Columnist Nigel Harra, Senior Partner, BDO Northern Ireland
Keeping pace with payment fraud
BDO’s Nigel Harra reflects on how the business community can prevent, detect and respond to fraud.
Increasingly, Finance Directors and their Finance teams will have built up considerable knowledge of the fraud risks to their business and of the key controls that need to be in place to prevent, detect and respond to fraud. Fraudulent activity is constantly evolving and becoming ever more sophisticated as fraudsters look to exploit weaknesses in payment processes and to encourage individuals within the business to depart from the control framework.

Current payment fraud techniques
Payment fraud investigations undertaken by BDO recently indicate that the vulnerability of payment process controls is being actively targeted by fraudsters. In particular, there is widespread use of social engineering techniques to obtain information about the target organisation and its suppliers in an attempt to build trust with the employees who are to be duped. Firstly, research is undertaken by fraudsters using information readily available on the Internet. Company websites or a simple Google search can often provide information about senior management team members, their contact details and email addresses. Social media applications such as LinkedIn enable the members of the Purchasing team and the Finance team of each organisation to be easily identified. Following on from the research, the fraudsters can then send phishing emails to employees of the supplier with a view to obtaining the template of an official email from that organisation. All that is needed is for one employee to respond and the fraudsters have an exact copy of a plausible email template. Using a fake email ID, the fraudsters then use this template to contact the Accounts Payable team of the target company through a series of emails.

Without careful review, these emails appear genuine, since they mirror the correct supplier company email format and the sender appears to be a bona fide employee. At this stage the email content is aimed at collecting useful information about the organisation’s supplier payment processes, obtaining copies of recent invoices and building trust with the employee. Once sufficient information has been collected, the fraud attempt begins with a request for details of the process to change supplier bank account details. This has proved successful in many cases and is just one way in which fraudsters can cause significant damage.

Payment process control vulnerability
Payment processes rely on two principal controls. Firstly, the payee bank account details, and any subsequent changes to them, need to be verified and accurately recorded. Payment approval must then be provided by at least one authorised individual. The primary focus of the payment approval control is to confirm that the transaction is within budget and is undertaken on behalf of the business only by those authorised to do so. Those performing this control will expect the payee details to have already been checked. Fraudsters look to exploit this by inducing changes to the payee (supplier) bank account details without proper verification. Weaknesses in control over supplier bank account details therefore leave a business very exposed.

How should Finance Directors respond?
To implement an effective anti-fraud control framework and prevent the fraud techniques outlined above from succeeding, Finance Directors need to ensure that they keep up to date with current fraud techniques and trends. Good sources of information include Action Fraud (the UK’s national fraud reporting centre), UK Finance (the trade association for UK banking and financial services) and CIFAS (the UK fraud prevention service). Other useful resources are the reports and newsletters on fraud matters that are freely available from accountancy and fraud professionals. Regular reviews of payment process controls are essential. The testing approach to these important reviews needs to be updated each time they are undertaken to ensure that current fraud techniques and scenarios are considered. Needless to say, controls over changes to supplier bank account details must be tested in depth and the potential for them being bypassed evaluated carefully. Finally, Finance Directors should look at the training of the Finance teams, the first line of defence against fraud. If it does not already, team training should include updates on fraud trends and the approaches favoured by fraudsters, including social engineering techniques and key risk points such as summer holidays, when more experienced team members may be on leave. In view of their expertise, Finance Directors may consider providing this training themselves, raising awareness of fraud risks and the importance of controls and ensuring that the Finance team remains alert to the potential threats. If you would like to discuss anything in this article, do not hesitate to contact the BDO team.
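As an added illustration that is not part of the column, the following Python model encodes the two payment controls the article describes (verified payee bank details, and approval by an authorised individual within budget) as a release gate, and adds one assumed extension: the approver may not be the same person who recorded the bank-detail change. Supplier names, account numbers, approver roles and budgets are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SupplierRecord:
    name: str
    account: str                      # bank account currently held on the supplier master file
    verified_account: Optional[str]   # account last confirmed with the supplier by a known-good channel
    changed_by: Optional[str]         # user who last edited the bank details on the master file

@dataclass
class PaymentRequest:
    supplier: str
    amount: float
    approver: str

# Constructed sample control data (an assumption of this example, not the article's)
AUTHORISED_APPROVERS = {"finance_director", "financial_controller"}
SUPPLIER_BUDGET = {"Acme Ltd": 50_000.0}   # unknown suppliers default to a zero budget

def record_verification(rec: SupplierRecord, account_confirmed_out_of_band: str) -> SupplierRecord:
    """Store the account confirmed by an independent call-back (not a number taken from the email)."""
    rec.verified_account = account_confirmed_out_of_band
    return rec

def release_decision(req: PaymentRequest, rec: SupplierRecord) -> tuple[bool, list[str]]:
    """Return (release, reasons). The payment is released only when every control holds."""
    reasons = []
    if req.approver not in AUTHORISED_APPROVERS:
        reasons.append("approver is not an authorised individual")
    if req.amount > SUPPLIER_BUDGET.get(req.supplier, 0.0):
        reasons.append("amount exceeds the supplier budget")
    # The approval control must not assume the payee details were checked: confirm it here.
    if rec.verified_account is None or rec.verified_account != rec.account:
        reasons.append("bank details on the master file have not been verified")
    if rec.changed_by is not None and rec.changed_by == req.approver:
        reasons.append("approver also recorded the bank detail change")
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed scenario: a clerk changed Acme's account after an emailed request; nobody verified it.
    acme = SupplierRecord("Acme Ltd", "99-99-99 87654321", "11-22-33 12345678", "ap_clerk")
    req = PaymentRequest("Acme Ltd", 12_000.0, "finance_director")
    print(release_decision(req, acme))          # blocked: unverified change
    record_verification(acme, "11-22-33 12345678")
    print(release_decision(req, acme))          # still blocked: master file differs from verified account
```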