We are on Part 5 of Antidote to the Wire Fraud Epidemic.
As you will remember from our previous segments, we talked about:
- What’s happening with the Wire Fraud Epidemic
- How this scam works
- Why this scam is so successful
And now we focus on how you fight it. This segment is on accounts payable controls that you can implement, like:
- Have 2-step call back verification
- Have proper documentation and support for any change requests
- Verify sender email for legitimacy
- Set up company policy on proper support for cash disbursements
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
When we talk about fighting this scam, prevention is the key. Share information about this scam with your teams and then implement internal controls immediately to prevent this from happening.
The first recommendation is to implement a 2-step call-back verification process when you are setting up payment instructions for new vendors or making changes to payment instructions for existing vendors. What do I mean by a 2-step call-back?
When you receive a request by email from a vendor, we don’t know if it is fraudulent or legitimate. Pick up the phone and call the person who requested the change at a known phone number for that particular person. Do not use the phone number listed in the email. We’ve had cases where the email actually says “I have just switched my phone number” or “Here’s the new information. You can contact me here for clarification” and, of course, the new phone number belongs to the fraudster. The first step is when you get the approval; that’s great! The second step is to give them a call at a known phone number and verify it with a live person whose voice you recognize.
The second control we recommend is for existing vendors who request changes to their bank information. Get the request on their company letterhead and call the vendor contact using a known phone number to confirm the request is valid. Do not just take an email request that says, “Hey! Can you change my banking information to xyz and such routing number and account number?” Graphic design is so good in this digital age that someone could create a company letterhead without you knowing it. But at least they have to go through the trouble of creating fake documents. Most scams are about easy opportunity. That’s why we also suggest calling the vendor at a known contact number. When you pair this written request with the 2-step call-back system, you know that this is a legitimate request from a real vendor.
The third control we recommend is verifying the sender’s email address if and when the request is out of the norm. In our example of [email protected], they transposed a letter and switched a minor thing. If you’re busy, you don’t really notice; our eyes read what we want to see, and we think, “Oh! That’s Gmail.”
Well, we actually had a case where an email was sent from a domain name in which the spammers had inserted an extra “i”, so there were two “i”s (“ii”). When your eyes look at it very quickly, you don’t notice until someone inspects it further. So closely inspect incoming email addresses and domain names for anomalies and transposed letters.
Fourth, implement a company policy outlining the acceptable forms of evidence and support needed before cash disbursements can be made. For example, do not accept just an email request for emergency transactions/wire transfers. Ask the requestor for a vendor invoice, signed agreement or other forms of evidence rather than just an email that says, “John said OK as you can see below”. Email alone is not proper support.
To recap, we discussed four AP controls that you can use to fight fraud, specifically: