Welcome to the final part of Antidote to the Wire Fraud Epidemic, which focuses on how you fight fraud with treasury controls.
As you remember, we have discussed:
- What’s happening
- How the scam works
- How this scam is so successful
- Controls to implement: 3 entity level controls, 4 AP controls, and 5 IT controls
In this segment we will talk about the 4 treasury controls that you can use to fight this type of fraud:
- Have dual approval
- Review user permissions
- Follow standard procure-to-pay approvals for wire payments
- Review bank activities daily or weekly
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
As we discussed, prevention is the key. Share with your team how important this information is: how the fraud gets perpetrated and how they could be the gateway to a scammer. Now we are going to discuss implementing the suggested internal controls.
Treasury controls are procedures covering the incoming and outgoing cash in a company. In this phishing fraud, the main way cash leaves the company is by wire transfers to international bank accounts. So it makes sense to put in place treasury controls to prevent cash from going out to the wrong people.
The first control we suggest is to require dual approval to complete a wire transfer. One person initiates the transaction only after receiving written supporting documentation, such as a signed contract, and a separate person approves the transaction after reviewing the supporting documentation AND getting verbal confirmation from the requestor.
Remember from part 1, What’s happening?, that the scammer in this wire fraud epidemic is clever about disguising emails. The best way to prevent this is to pick up the phone or talk to someone live and ask, “Hey, did you really request this wire?” Even though you have the support documents, we’re suggesting the 2-step verification.
One person creates the wire and a different person approves it to reduce the risk that the email is fraudulent. Because two people have to work through this, someone may say “Hey, we’re not working on a particular transaction. We’re not working on anything confidential, why is this request coming to us?”
The second control we suggest is to review user permissions in all your payment/banking systems. Verify that dual approval is set up for proper segregation of duties in payment processing. We often find with our clients that they believe the system is set up right. They will say to us “Oh I can only initiate and Joe is the approver”.
When we actually go into the banking system itself, we find the system has not been set up that way. Maybe when you first used the banking system, it was set up right. Over time, someone goes on vacation, so you have to grant people access to initiate or to approve as the backup person. But when they came back from vacation, someone just forgot to go back into the banking system and review who has access to do what.
Again, review it even though you think all your banking systems have been set up properly. Log in as the administrator and take a look at each user in your banking system and verify what their approval limits are and what they are able to do.
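One way to run this permission review against an export of the bank portal's user list, as an added example that is not part of the original article. The column names, user names and documented role list are constructed assumptions; the check compares what the team believes with what the system actually grants.

```python
import csv
import io

# Constructed: what the team believes ("I can only initiate and Joe is the approver").
EXPECTED_ROLES = {"me": {"initiate"}, "joe": {"approve"}}

# Constructed sample of an administrator's user-permission export.
# Real banking systems use their own column names (assumption).
ACTUAL_EXPORT = """user,can_initiate,can_approve,approval_limit
me,yes,yes,50000
joe,no,yes,250000
temp_backup,yes,yes,250000
"""

def actual_rights(export_text):
    """Parse the export into {user: (set of rights, approval limit)}."""
    rights = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        granted = set()
        if row["can_initiate"].strip().lower() == "yes":
            granted.add("initiate")
        if row["can_approve"].strip().lower() == "yes":
            granted.add("approve")
        rights[row["user"].strip()] = (granted, float(row["approval_limit"]))
    return rights

def review_permissions(expected, export_text):
    """Return (user, finding) pairs where the system differs from the intent."""
    findings = []
    for user, (granted, limit) in sorted(actual_rights(export_text).items()):
        # One user holding both rights defeats dual approval.
        if {"initiate", "approve"} <= granted:
            findings.append((user, f"can initiate and approve alone (limit {limit:,.0f})"))
        # Accounts nobody documented, e.g. a vacation backup never removed.
        if user not in expected:
            findings.append((user, "not in the documented role list"))
        elif granted - expected[user]:
            extra = ", ".join(sorted(granted - expected[user]))
            findings.append((user, f"has undocumented rights: {extra}"))
    return findings

if __name__ == "__main__":
    for user, finding in review_permissions(EXPECTED_ROLES, ACTUAL_EXPORT):
        print(f"{user}: {finding}")
```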
The third control we will recommend is to require that all wire approvals follow the standard procure-to-pay process so that all cash disbursement activities are subject to the various procure-to-pay controls. We discussed the AP controls or the procurement controls before.
One of the biggest reasons some companies got scammed was because wire transfers followed a separate approval process and they were all recorded as journal entries. The wire transfers bypassed the vendor set-up process. They bypassed the PO/invoice approval process. They bypassed the 3-way or 2-way match controls. We previously suggested AP controls. But unless you require wire transfer disbursements to follow that process, those controls don’t work. They can’t work because you bypassed them.
Here’s an example of a company where this happened. They had a control in AP that required creating a new vendor before a bill or disbursement could be paid. It required you to go through a vendor approval process, and in order to release a wire transfer, you had to have all the supporting documentation.
Because the accounting team thought it was an emergency, they sent the wire transfer first, and then waited to set up the vendor. They had one person create the wire and a different person approve it, but there was no supporting documentation behind it. They said “oh we’ll record it as a journal entry” instead of putting it through the AP process. By the time they had to record the journal entry and needed the supporting documents, they discovered the fraud.
Finally, consider reviewing your bank activities daily or weekly instead of monthly. Whether you review daily or weekly really depends on your business volume. If you are a company that has a lot of transactions each week, then maybe reviewing it each week is great. With some of our clients, they have thousands of transactions a day. So if you wait until the end of the week, there may be transactions happening that you are not aware of. This would help identify the fraudulent cash disbursement sooner than if you waited until the end of the month when you are doing the monthly bank reconciliation.
It also gives you a chance to recover the money. One of the key components to stopping a transaction is to discover it within 24 hours. You could call your bank or call the receiving bank to put a stop on and unwind this particular transaction. The sooner you catch and identify the fraudulent cash disbursement, the easier it is to recover it.
Keep in mind that the fraud could have happened at the bank and not necessarily at your company. Meaning, a scammer has actually contacted the bank pretending to be you and they’ve convinced the bank to process a transaction. Many of the banks I work with said they have tightened controls now. Banks don’t do anything unless it’s through their banking system, which has a lot of approvals and voice confirmations. The only way you as a company can be on top of it is by reviewing your transactions on a weekly or daily basis if you have a lot of transactions.
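A sketch of the daily bank-activity review, as an added example that is not part of the original article. It flags outgoing wires that skipped vendor set-up, carry no PO/invoice reference, or were initiated and approved by the same person, and marks which ones are still inside the 24-hour window; all field names, payees and amounts are constructed.

```python
from datetime import datetime, timedelta

RECALL_WINDOW = timedelta(hours=24)  # the article's "discover it within 24 hours"

# Constructed data: vendors that went through AP vendor set-up.
APPROVED_VENDORS = {"Acme Supplies", "Globex GmbH"}

# Constructed bank-activity export of outgoing wires (field names are assumptions).
WIRES = [
    {"id": "W1", "posted": "2024-04-01T09:15", "payee": "Acme Supplies",
     "amount": 12000, "po": "PO-1001", "initiator": "alice", "approver": "joe"},
    {"id": "W2", "posted": "2024-04-01T16:40", "payee": "Oceanic Holdings Ltd",
     "amount": 480000, "po": "", "initiator": "alice", "approver": "joe"},
    {"id": "W3", "posted": "2024-03-29T11:00", "payee": "Globex GmbH",
     "amount": 30000, "po": "PO-1002", "initiator": "sam", "approver": "sam"},
]

def review_wires(wires, approved_vendors, now):
    """Return flagged wires, those still inside the 24-hour window first."""
    flagged = []
    for w in wires:
        reasons = []
        if w["payee"] not in approved_vendors:
            reasons.append("payee never went through vendor set-up")
        if not w["po"].strip():
            reasons.append("no PO/invoice reference")
        if w["initiator"] == w["approver"]:
            reasons.append("initiated and approved by the same person")
        if reasons:
            age = now - datetime.fromisoformat(w["posted"])
            flagged.append({"id": w["id"], "amount": w["amount"], "reasons": reasons,
                            "call_bank_now": age <= RECALL_WINDOW})
    # sorted() is stable, so wires keep their export order within each group.
    return sorted(flagged, key=lambda f: not f["call_bank_now"])

if __name__ == "__main__":
    for f in review_wires(WIRES, APPROVED_VENDORS, datetime(2024, 4, 2, 8, 0)):
        tag = "CALL BANK NOW" if f["call_bank_now"] else "older than 24h, escalate anyway"
        print(f["id"], f["amount"], tag, "; ".join(f["reasons"]))
```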
To recap, in this segment we described 4 treasury controls that you can use to fight this spear phishing fraud. They are: