Contributed by: Scott Kerkhof
Phishing and accounts payable scams are on the rise, and emails come in daily that are attempting to take your money. This is the world that we currently live in, and aside from being vigilant, mistakes can still happen.
One example of an unnecessary mistake happened to one of our clients. The internal accounts payable team received an email, which was created to originate from a law firm and then sent to the CEO. This was then forwarded from a convincing but fictitious CEO email account, noting that the payment was approved and that it could be paid immediately. Unfortunately, the accounts payable team processed the payment the same day. The payment was then approved by those with signing authorization and the funds were sent to the fictitious vendor. The funds have not yet been recovered, with no indication that they will be.
Ouch.
There were 3 red flags that should be on your radar that should be considered when these types of emails are received:
Is the email address legitimate? Check to see if the email address (rather than the “sender name”) is correct, as in this case the details showed that it was coming from an external email address and not from the actual CEO. The email signature often also looks slightly different than the normal one the contact normally uses.
Are the payment terms within your regular payment terms and practices? In this case, there was a request for immediate payment when normally bills are received, and then paid by their due date.
Is the invoice from an entity that is a regular or prior vendor to the company? In this case it was from a new vendor that had never been used before.
To further protect yourself in these situations, it is recommended that the following 5 controls be put into place:
Invoice Approval: Invoices received should be forwarded to those with appropriate approval status directly (not via reply) to verify that the invoice is expected, and that the amounts are in line with expectation before they are submitted for payment.
New Vendor Forms: A new vendor form should be created and filled out and reviewed and approved by those with appropriate authority, with the details of the vendor and the specifics of the services or goods they provide.
Payment Approval Review: Once the payment has been submitted for approval, those with signing authority should review the related invoice first to ensure that they know what the expense is for and who it is being paid to, and secondly to ensure that the amounts for payment are correct.
Confirm unusual changes: Call the sender to verify legitimacy of a change in bank account, email address, etc. Search for the business’ phone number online rather than the phone number in the email.
Trust your instincts if something is off: These types of emails often feel the slightest bit strange or confusing. Listen to your inner voice and question it. You will never regret double checking on something that is a legitimate transaction.