Scenario: Your organisation receives a phone call from an entity claiming to be a well-known professional organisation. The person on the phone claims that the membership fees for the CEO are outstanding and if not paid by close of business that day, the membership will be cancelled. As a consequence, the invoice is immediately paid using a company credit card.
Although your organisation does not know it (yet), you have become a victim of a modern day fraud using a false invoice. How did this happen?
The fraudster most likely researched your Company’s CEO on LinkedIn to understand their background and professional memberships. Using tools / applications that are readily available, it is easy to prepare a false invoice using the professional organisations logo and legitimate business details.
This was combined with a telephone call to make the interaction more personal. The person on the phone conveyed legitimate concern that they didn’t want the membership to lapse, particularly for someone so important, and created urgency. It also resulted in normal processes being by-passed. This is commonly referred to as Social Engineering.
What are some common indicators to look out for?
- Phone calls being received chasing payment on overdue invoices and an environment of urgency to pay is created.
- Invoices in round dollar values, where there is no purchase order (PO), or multiple invoices / payments in the same period for a particular organisation.
- Invoiced items / services / goods that no one is aware of, or cannot be located. Invoices where discrepancies exist.
- An increasing number of urgent / emergency payments being performed by your organisation.
How do you prevent this from happening to your organisation?
Preventing fraud can be a daunting task and the reality is that organisations are unlikely to be able to fully mitigate fraud risk. However, the steps outlined below have been proven to help reduce the risk of fraud:
- Tone at the top: Organisational leaders need to set clear direction in relation to increasing fraud risk awareness.
- Policies and procedures: Organisations need to set clear procurement rules so that staff understand the requirements (e.g. use of credit cards, processing of urgent payments).
- Risk register: Business process risks, including fraud risk, should be evaluated on a regular basis.
- Exception Reporting: Regular review over higher risk transactions will support the identification of fraud, allowing Management to take corrective action.
- Training: Fraud awareness training needs to be provided to all staff on a regular basis. This should focus on keeping staff informed of new fraud trends and tactics and how these can be avoided
- Vendor and customer vetting: Undertake checks to ensure vendors / customers are legitimate. Before changes are made to addresses and bank accounts- check the change with the vendor / customer (using details obtained from the master file).
- Strict processes: Management need to ensure that payment controls are strictly adhered to. Any override or bypassing of controls is a key fraud risk.
- Budget to actual analysis: Financial analysis that explores unbudgeted expenditure can help identify fraudulent costs.
The example presented above may seem simple and many people may think that a fraud of around $1,000 is not significant; however, the same strategies employed in this example are being used in increasingly complex scams. These scams have resulted in organisations handing over access to their bank accounts or having imposters access their facilities, resulting in the loss of financial assets and intellectual property.
If you think that your organisation is at risk of fraud, or would like to have a deeper conversation in relation to controls that can be implemented to address fraud risk, contact your Findex adviser.