Be Cautious About Modifying Bank Accounts on Short Notice
By: Christian Spencer, Partner
“An ounce of prevention is worth a pound of cure.” This common expression was introduced by Benjamin Franklin when he penned a short essay on addressing fire safety. The basic premise is that taking the steps to prevent a house fire is far less costly than the ramifications of a house fire, financially and, more importantly, in terms of life and safety. This phrase can be applied to many other life events, including health and fitness, car maintenance, and employee training. Committing to an exercise routine and a healthy diet is known to prevent the discomfort and costs of becoming sick. Preventative maintenance on your car mitigates the risk of having your car unexpectedly break down at an inopportune time. Frequent and relevant training helps minimize preventable mistakes by your employees. It is this last point that we want to focus on in today’s ever-changing and increasingly sophisticated social engineering scams.
We are all familiar with spear phishing attacks, where a fraudster provides enough information in his email that it appears to come from the CEO. As a result, the organization bypasses an element of its internal control structure in order to meet the CEO’s request to wire a key vendor a sum of money as quickly as possible. The attacks have now become more sophisticated: the fraudster penetrates the email systems of your vendors and resends you legitimate invoices with requests for expedited payment to a new bank account number. The email appears to come from the vendor but is from the fraudster. In most instances, this is discovered only once the legitimate vendor notifies you that they never received payment. By the time this occurs, the fraudster has taken the money from the fraudulent bank account, which is typically opened using the vendor’s name.
In many cases your crime and cyber insurance policy may cover these types of events; however, it is important to review the details of your insurance policy and specific riders on an annual basis to ensure you have adequate coverage and to note any exceptions to coverage. More important than the reactive step of seeking insurance coverage, though, are the preventative steps of putting in place documented policies and procedures around vendor payments that are openly and frequently discussed within your organization. You can’t prevent your vendors’ information technology systems from being hacked, but you can be accountable for implementing detective and preventative controls around this risk within your organization.
Protect Your Organization
The following are some steps your organization can take in response to this risk:
- Require, without exception, that any changes in bank accounts from your vendors be verified by phone with your primary contact at the vendor prior to payment of funds.
- Once the new bank account has been verified verbally, the organization should make a small payment ($1) to the account and then once again verify with the vendor’s contact that the funds were received.
- Include updates on information technology scams and risks as a standard part of your periodic staff meetings. Have your IT department or vendor participate with examples of the latest methods that fraudsters are using.
- Require all employees to take and pass an annual online training seminar that provides information on how to identify current phishing and other IT schemes. These types of online trainings can be done within 1-2 hours and specialize in making sure that employees understand the mechanisms of spam, phishing, malware, and other social engineering scams so that they can apply this knowledge in their everyday roles at your organization. These programs typically include a series of questions that must be answered correctly in order for the participant to pass the program.
- Consider having “fake” invoices sent to your staff to assess how your training efforts as outlined above are working. Work to get to a zero-error rate in terms of employees falling into the trap of responding to and/or attempting to pay the “fake” vendor.
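The first two steps above (phone verification of any account change, then a $1 test payment confirmed with the vendor before real funds move) can be enforced in an accounts-payable system rather than left to memory. The following is an added illustration written for this article, not code from the author or the firm: a small Python module that tracks a vendor’s bank-account change through the required states and refuses to release a payment to any account that has not completed them. The vendor names, phone numbers and account identifiers are constructed sample values, and the rule that the verification call must be placed to the number captured at onboarding (not to a number supplied in the change request) is this example’s reading of “your primary contact at the vendor.”

```python
"""Vendor bank-account change control (added example).

A real payment may only go to an account that has (1) been confirmed by a
call to the vendor contact already on file and (2) received a $1 test
payment whose receipt the same contact has confirmed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class AccountState(Enum):
    PENDING = "pending"                 # change requested, nothing verified yet
    PHONE_VERIFIED = "phone_verified"   # confirmed by call to the on-file contact
    TEST_SENT = "test_sent"             # $1 test payment issued
    ACTIVE = "active"                   # receipt of the $1 confirmed; account usable


class ControlViolation(Exception):
    """Raised whenever a step is attempted out of order or with the wrong number."""


@dataclass
class Vendor:
    name: str
    contact_phone: str                  # captured at onboarding, never from an email
    active_account: str                 # the only account payments may be sent to
    pending_account: Optional[str] = None
    pending_state: AccountState = AccountState.PENDING
    log: List[str] = field(default_factory=list)


def request_account_change(vendor: Vendor, new_account: str,
                           callback_phone_in_request: str) -> List[str]:
    """Record a requested change and return any red flags for the AP clerk.

    A callback number that differs from the on-file contact is flagged: the
    request may be asking you to 'verify' with the fraudster.
    """
    vendor.pending_account = new_account
    vendor.pending_state = AccountState.PENDING
    flags = []
    if callback_phone_in_request != vendor.contact_phone:
        flags.append("callback number in request differs from on-file contact")
    vendor.log.append(f"change requested -> {new_account}; flags={flags}")
    return flags


def record_phone_verification(vendor: Vendor, phone_dialed: str, confirmed: bool) -> None:
    """Step 1: the call must go to the on-file number and the vendor must confirm."""
    if vendor.pending_account is None:
        raise ControlViolation("no pending account change to verify")
    if phone_dialed != vendor.contact_phone:
        raise ControlViolation("verification call must use the on-file contact number")
    if not confirmed:
        raise ControlViolation("vendor did not confirm the change; treat as fraud attempt")
    vendor.pending_state = AccountState.PHONE_VERIFIED
    vendor.log.append("phone verification recorded")


def send_test_payment(vendor: Vendor) -> Tuple[str, str, float]:
    """Step 2a: issue the $1 test payment, only after phone verification."""
    if vendor.pending_state != AccountState.PHONE_VERIFIED:
        raise ControlViolation("test payment requires prior phone verification")
    vendor.pending_state = AccountState.TEST_SENT
    vendor.log.append("test payment of $1 sent")
    return ("payment", vendor.pending_account, 1.00)


def confirm_test_payment(vendor: Vendor, phone_dialed: str, received: bool) -> None:
    """Step 2b: the vendor confirms receipt of the $1; the account becomes active."""
    if vendor.pending_state != AccountState.TEST_SENT:
        raise ControlViolation("no test payment outstanding")
    if phone_dialed != vendor.contact_phone:
        raise ControlViolation("confirmation call must use the on-file contact number")
    if not received:
        raise ControlViolation("vendor did not receive the $1; do not activate the account")
    vendor.active_account = vendor.pending_account
    vendor.pending_account = None
    vendor.pending_state = AccountState.ACTIVE
    vendor.log.append(f"account {vendor.active_account} activated")


def release_payment(vendor: Vendor, account: str, amount: float) -> Tuple[str, str, float]:
    """The single path to a real payment: the account must be the active one."""
    if account != vendor.active_account:
        raise ControlViolation(f"{account} is not the verified account for {vendor.name}")
    return ("payment", account, amount)


if __name__ == "__main__":
    v = Vendor("Acme Supply (constructed)", "+1-555-0100", "ACCT-OLD")
    print(request_account_change(v, "ACCT-NEW", "+1-555-0199"))
    record_phone_verification(v, "+1-555-0100", confirmed=True)
    print(send_test_payment(v))
    confirm_test_payment(v, "+1-555-0100", received=True)
    print(release_payment(v, "ACCT-NEW", 25000.00))
```

The useful property is that `release_payment` never consults the change request itself: an invoice carrying a new account number cannot be paid until a person has walked the request through both calls, and a call placed to the number printed in the suspicious email is rejected by the control rather than counted as verification.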
With the vast amount of information available on the internet, social engineering fraud is a serious and evolving threat for organizations of all sizes and industries. Consideration and implementation of the above steps should be part of your overall risk assessment and monitoring of internal controls.