears as though they got access to the company's e-mail system and sent e-mails from the directors to payroll. The e-mails contained new bank details for an employee, to which their salary was to be paid.
Payroll actioned the request.
It raised a number of questions for me: would I have actioned the e-mail? I don't think I would have, not without checking first. Either way, it proves that it can happen to anyone, so we all need to be extra vigilant.
I mentioned it to someone I work with, and they told me a story that shocked me even more. A few years back, he was called by his then CEO, who was away travelling, and was asked to set up an urgent bank transfer. He had a long chat with the CEO, and actioned the transfer.
It was not the CEO who had called him, but someone impersonating him!
I have since heard three other similar stories and it made me realise that this is just another reason for having proper systems and procedures in place for finance. The values we are talking about are in the thousands; so, could your company afford to lose thousands?
There is never going to be 100% protection from criminals, but what you can do is try and make it as difficult as possible for them to succeed.
“While it may not be possible to eliminate the risk of fraud altogether, a company can at least identify it early and minimize its damage with proper planning, policies and procedures.” – Ken Evans
So, what sort of things do we need to look out for? Barclays anti-fraud division has documented the most common methods of fraud:
Phishing emails are messages which claim to be from your bank, HMRC or someone you do business with. The scary thing is that the sender's address can often seem genuine. They often ask you to click on a link and give them confidential information.
CEO Fraud is when an email appears to come from your director, normally to the accounts department, requesting that an urgent payment be made that day. This often happens when the director is out of the office, making it difficult to check.
Mandate Fraud is when you get an email, letter or phone call fraudulently requesting that you change the payment details for a usual supplier or an employee. The payments are then directed to a fraudulent bank account.
Vishing Phone Calls are when the fraudster calls you pretending to be your bank, the police or an IT support organisation, saying there's a problem and you need to act urgently. The aim is to get confidential information from you – including passwords or PINs.
Remote Working Issues: if you use unsecured Wi-Fi – whether a home router or a public hotspot – people can snoop on what you are doing online and get confidential information from you.
In the Office: anyone you don't know, whether they are suppliers, tradesmen or colleagues, can pose a risk to your business's security. Be vigilant and aware of the risk when they are around.
There are probably many factors that a criminal is relying on when targeting a company, but the main one is causing a sense of urgency, almost panic, that makes the employee react quickly and without thinking clearly.
What can companies do to protect themselves?
Be aware: because of his past experience, the finance manager I mentioned earlier recently received an email from one of the owners of the company where he now works, asking whether he could do something urgent for him. He was alert to the risk and reported the email to IT and to the owner. It turned out to be a phishing email.
Slow down, take a deep breath and think about what you are being asked to do: in many companies it's all rush, rush, rush and everything is urgent. Fraudsters prey on this kind of environment.
Listen to your gut feeling: if you are being pressured to do something and it doesn't feel right, then check, and even double check.
Understand your finances, including methods of payment, who has the authority to make those payments, and who checks that payments are legitimate.
Have processes in place for checking whether a request from a supplier or employee to change their bank details is genuine: make a simple phone call to the supplier (using a phone number from one of their old invoices), or go and see the staff member to confirm the request.
Make sure that there are controls in place at each step of the purchase invoice process; if the process for receiving supplier invoices, processing them and approving them for payment is haphazard, then the risk of fraud is high.
Protect your email system by changing passwords frequently, and make sure that internet protection is something you take seriously.
If your CEO or a senior manager is travelling and requests a transfer, have two separate methods of confirming the instruction. A FaceTime or WhatsApp video call is quick and easy. Perhaps set a random verbal password, changed every week, which forms part of the conversation?
Get your management team and finance team together and identify the areas that could be targeted by fraudsters. Put an action plan in place to protect yourselves, and keep talking to each other to fine-tune the plan.
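As an added example (not code from the original post), the following Python encodes the controls above as a release gate: a payment request only clears if it has been confirmed on a channel other than the one it arrived on, a change of bank details needs a phone, video or in-person confirmation rather than an email, and amounts above a threshold need a second person to have checked. The class and channel names, the £1,000 threshold and the sample scenario are illustrative assumptions.

```python
"""Added example (not from the original post): a small dual-control gate for
payment instructions. Names, channels and the threshold are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    """How an instruction or a confirmation reached the finance team."""
    EMAIL = "email"
    PHONE_CALL = "phone_call"   # to a number already on file (e.g. an old invoice)
    VIDEO_CALL = "video_call"   # e.g. a FaceTime or WhatsApp video call
    IN_PERSON = "in_person"


@dataclass
class PaymentRequest:
    request_id: str
    claimed_requester: str       # who the message says it is from (unverified)
    received_via: Channel        # channel the instruction arrived on
    amount_gbp: float
    changes_bank_details: bool   # mandate change: new account for a supplier/employee
    marked_urgent: bool          # "must be done today"; never relaxes the checks
    # (verifier, channel) pairs recorded by staff after confirming the request
    verifications: list = field(default_factory=list)


def red_flags(req):
    """Signals that warrant slowing down before anything is actioned."""
    flags = []
    if req.marked_urgent:
        flags.append("request is marked urgent: pressure is the fraudster's main lever")
    if req.changes_bank_details:
        flags.append("request changes payee bank details")
    if req.received_via == Channel.EMAIL:
        flags.append("arrived by email: the sender address can look genuine")
    return flags


def record_verification(req, verifier, channel):
    """Log that `verifier` confirmed the request over `channel`."""
    req.verifications.append((verifier, channel))
    return req


def release_decision(req, approver, dual_control_threshold_gbp=1000.0):
    """Return (ok, reason). `approver` is the person about to release funds."""
    # Only confirmations on a channel other than the request's own count:
    # replying to the same email, or calling back a number given in the
    # request, proves nothing if that channel is the one the fraudster controls.
    independent = [(who, ch) for who, ch in req.verifications
                   if ch != req.received_via]
    if not independent:
        return False, "no confirmation on a channel other than the one the request arrived on"
    # A change of payee bank details is confirmed by phone to a known number,
    # by video, or in person; an email from anyone is not enough.
    if req.changes_bank_details and not any(ch != Channel.EMAIL for _, ch in independent):
        return False, "bank-detail change not confirmed by phone, video or in person"
    # Above the threshold someone other than the approver must have confirmed
    # it, so one person can never both check and release a large payment.
    if req.amount_gbp >= dual_control_threshold_gbp and not any(
            who != approver for who, _ in independent):
        return False, "amount needs confirmation by someone other than the approver"
    return True, "released"


if __name__ == "__main__":
    # Constructed scenario modelled on the salary-diversion story above.
    req = PaymentRequest("REQ-1", "director@example.com", Channel.EMAIL,
                         2500.0, changes_bank_details=True, marked_urgent=True)
    for flag in red_flags(req):
        print("red flag:", flag)
    print(release_decision(req, approver="payroll.clerk"))        # rejected: nothing checked
    record_verification(req, "payroll.clerk", Channel.EMAIL)      # replied to the email
    print(release_decision(req, approver="payroll.clerk"))        # rejected: same channel
    record_verification(req, "finance.manager", Channel.IN_PERSON)
    print(release_decision(req, approver="payroll.clerk"))        # released
```

The gate treats urgency purely as a red flag to surface, never as a reason to skip a check; the three rules are deliberately independent so that a compromised mailbox, a spoofed phone call or a single rushed employee each fail a different test.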
One main problem I see regularly is that finance is not taken as seriously as it should be. What I mean is that a finance role is often combined with other roles, such as HR or office management; it is often under-resourced, a poor relation to the 'money-making' departments. The more distractions there are for finance employees, the bigger the risk of mistakes being made.
Money is the lifeblood of a business, so it needs to be treated with the utmost respect, and it should not be an area that is targeted as part of cost-cutting measures.
It is evident that these types of crimes are on the rise, so be aware, and take action to protect your company. It’s worth investing the time and the money to make sure your IT defences and finance department are well equipped to deal with these kinds of threats.