Fraudsters Today Part One: Six of the Most Common Fraud Types

It’s no surprise that fraudsters are actively trying to infiltrate networks at an alarming rate. It’s common for fraud and cybersecurity attacks to increase during times of change in an organization and attempt to prey on the people most impacted by those changes. The first part of this series focuses on some of the most common types of fraud we’re seeing affect our clients today, along with tips and tools to help stop fraudsters in their tracks.

 
1. Business Email Compromise (BEC)

A finance director clicked on a link within an email from an unknown travel website, which unknowingly exposed the company’s network to an outside attack. The fraudster was then able to infiltrate the secure company network with malware and gain access to the email account of the victim. Using the victim’s account, the fraudster sent an email to treasury asking for an urgent wire transfer to the fraudster’s account. Since it was a real email address, the employee who received the request had no way of knowing it was fraudulent and processed the fraudulent wire transfer to help the finance director complete this “urgent request.

Prevention Tips

• Training: Ensure your staff is properly trained to recognize the signs of an attack, most notably phishing schemes, and to understand what steps to take.

• Be cautious: Take precautions when posting information online or to social media about senior staff on vacation or away from the office, including the CEO or CFO.

• Verify: Implement a twostep verification process for wire transfer payments, and consider making the approver someone with authority, like a director or a vice president.

Prevention Tools

• Protect: Ensure all software, including antivirus programs, is upto-date on all computers and servers.

• Flag external emails: Make sure that incoming emails received from external addresses are flagged as external. This adds an extra layer of security with a visible indicator to employees.

• Keep inboxes secure: Avoid using free webbased email platforms. They normally have fewer security features and are easier to hack. What’s more, block employee access to personal emails from work devices. 

2. Coronavirus Phishing Scam

A company was in the process of applying for government relief assistance due to the closure of their store resulting from COVID-19 stay-at-home orders. While waiting to hear if the request had been approved, the COO who filed the paperwork received an email that appeared to be from the government office she filed with asking to verify the information she submitted, which included private information about the company and its owners.

This immediately raised a red flag that this was a suspicious request as she knows that the government office only communicates by mail, not by email. She deleted the email and blocked the sender.

Prevention Tips

• Be aware: Watch out for communications attempting to collect detailed information via email, text or websites.

• Do not click: Avoid clicking on links from email senders you do not recognize.

• Red flags: Pay attention to typos and domain name errors.

Prevention Tools

• Use computer security software: Set the software to update automatically to protect against new security threats.

• Set mobile phone software to update automatically: These updates could give you critical protection against security threats.

• Back up your data: Make sure the backups aren’t connected to your network.

3. Electronic Payments Fraud

An accounts payable associate received an email from a customer asking for a reimbursement after overpaying for an item. The associate reviewed the order and verified that the customer did indeed overpay. To keep the customer satisfied, the associate set up a transaction to process a refund for the surplus but failed to wait for the client’s payment to clear in the company account before issuing the refund. Because the transaction was executed with fraudulent information, she processed a refund without ever receiving funds from the client in the first place.

Prevention Tips

• Verify requests for electronic payments: Use a phone number already on file or known to be genuine.

• Ask authentication questions: Ensure that your customer service team asks authentication questions to verify the identity of the caller to avoid serviceassisted payment requests.

• Separate the duties of payment creation and approval: One person enters the payment details and another OK’s the payment’s release.

• Ensure payments match invoice amounts: Do not accept payments above what you are charging.

Prevention Tools

• Monitor payments in realtime: This could help detect suspicious activity, such as ACH alerts.

• Implement 3D secure: Verify the identity of the customer making the payment.

4. Invoice Fraud

An accounts payable manager received an urgent request from a supplier requesting payment on an overdue invoice. Because this was a known supplier, the manager quickly processed the invoice to keep them happy. The manager noticed there was a new account number but could not reach the supplier to verify it until the next day and decided to proceed with the transaction. The next day the AP manager received a call from the supplier stating that their email was compromised and that the invoice and request were fraudulent.

Prevention Tips

• Employ threeway matching: If you can match each invoice to a purchase order and receipt of goods, then you’re much less likely to pay a fraudulent invoice.

• Verbal approvals: For wire transfers that have new or updated banking information, request verbal approval or confirmation from a number and contact you are used to doing business with.

Prevention Tools

• Employ automation: Automation in the AP department gives you the tools you need to more effectively implement the tips above for preventing fraud. It’s probably the single most important step you can take to stop invoice fraud.

5. Check Fraud

An accounts payable employee was in the process of replenishing the check stock when a fraudster, posing as a prospective customer, needed assistance. She placed the stack of checks on her desk and invited the gentleman to sit down. As they were talking, he noticed the stack of blank check stock on the employee’s desk. When the employee stepped away to get what he’d requested, as a distraction, he picked up the blank check stock from the employee’s desk and quickly put it in his bag.

After the fraudster left, the employee didn’t realize the stack of blank check stock was gone. The fraudster was able to write checks against the organization’s accounts.

Prevention Tips

• Training: Employees should be trained on how to look for check security features and identify fraudulent checks.

• Bank statement reconciliation: Be sure to reconcile bank statements and daily transactions to check for irregularities.

• Bank tools: Take advantage of the check services offered by banks to help reduce fraud, such as positive pay.

Prevention Tools

• Positive Pay: Allows the business and bank to work together to detect check fraud by identifying items presented for payment that the organization did not issue.

• Reverse Positive Pay: Similar to Positive Pay except for the company, not the bank, maintains the list of checks issued.

• Payee Positive Pay: Protects your company from payee fraud losses by including the payee name with your check issue information.

6. Telephone Fraud

An individual had just placed an order with an online retailer. The next day, she received a phone call from an unknown number saying there was a problem with her order and to call them back at a certain number. Without hesitation, she dialed the number and inquired about the order. She was asked to verify her personal information including name, address, phone number and card number.

Prevention Tips

• Screen your calls: Don’t answer any calls from unknown numbers—let it go to voicemail.

• Protect your privacy: If you do answer the call, do not confirm your identity if asked; simply hang up or ask who is calling you. Otherwise, do not respond to any questions asked either by a live or recorded voice and do not provide any personal information.

• Don’t select any options to proceed: If you are prompted by a recording to press a button or taken through a list of options, don’t make a selection, simply hang up.

• Verify all numbers: Only dial numbers you are certain are valid, like a website customer contact area.

Prevention Tools

• Register: Make sure your phone number is on the “National Do Not Call” list to help reduce unwanted calls.

• Block numbers: Be sure to block suspicious numbers on your mobile phone.

Eight Common Fraud Tips

1.    Educate yourself about common scams
2.    Monitor against insider threats
3.    Ensure employees are aware of security best practices
4.    Back up data off-site
5.    Restrict administrative rights
6.    Secure against business email compromise
7.    Install and update antivirus software
8.    Talk to your bank about the fraud mitigation services they offer