There are many ways fraudsters are attacking companies right now. One of those ways is to impersonate a person of authority at your company in an email and request a payment, usually urgently. In this post, we’ll break down that scheme and show you some ways to build a strong defense to avoid it.
It looks like this:
An email is sent from an executive to an accounting team member asking for an urgent payment. Depending on the company, this happens from time to time and might not seem that unreasonable. The accounting team member sets up and releases a payment on those instructions to an outside account. Little does the accounting team member know that the email was not sent from the executive – it just spoofed her/his email address and the fraudsters just received some of the company’s hard-earned money. These “phishing” attacks happen regularly, both in the personal world and business space.
What to do
This is a fairly simple ploy, and with a little training and a few changes, this can be easily avoided. Here are the steps to take to reduce the risk that this ever has any impact on your organization.
Step 1: Personal confirmations
If a payment request is coming from an employee, in most cases, you should be able to confirm the instructions with the employee before moving forward. Send the person a quick text, chat, or phone call to confirm (remember not to just reply to the email that was sent – use other channels or start a fresh email to the person’s work email address).
Step 2: Training & Reviews
Inform your team of these schemes when they are hired and send around (clearly marked of course) any fraudulent emails when they do come in so that the team is aware of the ploy and what they look like. Have your team carefully review all new emails that come in (especially ones requesting a payment or requesting a new vendor to be set up) to verify that the email address and details are appropriate to the sender. If an executive is sending an email, it should come from their official work email only.
Step 3: Only pay invoices
Have a policy in place where you only pay amounts from invoices that have been approved by multiple people. If an urgent payment request from an executive is common at the company, you may need to make organizational changes so that those are not needed. If these actual requests are either infrequent or not allowed, the fake requests will be that much easier to spot.
Step 4: Look at where the payment is going
If the payment is going to a foreign country, your level of suspicion should go up. If you have never done business with this organization before, your level of suspicion should go up. If something doesn’t seem right, ask more questions.
Step 5: Email settings
If you use Outlook, you can have your IT team set up rules to block emails that are coming from outside your organization that appear to be from someone from inside the organization. In layperson’s terms, the rule would say: If an email from outside my company says it is From “[executive name]”, then quarantine the message. You can also whitelist certain emails that are known (like an executives personal email address) so that they go through and avoid getting caught in this rule. Talk to your IT team about whether you can add this for your organization if you receive a lot of phishing emails.
Step 6: Use a System
Putting in place an AP automation system, like AP genie, with controls over invoices, approval workflow and authorizations will dramatically improve your fight against fraud. Even if an urgent payment comes up, put it through the system and have the appropriate people approve to make sure there are no issues. Approvals can be done extremely fast with AP genie’s automation and easy to use mobile app, making even urgent payments possible to process at lightning speeds.
AP genie can help!
Ready to learn more? Find out more information here or sign up for a free trial of our advanced AP automation system here. Together, we can help your team fight fraud and become more efficient, so your team can work on more value-added items while leveraging technology.