Purchase order cyberattacks: 7 due-diligence steps to take with all vendor emails to A/P
Increasingly clever cybercriminals are out to take your company’s money. They’d even stoop so low as to hack you with a purchase order that looks real.
For example, emails with an attachment disguised as a purchase order can contain links to a bogus site that looks real enough to trick users into sharing sensitive account information.
Because of the volume of email your team handles, and because sometimes these emails can slip through both spam filters and your external sender email warning filter, you could be vulnerable to an attack (or a fraudulent billing scheme) that’ll cost a lot of money to mitigate.
Purchase order attachment best practices
Some important security reminders to pass along to finance staffers:
- Remember that malicious links can easily be hidden in Word documents and PDFs. The only truly safe attachment format is a .txt file.
- Double-check email sender details. If the sender is unfamiliar or if something seems off about the address, it could be suspicious.
- Remember that organizations like Microsoft, your company’s energy suppliers, the IRS, the U.S. Postal Service and many more generally don’t send emails asking you to open a website to restore some setting, or to open a purchase order or an invoice.
- If an email attachment comes from someone you know, but normally doesn’t send purchase orders, hold off on opening it and call the sender to verify that it came from them.
- Be suspicious of any email that asks you to open an attachment, or click on a link, to specifically avoid a negative consequence (e.g., a late fee) or to gain something of value (e.g., an early payment discount).
- Be suspicious of any attachment that asks you to open an embedded link because scripting or editing is disabled.
- Don’t open personal emails on company-owned devices and vice-versa.
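The sender checks in the list above (unfamiliar or slightly "off" addresses, a contact who doesn't normally send purchase orders, pressure language about late fees or discounts) can be partly automated before a message reaches an A/P inbox. The script below is an added example written for this article, not part of the original page: it parses a constructed sample message with Python's standard `email` module and reports the same warning signs a staffer is asked to look for. The vendor-domain list and the sample addresses are assumptions for the demo.

```python
"""Sender-detail checks for inbound vendor e-mail (added example, not from the article).

The known-vendor list and the sample message below are constructed for the demo.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumed list of vendor domains A/P has on file (placeholder values).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Words that signal the "avoid a penalty / gain a discount" pressure the article warns about.
PRESSURE_WORDS = ("late fee", "action required", "discount", "urgent", "past due")

# Constructed sample: display name claims a known vendor, the address is a lookalike
# domain (one letter changed), and Reply-To points at an unrelated mailbox.
SAMPLE_RAW = """\
From: "ACME Supplies Billing" <billing@acme-suppiies.example>
Reply-To: ap-desk@freemail.example
To: ap@yourcompany.example
Subject: Purchase Order #48213 - action required to avoid late fee
Content-Type: text/plain

Please open the attached purchase order and confirm payment details today.
"""


def domain_of(addr: str) -> str:
    """Return the lowercase domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw: str) -> list:
    """Return a list of human-readable warnings about the message's sender details."""
    msg = message_from_string(raw)
    warnings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(reply_addr)

    # 1. Sender domain is not a vendor on file; if it is merely *close* to one,
    #    treat it as a lookalike rather than an unknown sender.
    if from_dom not in KNOWN_VENDOR_DOMAINS:
        close = difflib.get_close_matches(from_dom, KNOWN_VENDOR_DOMAINS, n=1, cutoff=0.8)
        if close:
            warnings.append(f"sender domain {from_dom!r} resembles known vendor {close[0]!r}")
        else:
            warnings.append(f"sender domain {from_dom!r} is not on file")

    # 2. Replies would go to a different domain than the apparent sender.
    if reply_addr and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom!r} differs from sender domain {from_dom!r}")

    # 3. Display name borrows a known vendor's brand while the address does not belong to it.
    for dom in KNOWN_VENDOR_DOMAINS:
        brand = dom.split(".")[0].split("-")[0]  # e.g. "acme"
        if brand in display.lower() and from_dom != dom:
            warnings.append(f"display name mentions {brand!r} but address domain is {from_dom!r}")

    # 4. Subject uses penalty/reward pressure to rush the reader into opening something.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in PRESSURE_WORDS):
        warnings.append("subject uses pressure language (late fee / action required / discount)")

    return warnings


if __name__ == "__main__":
    for line in check_sender(SAMPLE_RAW):
        print("WARNING:", line)
```

None of these checks proves a message is fraudulent; they are the cue to stop and phone the vendor on a number already on file, exactly as the list above recommends. In a real deployment the vendor-domain set would come from the vendor master file rather than a hard-coded constant.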
Finance also needs to watch for these
Speaking of links to malicious sites, your team needs to take extra care with their Google searches. The FBI’s Internet Crime Complaint Center has issued a warning about cybercriminals taking advantage of search engine advertising to impersonate brands and fool unsuspecting users into clicking on links that host ransomware and steal login credentials and other financial information.
Also, a purchase order warrants a closer look if any of these are involved:
- Unexpected changes in pricing
- Staffers processing on behalf of vendors outside of their normal job duties
- Vaguely defined services
- Amendment after the invoice has been submitted (an after-the-fact purchase order might just mean a requisitioner, buyer or vendor is out of policy, not necessarily committing fraud)
- Identical items purchased in different amounts simultaneously, or within short periods of time, or
- Recurring purchases that fall just under your review/authorization thresholds.
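The red flags in this list lend themselves to a routine screen over the PO ledger rather than a manual read of each order. The script below is an added example written for this article, not part of the original page: it encodes the listed warning signs (unexpected price changes, vaguely described services, amendment after the invoice arrived, identical items re-ordered within a short window, and recurring purchases just under the approval threshold) as rules run over a constructed set of purchase orders. The threshold, tolerances, vendor names and records are all assumptions for the demo.

```python
"""Purchase-order red-flag screening (added example; not from the article).

The records, threshold and tolerances below are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy values (placeholders for the demo).
REVIEW_THRESHOLD = 5000.00     # POs at or above this need second-level approval
NEAR_BAND = 0.10               # within 10% below the threshold counts as "just under"
SPLIT_WINDOW_DAYS = 7          # same item re-ordered within this many days
PRICE_TOLERANCE = 0.15         # unit-price move beyond 15% vs. the previous PO
VAGUE_WORDS = {"consulting", "services", "service", "misc", "miscellaneous", "other", "fees"}


@dataclass
class PurchaseOrder:
    po_id: str
    vendor: str
    item: str
    unit_price: float
    quantity: int
    issued: date
    description: str = ""
    invoice_received: Optional[date] = None
    amended: Optional[date] = None

    @property
    def total(self) -> float:
        return self.unit_price * self.quantity


def is_just_under_threshold(po: PurchaseOrder) -> bool:
    """True when the PO total sits inside the band just below the approval threshold."""
    return REVIEW_THRESHOLD * (1 - NEAR_BAND) <= po.total < REVIEW_THRESHOLD


def is_vague(description: str) -> bool:
    """Heuristic: fewer than three words, or every word is a generic term."""
    words = [w.strip(".,;:").lower() for w in description.split()]
    return len(words) < 3 or all(w in VAGUE_WORDS for w in words)


def screen(orders: list) -> dict:
    """Return {po_id: [reasons]} for every PO that trips at least one red flag."""
    flags = defaultdict(list)

    # Rules that compare a PO with earlier POs for the same vendor and item.
    history = defaultdict(list)
    for po in sorted(orders, key=lambda p: p.issued):
        prior = history[(po.vendor, po.item)]
        if prior:
            last = prior[-1]
            change = abs(po.unit_price - last.unit_price) / last.unit_price
            if change > PRICE_TOLERANCE:
                flags[po.po_id].append(f"unit price moved {change:.0%} vs {last.po_id}")
            recent = [p for p in prior if (po.issued - p.issued).days <= SPLIT_WINDOW_DAYS]
            if recent:
                flags[po.po_id].append(f"same item as {recent[0].po_id} within {SPLIT_WINDOW_DAYS} days")
        prior.append(po)

    # Rules that look at a single PO on its own.
    for po in orders:
        if po.amended and po.invoice_received and po.amended > po.invoice_received:
            flags[po.po_id].append("amended after the invoice was received")
        if is_vague(po.description):
            flags[po.po_id].append("vaguely described goods or services")

    # Recurring purchases just under the approval threshold, grouped per vendor.
    near = defaultdict(list)
    for po in orders:
        if is_just_under_threshold(po):
            near[po.vendor].append(po)
    for vendor, group in near.items():
        if len(group) >= 2:
            for po in group:
                flags[po.po_id].append(
                    f"{len(group)} POs from {vendor} just under {REVIEW_THRESHOLD:.0f}")
    return dict(flags)


# Constructed sample data for the demo.
SAMPLE_ORDERS = [
    PurchaseOrder("PO-1001", "Northwind", "toner-xl", 120.00, 10, date(2024, 3, 1),
                  "Toner cartridges for third-floor printers"),
    PurchaseOrder("PO-1002", "Northwind", "toner-xl", 150.00, 10, date(2024, 3, 4),
                  "Toner cartridges for third-floor printers"),
    PurchaseOrder("PO-1003", "Acme", "consulting", 4900.00, 1, date(2024, 3, 5),
                  "consulting services"),
    PurchaseOrder("PO-1004", "Acme", "consulting", 4850.00, 1, date(2024, 4, 2),
                  "consulting services",
                  invoice_received=date(2024, 4, 10), amended=date(2024, 4, 12)),
    PurchaseOrder("PO-1005", "Globex", "laptop", 1400.00, 3, date(2024, 3, 10),
                  "Laptops for new hires, model X"),
]

if __name__ == "__main__":
    for po_id, reasons in sorted(screen(SAMPLE_ORDERS).items()):
        print(po_id, "->", "; ".join(reasons))
```

A flagged PO is a prompt for a closer look, not a finding: as the list notes, an after-the-fact amendment is often a policy lapse rather than fraud, and the same applies to the other rules. The band below the threshold and the re-order window are the two values most worth tuning to your own approval policy.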