One of the issues keeping treasury departments up at night is a new version of fraud called 'Business Email Compromise', where intruders masquerade as the CFO or CEO and create emails in the hope of persuading authorized signers to issue electronic payments on their behalf. Because of the socially engineered nature of this scam, every area within a company, not just treasury, needs to be aware of it if the company wants to avoid being 'phish bait'.
The scam starts with someone hacking into a company’s email system by “phishing” for an employee who will click on a too-good-to-be-true email, or even one that appears to come from a friend (beware that wrong domain name). Once inside the company’s email system, the scammer waits until certain facts are uncovered:
- When will senior management be out of the office?
- Who is responsible for preparing, reviewing and authorizing outgoing disbursements?
Once these simple facts are learned, the perpetrators go to work by posing as a senior manager (CEO, CFO, etc.) and sending “urgent” emails to those in the disbursement chain.
Often these emails arrive late in the week or late in the day, making it difficult to reach the supposed sender or even the bank. The objective of the scam is to get an authorized signer or sender to willingly release funds from the company’s bank. Often these requests also demand that the recipient maintain secrecy.
Example: The Controller at a recent client (a multi-billion-dollar company) received an email that looked like it came from the CFO, asking the Controller to send an urgent wire to a beneficiary for a 'secret' business purpose. Relatively speaking, the amount of the transfer was small. The email ended by thanking the Controller for his help.
- The Bad News – someone had penetrated the company’s email system. Upon closer inspection, the CFO’s email address was one character off.
- The Good News – this attempt at scamming the company failed because the Controller knew that the CFO never says “Thank You” in his emails. He took the extra time to confirm the content and purpose of the funds transfer request.
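As an added illustration (not part of the original article), the 'one character off' observation can be turned into an automated check: the script below compares an inbound sender address against a constructed list of authorized executive addresses and flags near-matches by edit distance. The addresses and the threshold of two edits are assumptions for the demo.

```python
# Added example: flag sender addresses that nearly match an authorized
# executive address (the "one character off" pattern in the story above).
# The authorized list and the inbound samples are constructed for the demo.

def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

AUTHORIZED = {                      # constructed sample values
    "cfo@example.com": "CFO",
    "ceo@example.com": "CEO",
}

def classify_sender(address: str, authorized=AUTHORIZED, max_edits: int = 2) -> str:
    """Return 'authorized', 'lookalike:<role>' or 'unknown' for an inbound From address."""
    addr = address.strip().lower()
    if addr in authorized:
        return "authorized"
    best_role, best_dist = None, None
    for known, role in authorized.items():
        d = levenshtein(addr, known)
        if best_dist is None or d < best_dist:
            best_role, best_dist = role, d
    # A small edit distance to a real executive address is the lookalike
    # signature; a completely different address is merely unknown.
    if best_dist is not None and best_dist <= max_edits:
        return f"lookalike:{best_role}"
    return "unknown"

if __name__ == "__main__":
    for sample in ["cfo@example.com", "cf0@example.com",
                   "cfo@exarnple.com", "supplier@othercorp.net"]:
        print(sample, "->", classify_sender(sample))
```

A 'lookalike' result is the case to route to a person-to-person confirmation rather than to the payment queue.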
While this example ended happily enough, this type of scam requires an enterprise-wide solution to keep a company from remaining vulnerable to socially engineered fraud.
Issues to consider
- Email Security - Who has access to authorized email addresses, and how do we ensure that only authorized email addresses can communicate with others in the company? (IT security upgrades?)
- Access to the Internet - Why do employees continue to click on questionable emails? (Employee training required?)
- Proper Documentation - Should emails serve as the only documentation required to disburse funds? (Policy update on proper documentation from a third party?)
- Funds Transfer Authorizations - Who is allowed to prepare, review, and authorize disbursements? (Policy updates on level of approvals based on amount, purpose, etc.?)
- Bank Liability – Banks have no liability in these situations, although they will often help to recover funds on a best-efforts basis. After all, legitimately authorized individuals asked the bank to transfer the funds. (Need for different insurance coverage? Depending on your policy, normal insurance may or may not cover this type of fraud.)
- Use of Bank Accounts for Disbursements - Does the treasury department maintain absolute control over all bank accounts at all banks, including those supposedly closed, and are 'real' disbursements restricted to only a select few accounts?
- Authorized Beneficiaries - Who are the approved recipients of a company’s funds? (Update policy on use of third parties like suppliers and payroll vendors for business purposes?)
As you seek to prevent your company from becoming phish bait, consider this simple two-part question: 'Have we ever sent funds to this beneficiary at this bank account before?'
Asking this question can stop the scam in its tracks. After all, the scammer is seeking to become a 'legitimate' beneficiary of funds sent to a bank account that they control (i.e., the request and approval are fake, but the beneficiary is real even if you do not know them).
Unfortunately, asking this question may be simple, but the actions required for your company to phish-proof itself may not be. Change will cut across organizational entities and their normal responsibilities. Also, think about the second part of the question above. A clever scammer can even masquerade as a legitimate supplier and direct your AP area to change previously approved banking instructions. The next 'legitimate' request from that previously approved beneficiary will then go to a new bank account the scammer controls.
Steps to take in 2016
While each company’s organizational structure and culture may present unique challenges, consider the following as a starter set toward making your company phish-proof:
- Secure Your AP Master Vendor File - Most companies have thousands of vendors in their AP master file, but few companies vet their vendors (i.e., we received an invoice, the “CFO” said it was OK to pay, so let’s process and pay it). Fewer still are equipped to know which beneficiaries may be on a restricted 'no fly' list (e.g., a list maintained by the Office of Foreign Assets Control (OFAC) or other regulatory bodies).
- Restrict Disbursements to select bank accounts at your 'preferred provider' banks. This may result in a more centralized approach to disbursing funds, but the goal should be to restrict payments to only a few banks where transactions can be monitored daily, not just after the normal monthly bank reconcilement.
- Trust, but verify – Create a process that verifies the identities of both the sender and the receiver of a funds transfer request. For electronic payments, comparing each request received against a highly secure and frequently verified authorization list can help. As appropriate, create a confirmation process for 'strange' and 'urgent' requests, say by using a different form of communication such as a voice call to a trusted phone number.
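As an added example (not from the article), the two-part question above and the 'Trust, but verify' step can be combined into a pre-release screen: each payment request is compared against a constructed history of beneficiary and bank-account pairs, so a first-time beneficiary, or a changed bank account for a known beneficiary, is routed to out-of-band confirmation before release. Vendor names and account numbers are made-up sample values.

```python
# Added example: pre-release screening of a funds-transfer request against
# the history of beneficiaries and bank accounts the company has paid before.
# All names and account numbers below are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Payment:
    beneficiary: str
    bank_account: str
    amount: float

# Constructed history of previously released payments.
HISTORY = [
    Payment("Acme Supplies Ltd", "ACCT-0001-SAMPLE", 12_500.00),
    Payment("Acme Supplies Ltd", "ACCT-0001-SAMPLE", 9_800.00),
    Payment("Northwind Payroll Inc", "ACCT-0002-SAMPLE", 48_000.00),
]

def known_accounts(history):
    """Map each beneficiary to the set of bank accounts it has actually been paid at."""
    seen = {}
    for p in history:
        seen.setdefault(p.beneficiary.strip().lower(), set()).add(p.bank_account)
    return seen

def screen_request(request: Payment, history=HISTORY) -> str:
    """Answer the two-part question for one request.

    Returns 'release' when this beneficiary has been paid at this account before,
    'verify:new-beneficiary' when the beneficiary has never been paid, and
    'verify:changed-account' when a known beneficiary presents a new account
    (the 'changed banking instructions' variant of the scam).
    """
    seen = known_accounts(history)
    accounts = seen.get(request.beneficiary.strip().lower())
    if accounts is None:
        return "verify:new-beneficiary"
    if request.bank_account not in accounts:
        return "verify:changed-account"
    return "release"

if __name__ == "__main__":
    for req in [Payment("Acme Supplies Ltd", "ACCT-0001-SAMPLE", 3_000.00),
                Payment("Acme Supplies Ltd", "ACCT-0099-SAMPLE", 3_000.00),
                Payment("Secret Deal Holdings", "ACCT-0077-SAMPLE", 25_000.00)]:
        print(req.beneficiary, req.bank_account, "->", screen_request(req))
```

Anything returning a 'verify:' result goes to the confirmation step over a separate channel, and only a request that passes that step is released.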
Finally, look on the bright side. You now have an excuse to actually talk to your CFO, person to person.