Sep 21, 2023
Protecting Your Organization from Invoice Scams and Cyber-fraud
Brenda R. Smyth, Supervisor of Content Creation
Invoice fraud is nothing new. But fraudsters are clever and internal controls are critical to keep accounts payable a step ahead of criminals.
The high volume of invoices an organization receives can make scrutinizing the legitimacy of every bill seem impractical. When a trusted vendor unexpectedly emails to give you new routing information for their bank, would you check? When the CEO emails with instructions to wire money for a project you know is just getting off the ground, do you methodically comply? How much grace do you give when bills are unpaid past 30 days?
Even though accounting and banking are highly regulated industries, scores of organizations – big and small – have been duped in the past by unknown cybercriminals as well as trusted colleagues with the latest and greatest trickery. It’s estimated that middle market businesses lose almost $300,000 annually through accounts payable fraud such as these:
- Phishing emails. In 2014, Scoular Co, a U.S. grain trading and handling firm, was swindled out of more than $17 million through an international email scheme. Hackers accessed the CEO’s email address and gave the controller instructions to pay a company in China (where they were expanding). Everything looked legit – even suggestions for verifying the request – and the money was wired.
- Fake company billing schemes. In 2002, a CPA for Kia Motors America embezzled almost a million dollars from her employer. She set up a fictitious business, with a name resembling the U.S. Customs Service, along with a bank account, and proceeded to send invoices to and receive payments from her employer until being caught in 2006.
Safeguards to protect your organization from accounts payable fraud
Local news stations regularly warn consumers about the latest scams, recommending vigilance. But there’s less chatter about the scammers attempting to trick businesses every day with payment cons. The best way to protect your organization is through dual authentication, advises SkillPath controller Diana Edgecomb. Edgecomb is a licensed CPA, has a Master of Science in Accounting and has worked as a corporate controller since 2014. She suggests “trust but verify” as standard operating procedure.
Here are some basic suggestions:
- Have internal controls in place so that a second set of eyes periodically reviews the processes of everyone in accounting. When someone takes a vacation, another individual temporarily rotates into that job.
- Always verify banking information changes, preferably with a phone call. Letterhead used to be enough, but now even that is easily replicated. Regular contact with vendors also helps.
- Wire transfers should involve two people – one who enters the information, another who verifies it. Use special care with international wires because there’s usually little recourse once money goes overseas.
- Use two-way matching so every invoice is matched to the purchase order, to avoid double-paying or paying inflated invoices.
- Stay on top of accounts receivable. Allowing outstanding payments past 30 days means it will take you longer to find out about fraud. A company may think they paid you, and you (or they) won’t know you have been hacked until you make that contact.
Invoice fraud offers a big bang for the buck to cybercriminals. These crooks are counting on an organization’s high invoice volume to hide their attacks. They know you’re busy, and they want to trick you into thinking that you’re getting an email or invoice from someone you know and that you’re wiring money to an authorized bank account. As always, vigilance is more important than ever.
Brenda Smyth is supervisor of content creation at SkillPath. Drawing from 20-plus years of business and management experience, her writings have appeared on Forbes.com, Entrepreneur.com and Training Industry Magazine.