Don’t Click That Link!

If you have been working in or with accounts payable for very long, you are savvy. You know that crooks look for ways to get some of your organization’s money. It’s not easy to scam you. But what about staff? Do they fully comprehend how fraud is a fact of business life?

Anyone working in accounts payable eventually develops a healthy skepticism. People are trying to scam you. But despite our wariness, we are human, subject to getting tired or hurrying instead of being deliberate. Unfortunately, criminals understand this and aided by technology, are relentless in challenging our ability to remain vigilant.

For example, which technological tools does your team use to communicate? Those systems may send legitimate administrative emails periodically. Occasionally an administrative email might include a call to action. For example, as a security protocol, some systems require quarterly changes to passwords.

Spoofed Legitimacy

Here is where you must be on your guard. If one is in a hurry, extremely busy, or tired as the email comes in near the close of business, it’s not the best time to react to the email’s message. Of course, there are legitimate messages from your IT department and your systems. But criminals are also quite good at spoofing.

Technology makes spoofing very easy for a criminal who attends to detail. Fraud perpetrators can imitate the look of an email from Microsoft, Google or any other system. They can affect the style and tone to induce the recipient to take action, whether to log into a system (thereby giving away their login credentials), open an attachment or click a link that allows malware access to the recipient’s computer.

How Scammers Get You

Of course, some malicious emails are less well-crafted. They include poor grammar and misspelled words. We may smile at the poor attempt, even as we pride ourselves in having spotted it. But poorly done emails can set us up if they encourage the idea that criminals always have poor grammar or cannot spell.

Along comes an email with the correct logo and a brief instructional message. For example, it may say, “The current password for jsmith@yourcompany.com expires tomorrow, Thursday, June 1, 2022, EST. To avoid losing access to your email account, update your password before it expires.” And it helpfully includes the link to enable you to update your password.

It looks reasonable, and it’s not unexpected (or maybe it is). If one is in a hurry, doesn’t want to get locked out of their email tomorrow, and likes to take care of things right away, they click the link. That moment is irreversible. It can happen, and has happened, to many.

What You Can Do

To paraphrase the British writer Howard Jacobson, an AP manager or specialist “should never be lulled out of the vigilance native to their profession.” Understand that perpetrators are always looking for a way to compromise you and your staff. Give them due respect. Then, never click a link in an email or take other action, such as making an urgent payment, until you have checked the email’s legitimacy.

Make a habit of checking the “from” address—who really sent the email? Look carefully—beware of a slight misspelling. The “from” name is easily spoofed, but if you hover your cursor on the “from” name, you can see the underlying email address, which might not be what you expect. Similarly, hover your cursor over any URL in the email to see the actual underlying URL. Again, it’s simple to spoof the display URL or link name.
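As an added illustration that is not part of the original article, the following Python script performs the same “hover and look” checks on a raw message: it compares the “from” display name with the real address, compares each link’s visible text with its actual target, and flags domains that are a slight misspelling of a trusted one. The trusted-domain list and the sample message are constructed for the demo.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical: domains the AP team legitimately receives mail and links from.
TRUSTED = {"yourcompany.com", "microsoft.com"}
# Good enough for the demo's simple HTML; use html.parser.HTMLParser on real mail.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    """Lower-cased hostname of a URL or bare domain (what hovering would reveal)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def vet(domain, what):
    """Warning if the domain is untrusted, naming any trusted domain it closely resembles."""
    reg = ".".join(domain.split(".")[-2:])  # simplification: last two labels only
    if reg in TRUSTED:
        return None
    close = [t for t in TRUSTED if difflib.SequenceMatcher(None, reg, t).ratio() >= 0.8]
    return f"{what} {domain} is not trusted" + (f" (resembles {close[0]})" if close else "")

def check_email(raw):
    """Run the from-address and link checks on one raw message; return warning strings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    warnings = [w for w in [vet(from_dom, "sender domain")] if w]
    # A display name that drops a trusted brand while the address lives elsewhere.
    if warnings and any(t.split(".")[0] in name.lower() for t in TRUSTED):
        warnings.append(f"display name '{name}' imitates a trusted sender; address is {addr}")
    for href, text in LINK_RE.findall(msg.get_payload()):
        real, text = host_of(href), text.strip()
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != real:
            warnings.append(f"link text shows {shown} but points to {real}")
        if w := vet(real, "link target"):
            warnings.append(w)
    return warnings

# Constructed sample modelled on the password-expiry lure quoted in the article.
SAMPLE = """\
From: Microsoft 365 Support <alerts@micros0ft.com>
Content-Type: text/html

<p>Update now: <a href="http://login.micros0ft.com/reset">https://login.microsoft.com/reset</a></p>
"""
```

Running `check_email(SAMPLE)` returns four warnings: the look-alike sender domain, the imitating display name, the mismatch between link text and link target, and the look-alike link domain.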

Don’t Trust; Verify

Next, consider the sender and message—are they expected, or are they a surprise? AP gets many surprises, of course; an invoice coming due when you have no matching PO is a common one. Don’t trust; verify.

Train your staff: Do not click a link before doing these simple checks! And make it a habitual practice so that when your team is in a hurry or tired, the habit persists. Remember that the perps craft persuasive messages and count on a slip-up. Vigilance and precaution can protect your company’s security and assets and save you headaches.

Talk with IT about security protocols. Institute multi-factor authentication (MFA) wherever possible. And train and remind your staff regularly.

For help with secure information transfer from vendors via VendorInfo, contact us.