Are You Disciplined in Preventing Fraud?
02 May
Failure to Follow Controls
It happened again. This time, a county government in New Mexico electronically paid $447,372 in nine different disbursements to a criminal. The alleged fraudster may be a Kenyan, but he wasn’t posing as a prince trying to get a fortune out of the country. Instead, he was a resident of Rochester, NY, who very convincingly took on the identity of one of the NM county’s approved vendors.
The fatal flaw for the county was a failure to follow controls. The perpetrator emailed the county, presenting himself as the county’s IT equipment, supplies and software vendor, and requested a change in payment method from check to ACH. What happened next was a textbook violation of internal controls, and it is happening often enough to reward the time and effort put in by criminals.
An accounts payable staffer, receiving the change-of-payment-method request via email, thought she was doing the right thing. She verified the request through the vendor contact. The problem was that she contacted the vendor representative listed in the email rather than going to the vendor master file to find the authorized vendor contact.
That one failure of discipline led to the re-routed payments. And while the FBI recovered some of the money and insurance replaced more, the county still suffered a net loss of more than $200,000. The FBI caught the alleged perpetrator, but not before he had passed some of the money to unnamed co-conspirators.
Shortcuts and Business Email Compromise
Business emails can be compromised! But fully following the proper controls can protect your company against fraud. In this case, an AP person thought she was doing right by calling the vendor to verify the request. But because she contacted the source listed in the email, she played into the criminal’s hand.
Either she took a shortcut, or the control policy was inadequate in not specifying that vendor contact must be independent of the change communication. Controls must be thorough and thoroughly enforced. And staff must be trained to follow the controls and instructed on the reasons for them. Pressures on AP can encourage shortcuts, especially if staff do not understand the reason for the control.
Further, the county did not verify the vendor’s bank account. There are three critical elements to prove a legitimate account: account ownership, the account number and the bank routing number. That’s how you know the money is going where you think it is. Fail to do that, and you are rolling dice.
The county did not discover this fraud until the actual vendor contacted it looking for payment. After two weeks and two attempts to reconcile payments, the county realized the email and sender were fraudulent and accounts payable had fallen for an email confidence trick.
How to Avoid Falling Victim to BEC Fraud
AP fraud stories usually point either to a lack of internal control or a control violation. Two controls could have prevented the loss in this case of business email compromise. The first is verification of a pay change request with a vendor contact independent of the demand for the change. The scheme would not have gotten off the ground if an AP staffer had gone to the master file for the vendor contact.
A second control is to verify bank account ownership and account numbers. Companies can verify vendor accounts more easily today than ever before. And with the increase in electronic payments, it is vital to protect against fraud.
By authenticating the bank routing number, account number, and account ownership and then following the control of referencing a valid contact documented in the vendor master file, a company can avoid falling prey to compromised emails. Unfortunately, perpetrators of business email compromise are good at what they do. They often take weeks or months to set up their victims through innocuous email messages before making their move. But internal controls followed with discipline will protect companies.
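The two controls described above can be written down as a gate that a payment change must pass before it is applied. The following is an added example, not code from the original post or from VendorInfo; the vendor record, phone numbers, routing numbers and the ownership-verification flag are constructed placeholders, and the account-ownership result is assumed to come from an external verification service that is not modelled here. The ABA routing-number checksum (weights 3, 7, 1, mod 10) is the real check on the number's form; it says nothing about whether the account belongs to the vendor, which is why the ownership flag is required separately.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorMasterRecord:
    """Authoritative vendor data held in the vendor master file (constructed sample)."""
    vendor_id: str
    authorized_contact_phone: str  # the only contact AP may use for a call-back
    routing_number: str
    account_number: str


@dataclass(frozen=True)
class PaymentChangeRequest:
    """A check-to-ACH change request exactly as it arrived by email (untrusted)."""
    vendor_id: str
    sender_email: str
    contact_phone_in_email: str    # whatever the sender claims is the vendor contact
    new_routing_number: str
    new_account_number: str


@dataclass(frozen=True)
class VerificationEvidence:
    """What AP actually did before approval; recorded so the control is auditable."""
    callback_phone_used: str
    callback_confirmed: bool
    ownership_verified: bool       # hypothetical result of an external ownership check


def aba_routing_checksum_valid(routing: str) -> bool:
    """ABA routing transit numbers are nine digits with a mod-10 check (weights 3,7,1)."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def evaluate_change_request(req: PaymentChangeRequest,
                            master: VendorMasterRecord,
                            evidence: VerificationEvidence) -> list[str]:
    """Return the list of control failures; an empty list means the change may proceed."""
    failures: list[str] = []
    if req.vendor_id != master.vendor_id:
        failures.append("vendor id in request does not match master record")
    # Control 1: the call-back must go to the master-file contact, never to a
    # contact supplied inside the change request itself.
    if evidence.callback_phone_used != master.authorized_contact_phone:
        if evidence.callback_phone_used == req.contact_phone_in_email:
            failures.append("call-back used the contact supplied in the email, not the vendor master file")
        else:
            failures.append("call-back did not use the authorized vendor master file contact")
    if not evidence.callback_confirmed:
        failures.append("vendor contact did not confirm the change")
    # Control 2: routing number, account number and account ownership are all verified.
    if not aba_routing_checksum_valid(req.new_routing_number):
        failures.append("routing number fails ABA checksum")
    if not req.new_account_number:
        failures.append("account number is empty")
    if not evidence.ownership_verified:
        failures.append("account ownership not verified")
    return failures


# Constructed sample data; "123456780" is a placeholder that happens to pass the checksum.
MASTER = VendorMasterRecord("V-1001", "505-555-0100", "111000025", "9876543")
REQUEST = PaymentChangeRequest("V-1001", "ap@example.invalid", "555-0199", "123456780", "2468135")


def county_scenario() -> list[str]:
    """AP calls the number in the email and skips ownership verification (the failure in the post)."""
    evidence = VerificationEvidence("555-0199", callback_confirmed=True, ownership_verified=False)
    return evaluate_change_request(REQUEST, MASTER, evidence)


def fraud_caught_scenario() -> list[str]:
    """AP calls the master-file contact; the real vendor denies making any request."""
    evidence = VerificationEvidence("505-555-0100", callback_confirmed=False, ownership_verified=False)
    return evaluate_change_request(REQUEST, MASTER, evidence)


def legitimate_scenario() -> list[str]:
    """A genuine request: master-file call-back confirms it and ownership checks out."""
    evidence = VerificationEvidence("505-555-0100", callback_confirmed=True, ownership_verified=True)
    return evaluate_change_request(REQUEST, MASTER, evidence)


if __name__ == "__main__":
    for name, fn in (("county", county_scenario), ("fraud caught", fraud_caught_scenario),
                     ("legitimate", legitimate_scenario)):
        print(f"{name}: {fn() or 'approved'}")
```

The useful property is that the evidence record names which phone number was dialled: a call-back to the number printed in the email is a distinct, reportable failure rather than a pass, so the shortcut the post describes cannot quietly satisfy the control.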
Contact us to find out how VendorInfo can help you with bank account verification and avoid email as a method of sensitive information transfer.