Fight Phishing Fraud with Accounting Controls
Shawn Freeman
MSP & Technology Coach | I help Business Leaders create exponential value at the intersection of business, technology, and people.
Say that fast ten times... We've all heard the story about a friend who owns a company unknowingly sending thousands of dollars to a hacker because they thought the request was legit.
A request appears to come from someone you trust, and you want to act on it because nothing seems unusual. After all, people do change banks, need wire transfers made, ask you to purchase gifts for team members, and so on.
This is Social Engineering. Often it's done by way of a Phishing attack by email, text, or even a phone call. Sometimes it happens after your inbox has been hacked because you didn't have Multi-factor Authentication (MFA) set up.
Our ability to manufacture fraud now exceeds our ability to detect it. - Al Pacino
What can you put in place to prevent this?
When technology isn't enough and you've been tricked into thinking a request is legitimate, there is one more thing you can proactively put in place to help save the day.
Your First Defense: "Security Aware" Team members. Implement a Security Awareness training program in your company. Your people will learn what to look for and how to check whether something is off.
Your Second Defense: Communication. Use an app like Microsoft Teams or Slack for ALL internal communication. If this becomes the standard, an email from a team member asking for anything related to money will immediately stand out as odd.
If you are suspicious about something, this also makes it easier to check in with that person over a secure channel. If the teammate's behaviour still feels odd on Teams, verify in person, since their account could also be compromised. But if you have MFA set up, you can be more confident.
Your Last Defense: Accounting Controls
These can help protect against several types of attacks that involve social engineering and compromised accounts. They used to be a lot easier when everything was on paper.
- Vendor Requests to change Banking Information: An attacker posing as a company vendor sends an email with new bank information, which is then used to misdirect invoice payments.
- Employee Requests to change Payroll details: An attacker posing as an employee sends an email with new bank information, which is then used to misdirect payroll deposits.
- CEO Email Impersonation: An attacker impersonates an executive (most of whom are easy to find on your company website or LinkedIn) and requests an urgent transfer of funds for a confidential matter.
- Similar Domain Name: An attacker purchases a domain name that resembles your legitimate one. For example, if your domain is companyabcinc.com, a hacker could register companyabclnc.com. Notice the lowercase "L" in place of the "I"? Tricky, eh? Even your Security Aware employees wouldn't catch it.
- Email Compromise: An attacker who has hacked into an account sends an email requesting that employees transfer funds for a fake invoice.
- Wire Transfer Approvals: Related to the above, a wire transfer is requested once a hacker has successfully impersonated an executive or compromised an email account.
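The lookalike-domain trick above is exactly the kind of thing a mail filter can catch even when people cannot. As an added example (not from this article), here is a small Python check that collapses commonly confused characters before comparing a sender's domain against your own; the trusted domain, the sample messages and the confusable-character table are all constructed for illustration.

```python
import re

# Single characters that are easy to confuse, mapped to one canonical letter.
# This covers the article's "l instead of I" trick (companyabclnc.com).
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e"})
# Two-character tricks: "rn" read as "m", "vv" read as "w".
PAIRS = [("rn", "m"), ("vv", "w")]

def skeleton(domain: str) -> str:
    """Canonical 'skeleton' of a domain: lookalikes collapse to the same string."""
    d = domain.strip().lower()
    for pair, single in PAIRS:
        d = d.replace(pair, single)
    return d.translate(CONFUSABLES)

def classify_sender(sender: str, trusted_domains) -> str:
    """Classify an email address as trusted, lookalike, external or invalid."""
    if sender.count("@") != 1:
        return "invalid"
    domain = sender.rsplit("@", 1)[1].strip().lower()
    trusted = {t.lower() for t in trusted_domains}
    if domain in trusted:
        return "trusted"
    sk = skeleton(domain)
    labels = set(re.split(r"[.-]", sk))
    for t in trusted:
        tsk = skeleton(t)
        # Whole-domain homoglyph (companyabclnc.com) or the company name reused
        # as one label of a longer domain (companyabcinc-payments.com,
        # companyabcinc.com.evil.test).
        if sk == tsk or tsk.split(".")[0] in labels:
            return "lookalike"
    return "external"

def flag_messages(messages, trusted_domains):
    """Return the senders in a batch of messages that deserve a phone check."""
    return [m["from"] for m in messages
            if classify_sender(m["from"], trusted_domains) == "lookalike"]

# Constructed sample headers (not real mail) to run the check against.
SAMPLE = [
    {"from": "ceo@companyabcinc.com", "subject": "Q3 numbers"},
    {"from": "ceo@companyabclnc.com", "subject": "Urgent wire - confidential"},
    {"from": "billing@companyabcinc-payments.com", "subject": "Updated banking details"},
    {"from": "friend@gmail.com", "subject": "lunch?"},
]
```

This catches homoglyph and name-reuse domains only; a plain typo domain such as companyabcinc.co still comes back as "external", so the phone call remains the backstop.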
So, what Accounting Controls do you need?
You can implement several controls to help protect against fraud that slips through the cracks. Tailor them to your own business and set dollar-amount thresholds in your systems.
When it comes to cash management, you want to ensure that you have strong preventative controls. Preventative controls are designed to prevent errors, inaccuracies, or fraud before they happen, in contrast to detective controls, which are intended to alert you to the existence of errors, inaccuracies, or fraud that has already happened. - Quan Ly of McRally LLP
Tools like Microsoft Forms can make these easy to set up and can automate approvals if your line-of-business application, accounting software, or ERP system can't.
- Authorization verification—validate that users are authorized to request changes to bank or other payment information. Methods include confirming an email request by phone, calling the employee or the authorized vendor representative at the number you already have on record, or requesting physical verification through a voided check. Set up a system to record who is authorized and track each change requested.
- Management approval of changes—a supervisor or manager reviews every change to vendor or employee payroll data in your system. Even if an employee or vendor logs in to your system and makes the change themselves, verify it, because their account could be compromised.
- Change confirmation—a confirmation message is sent to the vendor or employee when a change to bank information is made.
- Two-person approvals—many banking systems support approval workflows requiring two or more people for vendor account changes, transfers, and wires. Make sure your banking system does, and implement them. Also make sure you have a backup workflow in case someone is on vacation.
- Use the Phone—an easy-to-implement control for small businesses is to require that changes to banking or payroll details, requests for payment, changes to contracts, and any other financial matters be confirmed over the phone. Phone calls are best made by someone in the company who is familiar with the contact person.
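To show how these controls fit together as rules rather than good intentions, here is an added Python example (not from this article, and not any accounting product's code) that models a vendor bank-change request and refuses to apply it until the callback went to the number on file, two people other than the requester and the caller have approved, and a confirmation is sent to the contact already on record. Vendor details, names and account numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

REQUIRED_APPROVALS = 2   # two-person approval, as in the banking workflows above

@dataclass
class VendorRecord:
    vendor_id: str
    contact_phone: str      # number recorded when the vendor was onboarded
    contact_email: str
    bank_account: str

@dataclass
class BankChangeRequest:
    vendor_id: str
    new_bank_account: str
    requested_by: str                           # employee who keyed in the request
    callback_verified_by: Optional[str] = None  # employee who phoned the vendor
    approvals: List[str] = field(default_factory=list)

def record_callback(req, vendor, employee, number_dialed):
    """Authorization verification: the call must go to the number on file,
    never to a number supplied in the (possibly forged) email."""
    if number_dialed != vendor.contact_phone:
        raise ValueError("callback must use the phone number already on file")
    req.callback_verified_by = employee

def approve(req, manager):
    """Management / two-person approval with separation of duties."""
    if manager in (req.requested_by, req.callback_verified_by, *req.approvals):
        raise ValueError(f"{manager} already touched this request and cannot approve it")
    req.approvals.append(manager)

def apply_change(req, vendor):
    """Apply only when every control is satisfied; returns the change
    confirmation addressed to the contact on file, not to the requester."""
    if req.vendor_id != vendor.vendor_id:
        raise ValueError("request does not match vendor record")
    if req.callback_verified_by is None:
        raise PermissionError("no phone verification recorded")
    if len(req.approvals) < REQUIRED_APPROVALS:
        raise PermissionError(f"needs {REQUIRED_APPROVALS} approvers")
    old, vendor.bank_account = vendor.bank_account, req.new_bank_account
    return (f"To {vendor.contact_email}: bank account ending {old[-4:]} "
            f"replaced by account ending {vendor.bank_account[-4:]}")

def rejected(action, *args) -> bool:
    """True when a control blocks the action (handy for showing what fails)."""
    try:
        action(*args)
    except (ValueError, PermissionError):
        return True
    return False
```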
Do you have Accounting Controls in place?
If so, excellent. If you don't know, please find out.
Please share this so we can all keep one another safe and secure as we adapt to working remotely for a little while.
Stay safe out there!
CFO | Tax Specialist | FP&A Advisor | Guitar Aficionado
4 years ago
I think it's always critical to also understand the difference between detective and preventative controls. Using Bill Kimball's example, the access controls in Xero are preventative, in that they will stop a problem before it occurs. The dashboards are detective in that they may show someone who is paying attention a problem, but only after it happened. Both are useful, but wherever possible preventative controls should be implemented to stop a problem before it even starts.
MSP & Technology Coach | I help Business Leaders create exponential value at the intersection of business, technology, and people.
4 years ago
Bill Kimball, does Xero have any resources on how to implement controls in the app itself?
CEO Performance Coach | Performance Psych Nerd supporting CEOs and their Leaders | Retreat Facilitator, Event Speaker | Crayola Ninja | Ultra Runner | TEDx Speaker | Veteran
4 years ago
Wise and timely advice, Shawn Freeman.
MSP & Technology Coach | I help Business Leaders create exponential value at the intersection of business, technology, and people.
4 years ago
Kenneth Lin, CA, did I miss anything? Do you help customers implement these?