What appears to be a routine, everyday task can become a multi-thousand-dollar theft from your company in the blink of an eye. Take Jane, an accounting specialist, who received an email that appeared to be from the company CFO asking her to send a $43,000 payment that same day for an overlooked invoice from a new vendor. The CFO’s email did not contain a copy of the invoice, so Jane replied to the email to request it. Because this payment request was for a new vendor, Jane’s first step should have been out-of-band authentication: picking up the phone and contacting the CFO directly to confirm that the invoice was legitimate.
Unsuspecting, Jane initiated a payment using Automated Clearing House (ACH). Her company had dual controls in place to increase security around the origination of payments. Her coworker Sally, also an accounting specialist, approved the payment Jane had originated, and the payment was sent.
Two days later, the ACH payment was returned to the bank because of incorrect account information at the receiving bank. Jane corrected the payment file and initiated the payment a second time; Sally again approved it as the second approver, and the payment was sent.
Two days after that, the ACH payment was returned once more for incorrect account information at the receiving bank. Again, Jane corrected the payment file and initiated the payment a third time. Sally again approved it as the second approver, and the payment was sent.
During an account reconciliation, the company’s CFO did not recognize the $43,000 ACH payment posted to the account and questioned Jane about it. Suddenly the fraud scheme came to light, as the company discovered it had fallen victim to Business Email Compromise (BEC) fraud. Further investigation revealed that the initial email had not come from the CFO’s actual company email address; the sending address had been crafted to closely resemble the legitimate one.
The CFO contacted the bank to report the fraudulent payment and to ask about recovering the funds. A letter of indemnification for the fraudulent ACH transaction was sent to the receiving bank, requesting a freeze on the receiving account and the return of any available funds. Unfortunately, no funds remained in the account. In the end, the company absorbed a loss of $43,000.
BEC continues to be problematic for many companies. In 2019, according to the Association for Financial Professionals (AFP):
- 75% of companies reported they were victims of BEC fraud
- Payment types most frequently impacted include wire transfers and ACH credits
- Accounts payable departments are the most vulnerable (62%), followed by Treasury (17%)
First Business Bank recommends companies and nonprofit organizations maintain strong internal controls to prevent potential fraud. Seemingly mundane, everyday tasks are far too vulnerable to take for granted.
Mitigants to Consider
- Does your company have current, up-to-date controls in place to prevent fraud?
- Is your staff regularly educated about current fraud trends and trained on what to look for?
- Does your company have proper policies in place for providing appropriate verification for payment requests, changes to existing invoices, contacts, or bank deposit information?
- Does your company require out-of-band authentication when a payment request from a new vendor or a change in payment instructions is received?
- Does your company request confirmation for transfer of funds by completing a call-back to an authorized person?