A recent article in the Wall Street Journal titled ‘Hackers Trick Email Systems into Wiring Them Large Sums’ discusses losses estimated at $1B over the last two years from email hacking schemes. The gist is that thieves get control over email accounts and then direct company employees to pay possibly legitimate invoices to fraudulent bank accounts controlled by cyber thieves. The article goes on to say that these small companies have suffered these losses because they do not have the budget of larger companies for security and investigation.
It’s always frustrating to hear about legitimate businesses that suffer losses as result of a security breach. But, I would assert that poor accounting practices, which are an affordable necessity for businesses of any size, are the primary culprit. Consider the two cases noted:
In the first case, the targeted company received an email purportedly from a vendor to give wire instructions for a shipment that was legitimate. The company then proceeded to wire $100,000 to the “vendor” which was later identified to be cyber thieves hacking into their system.
In the second case, the CFO received an email, purportedly from the CEO, instructing her to wire $169,000 to a company for an investment. In this case, the CFO happened to speak with the CEO prior to sending the wire, which saved the company from a potential loss.
Both of these scenarios could have been avoided completely if they would have had proper accounting practices in place. Let’s take a minute to discuss a couple of simple accounting practices your company could implement to avoid email hacking losses. You can also refer to our checklist, Six Accounting Practices Companies Can Use To Avoid Email Fraud.
Set up bank payment information regarding where and how to pay vendors
At setup, your accounts payable department is dealing directly with the vendor that you want to contract with (so banking information given is provided by the legitimate vendor representative). Make sure you set up the vendor routing and bank account number in your accounting software as well as the legitimate vendor contact information.
When vendors request payment for legitimate purchases, never use wire instructions from an email. Go back to your accounting software and pull the authorized banking instructions you received from the vendor at vendor setup. If you have any questions or concerns about an email request for payment, use the legitimate vendor contact information from your accounting software to contact the vendor and verify the payment request. Again, if the request is legitimate, make payment to the account recorded in your accounting software; never make changes to vendor payment information without verifying it directly with the vendor contact listed in your accounting software.
Never make a payment based upon an email (only) from a higher authority
In the example with the CFO and the CEO, the CFO should have phoned the CEO, or gone to them in person (if proximity permits), regarding the payment and supporting details required before any payment can be made. Unfortunately, executives often believe the rules do not apply at their level, but because the losses can be so much greater at the executive level (due to the higher authority limits), rules should be enforced just as stringently for executives (perhaps more so).
Final Thoughts
Proper procedures govern sending payments of any kind, especially wire payments for which there is limited recourse to get funds back. Implementing proper procedures is a cheap and easy way to safe guard your company from cyber theft. Hiring a certified accountant to review your company’s accounting processes would cost only a few thousand dollars and would have completely prevented both of the above cases. Remember, emails do not send wires. People do.
For additional information on this topic, download the ‘Six Accounting Practices Companies Can Use To Avoid Email Fraud’. And to stay In The Know, connect with us via social media or check out more posts on our blog.