Dear company please send me money...


If you have arrived here, there is a chance that the request in my title attracted your attention. Naive? Maybe it looks that way, but it is extremely effective (not that I would try :)). During training on transaction security for financial departments, I often repeat that the easiest way to steal money is to just ask for it. Of course, the trick is in the way you make the request. One of my favorite stories is one of the first cases of a fraud that almost all of us now face.

"Mother of all scams"

It was a nice morning in early spring 1995 when the fax machine in the office of Nelson Sakaguchi, an investment banker at Banco Noroeste, confirmed receipt of a new message. Mr Sakaguchi looked at the newly printed message. His attention was drawn by the sender: Tafida Williams, Director of the budget and planning office at the Nigerian Ministry of Aviation. The message was a business inquiry connected to new development plans in Nigeria. In 1995 the Nigerian government decided to move the capital to a newly built city, Abuja. Like every capital city, it needed a new airport. That was the context of the message sent to Banco Noroeste: financing of the construction works, estimated at 35M USD. Mr Sakaguchi started researching the subject and found that it might actually be a great investment for his firm, as an airport for a new capital city sounds profitable.

[Image: Nelson Sakaguchi]

After an exchange of a number of faxes (e-mail was not known in those days), Mr Sakaguchi decided that such a contract required a meeting in person with representatives of the Nigerian government. The meeting was organized in a distinguished hotel in London. Mr Sakaguchi met with Mr Paul Ogwuma, Governor of the Bank of Nigeria. The gentlemen agreed on contract details that would bring Banco Noroeste a fat commission of 10M USD. The first tranche of the investment was immediately paid to accounts given by the Nigerian government. By 1998, additional tranches totaling 191M USD (with outstanding interest, as much as 241M USD) had been transferred to the Nigerian officials.

[Image: Emmanuel Nwude aka Paul Ogwuma]

The problem was that Mr Ogwuma was not who he was taken for. He was actually Emmanuel Nwude, a former Director of Union Bank in Nigeria and a high-stakes scammer, known for the highest single scam (beaten by Qusay Hussein's National Bank of Iraq raid in 2003 and Nick Leeson's fraud leading to the collapse of Barings Bank).

The interesting part of the story above is the tool used: a fax machine (many of you may not even recall it, but in 1995 it was state-of-the-art communication technology). The story shows that even with such a simple tool, a good setup, a convincing story and the right timing are the most powerful tools in the scam industry.

Although more than 25 years have passed since this event, the scheme behind this type of fraud has not changed significantly. It is still used today, albeit in different variations. Technology, by reducing the cost of communication, has meant that this type of activity now also affects private individuals, but companies are still the focus of fraudsters. Companies have incomparably greater financial resources than the average individual client. This makes companies "more interesting" targets for scams, especially as their financial processes are dispersed and therefore susceptible to external influence. It is worth noting that the vast majority of successful attacks use social engineering techniques that manipulate the company's employees into doing the criminal's work for him and making the transfer in good faith. Who among us (privately or in business) has not received an invoice or a request for payment from a well-known company indicating a new account number? Viewed from the side, the whole procedure looks "sewn with thick threads", but the reports of further successful attempts show the strength of simple solutions.

A fabricated invoice - what next?

The most effective form, although the simplest, is to change the contractor's data in the company's system through the action of a person on the "inside". Despite extensive control mechanisms, a dishonest employee may make changes to ERP systems or transaction files. Such changes are extremely difficult to spot when authorizing orders (I do not delude myself that, when authorizing 100 transactions, we verify the correctness of each account; solutions supporting this exist but are rarely used). More often, criminals target the employees responsible for managing the database of contractors or invoices. Sending a prepared document, a phone call from a "contractor" or an urgent order from "top management" can be extremely effective.

There are many solutions on the market to counteract these practices. Of course, education is one of the main activities. Training and building awareness bring benefits not only on corporate ground, but also make life difficult for thieves who attack us privately. Can we do more? Of course! Companies dealing with transaction services are constantly looking for "something else" that will help secure the company's finances (as well as personal ones). Creating bank account "blacklists" within an organization or bank is one of the directions. When the ERP system or the bank's system identifies a transaction directed to an account on such a list, it triggers a process of additional data confirmation.

(Awareness) cloud as a solution?

Can you go a step further? In the era of widespread use of distributed ledgers, an interesting direction seems to be the use of "mass knowledge" dispersed across organizations. Simply put, if I can check whether someone on the market has already made payments to a given company using a given account, the chances of unknowingly transferring funds to a fraudster decrease. Today's technology makes it possible to verify such information without revealing its content. Companies can use this knowledge without disclosing information about their contractors. As a result, each payment, at the stage of registration or submission for execution, can be checked for the correctness of the bank account to which the funds are transferred. The existence "on the market" of a given account related to a given counterparty, the absence of changes to the account data held by others and, above all, the execution of transactions "on the market" to a given account will definitely increase the transaction scoring. This approach is extremely effective in fighting "cuckoo's eggs" in settlements. The "crowd wisdom" element adds a new dimension here. Do such solutions exist? Of course! More details in the next article.
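
The blacklist check and the "market knowledge" scoring described above, as an added example that is not from the article or from any product it alludes to: members share only keyed hashes of accounts and of counterparty/account pairs, so nobody discloses its contractor list. The HMAC construction, the key, the score weights and thresholds, and all vendor ids and account numbers are assumptions constructed for illustration.

```python
import hashlib
import hmac

CONSORTIUM_KEY = b"constructed-demo-key"  # assumption: secret shared by registry members

def _tok(value: str) -> str:
    # Keyed hash: account numbers are low-entropy, so a plain hash could be brute-forced.
    return hmac.new(CONSORTIUM_KEY, value.encode(), hashlib.sha256).hexdigest()

def norm_iban(iban: str) -> str:
    return "".join(iban.split()).upper()

def account_token(iban: str) -> str:
    return _tok(norm_iban(iban))

def pair_token(vendor_id: str, iban: str) -> str:
    return _tok(f"{vendor_id.strip().upper()}|{norm_iban(iban)}")

def screen(payment, vendor_master, blacklist, market):
    """Return (decision, score, reasons) for one payment dict."""
    vendor, iban = payment["vendor_id"], payment["iban"]
    if account_token(iban) in blacklist:
        return "HOLD", 0, ["account is on the blacklist"]
    score, reasons = 50, []
    on_file = vendor_master.get(vendor)
    if on_file is None or norm_iban(on_file) != norm_iban(iban):
        score -= 30
        reasons.append("account differs from vendor master")
    seen = market.get(pair_token(vendor, iban), 0)  # members that paid this pair
    if seen >= 2:
        score += 40
        reasons.append(f"pair paid by {seen} other members")
    elif seen == 0:
        score -= 20
        reasons.append("pair never seen on the market")
    return ("RELEASE" if score >= 60 else "CONFIRM"), score, reasons

# Constructed sample data: fake vendor ids and IBAN-shaped strings.
GOOD = "PL00 0000 0000 0000 0000 0000 0001"
NEW = "PL00 0000 0000 0000 0000 0000 0999"
BAD = "PL00 0000 0000 0000 0000 0000 0666"
VENDOR_MASTER = {"V001": GOOD}
BLACKLIST = {account_token(BAD)}
MARKET = {pair_token("V001", GOOD): 5}
BATCH = [{"vendor_id": "V001", "iban": GOOD.lower().replace(" ", "")},
         {"vendor_id": "V001", "iban": NEW},
         {"vendor_id": "V002", "iban": BAD}]

def screen_batch():
    return [screen(p, VENDOR_MASTER, BLACKLIST, MARKET) for p in BATCH]

if __name__ == "__main__":
    for payment, result in zip(BATCH, screen_batch()):
        print(payment["vendor_id"], payment["iban"], "->", result)
```

A "CONFIRM" result stands for the additional data confirmation step; the second payment, an invoice with a new account number for a known vendor, is the case that lands there.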


More articles by Konrad Dudek
