Fraudsters are as creative as ever. Recently, I was told a story of fraud that resulted in more than $750,000 being paid to some very resourceful bad guys. You wouldn’t think this scheme could be successful with controls that are in place, but this one had a twist. This case didn’t happen due to the current environment (COVID-19) – it could’ve happened anywhere, at any time, to any organization. This is a story that I believe everyone can benefit from.
A few months back, a supplier’s entire network, including their ERP system, was compromised by hackers. They didn’t hold it for ransom or share salacious emails with the tabloids. What they did was quietly download customer and transaction information, being careful to not raise any flags.
The fraudsters then sent out emails to the supplier’s customers targeting Accounts Payable, asking simple questions about open invoices. They posed as the supplier’s Controller and utilized the company’s email so no one would suspect anything was awry. Accounts Payable received an email that appeared to originate from the supplier’s Controller asking questions such as “I see this invoice is due, have you paid it yet?” and “Do you need copies of these invoices?”
A New Spin on a Known AP Fraud Scheme
Once the fraudster established an ongoing conversation with the Accounts Payable department, they simply asked for the banking information to be changed. Due to repeated email conversations with the same person, a level of trust was formed, and the change was made without hesitation. Keep in mind, processes were in place to avoid this exact type of fraud, but because valid information was flowing from someone thought to be a legitimate person at the supplier, someone let their guard down.
The result was that banking information was changed as directed by the fraudster posing as the Controller. Multiple payments were made via ACH over the course of several months, at a cost of $750,000! Quite possibly this went unnoticed for as long as it did because the change occurred pre-COVID-19 and during the adaptation to the remote working environment.
We all have relationships with our vendors, sometimes exclusively over email, so no one is immune. We must be diligent and follow all established protocols, even if we are sure we are communicating with a trusted source. These internal controls are designed not only to provide checks and balances, but also to protect against fraud. Circumventing these controls, or working around them, leaves the company exposed to huge financial losses.
Vigilance is Required
As our defenses get better, so will the fraudsters’ scams. Bad actors look for ways to exploit vulnerabilities in processes. They work very hard to penetrate companies from all angles; they are smart, and they are clever. They create complex schemes to facilitate fraudulent activity. They will run the same scam thousands of times looking for that big payday. Many of the schemes include influencing people to work around internal controls by developing relationships, threatening to put the company on credit hold, and, currently in the COVID-19 work environment, capitalizing on the remote worker.
Regular communication with your team and with your peers at other companies (through trade and other associations) will help to reinforce the controls in place and keep everyone mindful of the endless potential for fraud. Share your experiences and learn from others; some have learned the hard way. Work with your teams and corporate partners to share experiences and to maintain awareness of potentially fraudulent activities.
Most of all, abide by your established internal controls. Fraudsters succeed when the process is bypassed. Adhering to processes might be inconvenient, or you might not want to offend someone, but you are quite possibly the last line of defense in the fight against fraud.
While this scheme was very complex in its execution, an Accounts Payable Recovery Audit can identify process breakdowns (workarounds) that could be costing your organization millions of dollars.