Time for accounts payable to raise its game against cyber crime
In the wake of the Optus hack, there are straightforward steps every business should take to guard against online attacks.
In today’s age of online commerce and digital financial networks, companies are struggling to prevent financial fraud. In Australia alone, cyber crime costs businesses over $1 billion every year and rising.
If you’re a CFO or finance director, there are reasons for concern. Today’s cyber criminals are getting smarter by the day. They’re increasingly targeting their efforts at finance officers and their accounts payable team because of their ready access to critical payment processes and information.
Cyber criminals also continually evolve their methods and tactics. They’re using the latest technological tools and they’ve realised humans are the weakest link in security. They are turning to social engineering techniques to trick members of your accounts payable team into assisting in fraud without even knowing it.
This shift in tactics means you can no longer afford to see financial fraud prevention as an IT problem or something that can just be protected against using the best software or firewalls. You and your accounts payable team are now on the frontlines of defence, whether you like it or not.
“I’ve seen so many companies in Australia who say, ‘We’re not compromised, we’re OK, we have a firewall.’ And I say, ‘So you’re monitoring, you’re actually looking for indicators of a compromise?’ And they say, ‘No, but we have antivirus and I’m sure if we get compromised, we’ll start getting alerts from that.’ That’s not how it works.” – Charles Widdis, cyber security expert
But it’s not all doom and gloom. By implementing a comprehensive set of internal accounts payable controls, you can effectively defend against fraud and keep even the most sophisticated fraudsters at bay.
Here’s a guide to getting started.
Create a counter-fraud culture
The companies most successful at preventing fraud have buy-in at the top and an organisation-wide awareness of fraud that’s especially robust in the finance and accounting departments.
There is a recognition within these organisations that while finding fraud can lead to negative attention, failing to prevent, detect or respond to fraud is usually far worse.
There is also an acceptance that the absence of fraud doesn’t mean it isn’t happening, and that fraud cannot always be prevented.
Together, these core understandings have a significant impact. They enable the discovery of fraud to be viewed positively instead of negatively, eliminating the stigma associated with finding fraud and increasing the likelihood that employees will report suspicious incidents.
When building a robust counter-fraud culture, you first need to assess your company’s counter-fraud maturity. The Commonwealth Fraud Prevention Centre has a range of guides to help.
Once you’ve established where you stand, find activities to engage employees and drive change. The Commonwealth Fraud Prevention Centre provides practical example activities to follow.
Social engineering scams
Statistics show cyber criminals frequently impersonate trusted parties to trick employees into creating fraudulent payments. This might be a CFO, chief executive, or vendor in fake or compromised emails to convince employees to send money to bank accounts controlled by the criminals.
But social engineering scams can appear in various forms. A scam could be disguised to look like someone from within your organisation requesting that you click on a link or make banking information changes. They can seem to be an innocent email from a supplier requesting a bank account change or an email from a seemingly credible organisation with a link.
In a case that gained attention in recent years, cyber criminals successfully posed as the CEO and COO of a business. They sent a spoof email, purporting to be from the CEO, requesting a large payment be made by the company’s financial controller.
A second email, claiming to be from the COO, was then sent to the financial controller containing a false email trail approving the CEO’s request for payment. Failing to realise the request was a scam, the business made two payments to the cyber criminal’s overseas bank accounts, totalling approximately US$500,000.
In an even more severe scam the CFO and CEO of FACC, an Austrian supplier of parts to Airbus and Boeing, were targeted. The company lost nearly $87 million to a cyber criminal who tricked an accounting employee into transferring money to a foreign bank account for a fake purchase.
Training your employees to recognise potential scams like these is essential. But, it’s not enough. It is also necessary to develop a robust call-back process that requires employees to authenticate a payment request before sending funds.
Segregate duties
It can be challenging to imagine someone you work with can commit a crime. But often, it’s long-time employees with privileged and trusted access to sensitive duties who are the perpetrators of fraud.
Segregating duties is a simple but effective accounts payable control that can help prevent employees with malicious intent from defrauding your organisation. By segregating duties, no single employee can use their access and control to perpetrate fraud in the ordinary course of their responsibilities.
To be most effective, no employee should control multiple aspects of the accounting process, no matter how long they have been employed. Segregate the following duties:
- custody of assets
- Record-keeping or bookkeeping
- Authorisation
- Reconciliation
Here are a couple of examples:
- An employee who sends payments should not also be responsible for verifying payments.
- An employee responsible for bank reconciliation should not handle unclaimed property reporting or be a signer on a bank account.
- An employee who is a cheque signer should not also authorise an invoice for payment on accounts on which they are also a signer.
Approval authority requirements
The purpose of the approval authority process is to prevent unauthorised, fraudulent purchases and stop employees from mistakenly making a payment to a scammer.
By requiring specific managers’ approval to authorise certain types of transactions, businesses can ensure all outgoing payments have been assessed and approved by the right person in your organisation.
The approver can check everything is in order by two or three-way approval. Two-way approval matches an invoice with a purchase order. Three-way approval goes a step further, comparing an invoice with a purchase order and the received quantities of goods or services.
Password hygiene
As fraud threats have increased, companies have started requiring longer and more complex passwords. But this has had an unexpected impact.
With individuals accessing more and more digital applications, company systems are getting compromised because passwords get written down, stored in vulnerable places, and reused to remember them. According to a recent LastPass poll of 3,250 individuals, 66 per cent said that they mostly or always used the same password everywhere (personal and work).
For this reason, high standards of password hygiene should be mandatory. Every employee should be required to use long, complex and unique passwords for each separate application or system they use. They should also be required to use a reputable password manager that stores encrypted passwords to avoid passwords being written down.
Additionally, and where possible, multifactor authentication should also be implemented for all applications, including email.
Software tools
Using the best spam filters and anti-virus software remains an integral part of any organisation’s fight against cyber crime. But these tools cannot protect from insider scams or social engineering scams like business email compromise, which is the fastest growing type of cyber crime.
It’s critical to build a strong counter-fraud culture, commit to ongoing fraud awareness and social engineering training, and implement proper internal accounts payable policies and procedures.
However, these controls will not be enough to protect you from savvy insider and social engineering scams. After all, they all rely on people who are susceptible to human error.
Gerard Mondaca is community security manager at Eftsure.