I received a first email this week from our CEO advising of intention to send a wire that day. Then got a second email an hour later with wire details. Bank of Philippines, wrote John P. Hart Vice Pres – CFO at Nova Pressroom Products, LLC on Proformative.com, a social media and education site for financial and other professionals.
Jim followed up on that request. He wrote, I asked him [the CEO]– in person – why we needed to send $75,400 to an individual in the Philippines! WHAT? he said.
The Issue accounting controls
Sadly, this seems to be a more and more common swindle that the criminal element is using to bamboozle the overworked accounting department.
Finding out who the CEO for many companies is quite easy, and spoofing their email address that is child’s play for these people.
They are just betting on your staff, fellow employees or you to be sloppy. Hey, the CEO is the boss, and if he asks for money to be wired, he knows what he/she is doing, right!
WRONG! So wrong! Dangerously Wrong! Especially from the accounting control perspective.
The Solution – Accounting Controls
Every check that is written, wire that is sent, ACH entered into the banking system needs to be processed by a previously documented set of rules. Rules may vary a bit, but all of them have the same basic tenants:
- Backup documents to clearly and explicitly stipulate what the payment is for (services/products)
- Signatures that attest that the documents have been read and approved
- Standard addresses and bank accounts (if any) that the vendor uses (preferably sent via a secured methodology and counter-signed)
- Mandatory voice verification of e-mail requests for wires that
- Are over a certain threshold (with or without backup documents)
- That contain different banking information
- Are being sent to a new entity
Emerson Galfo the CFO at C-Suite Services added his comments as another way to prevent this situation: “I say whole organization because the “in thing” now is SOCIAL ENGINEERING where hackers can get in or get company info via seemingly innocent emails/links. A staffer may innocently click on one.
Here is an example….A staffer has indicated her company email address in her Facebook page. Now, the format of your company email addresses (ex.ÂFirstname.Surname@companyA.com) is out there. From there, a hacker can broadcast an email to ALL your staff and hoping ONE (that is all they need) can be tricked to clicking on a link.”
Just as we have made rules not to open documents from unknown sources, have installed and up to date virus protection, we must now be vigilant on just assuming every e-mail is real.
Just as the fraud where you get an e-mail from someone who is on vacation, is mugged and left penniless asking that you send money to a Western Union address, you need to sit back and think about the contents of requests that just seem wrong.
Think about it, does the IRS call you saying that you owe money and ask for payment over the phone? No, the IRS would never call you. They send regular US Mail. You can independently verify the letter by calling the IRS directly (if in doubt, do not use the telephone number they provided on the letter).
Today, the term caveat lector should become as popular as caveat emptor. Let the reader beware!