Easy-to-miss fraud risks impacting A/P, Finance right now

Between internal fraud risks, cyberattacks and stolen checks, being on guard against fraudulent activity can become an all-day, everyday concern for your A/P department.

For instance, the number of fraud complaints nationwide averaged 2,300 per day in 2021 (up from 1,300 daily complaints in 2019), according to the FBI Internet Crime Complaint Center’s (IC3) Internet Crime Report.

Business email compromise scams have a lot to do with it, with nearly 20,000 complaints to IC3 in 2021. The news that a county government in New Mexico was fooled by a Kenyan national living in the U.S. into paying over $447,000 because it thought he was an approved vendor may have you concerned that the same thing could happen to you.

According to a report in the Albuquerque Journal newspaper, a legitimate-looking email from a tech vendor asked to change payment methods from check to ACH. But staffers didn’t follow the county’s verification procedures and called the contact phone number listed in the email instead of looking up the valid phone number in the master vendor file.

Later, an email arrived from the accounting department of the real tech vendor asking why hundreds of thousands of dollars in legitimate invoices hadn’t been paid.

The county recouped some of the money, but ultimately was hit with a net loss of more than $216,000. Since then, internal controls have been beefed up to include an “enhanced multi-level” authorization process for verifying changes to a contractor’s payment method.

Watch out for these fraud attempts

With more than 323,000 complaints reported to IC3 in 2021, phishing email scams that involve links to malware or data-stealing spoof sites are a favorite of fraudsters. They’re easier to miss now because cybercriminals are recruiting native English-speakers to compose the emails – eliminating the obvious scam attempts with spelling and grammar errors.

But workplace email phishing isn’t the only method crooks are using to rip off organizations like yours. Here are some easy-to-miss risks staffers need to know about.

Unnecessary details in a staffer’s out-of-office message can be used to craft a targeted social engineering scam. All fraudsters need to get started is to receive an automated email reply or reaching a voicemail announcing someone’s out of the office. For example, if a criminal knows that an executive is out of the country for a week attending a conference, the crook has enough specific details to impersonate them via email and target someone in Finance to request a payment or “update” bank data.

Some out-of-office message best practices to consider:

• Adjusting your email settings so that your out-of-office message is sent to contacts only
• Suggesting an alternate contact while you are unavailable, and
• Avoid oversharing. Don’t include where you’re going or why, your personal cell phone number or an alternate email where you can temporarily be reached. Just say you’ll have limited access to email and will return the message as soon as possible.

Speaking of oversharing, another way A/P can inadvertently open the door to fraud is leaving sensitive banking change information on the voicemail of a vendor rep. Consider creating a vendor voicemail policy or a script your people can follow that requests a call back. That keeps them from giving out too much information at once.

According to security software company KnowBe4, phishing scammers are able to use CSS code to hide “external sender” email warning flags from IT to impersonate someone within the company. So IT will need to adjust its cyberthreat strategy accordingly. When in doubt about an email domain, Whois.com/whois is a site you can paste domain addresses into for verification.

Also, greater care must be taken when browsing the web because the “S” in the “https://” at the beginning of a URL is no longer a guarantee of a verified, safe site. Hackers are able to obtain SSl certificates much easier than they should.

With the data of professionals now for sale on the dark web as a result of a data scraping incident, phishing attempts are being made via LinkedIn to entice your team members to provide corporate email addresses or phone numbers, sensitive login credentials and even financial information. Some red flags to watch for:

• Messages from people you don’t know personally
• Job postings that sound too good to be true or ask you to pay something up front
• Urgent messages that your profile is being deactivated or requesting confirmation of your LinkedIn account
• A non-LinkedIn domain email address or a hyperlink that’s not a LinkedIn.com webpage, and
• Messages asking to install software or open an attachment.

Fraud hitting even closer to home

A/P consultant and trainer Debra Richardson noted in an IOFM webinar that A/P pros need to be extra cautious about fraud right now because of an emerging international trend of stronger employer actions being taken against Finance pros.

She said that in one case in the UK, an employer unsuccessfully tried to sue an employee for mistakenly sending more than $100,000 to a cybercriminal. In Australia, a $61 million fraud loss led to a company firing its CEO and CFO, and then trying to sue them, according to Richardson.

That means Finance pros need to be vigilant about fraud – not just to look out for your company’s interests and your vendors’ interests, but also to protect yourselves. Richardson said that even though they can be hacked, password managers significantly reduce the risk of business fraud because they generate long passwords, prevent reuse of passwords and prevent automatic logins to spoof sites.

To stay on top of evolving fraud threats, it’s good to periodically check these sites:

• IC3
• IRS, and
• Better Business Bureau.