In May 2019 there was a story about St. Ambrose Catholic Parish, in New Brunswick, OH that was a victim of Business email compromise and sent two payments totaling $1.75M to a cybercriminal.
Business Email Compromise Scam
Hackers infiltrated employee email accounts at the church. It doesn’t say specifically, but it appears emails came from an employee (CEO?) email account and requested that the construction vendors’ banking be changed. This is a classic Business Email Scam (BEC) that trick employees into believing that they are making legitimate changes. Security Awareness training along with authentication techniques, internal controls and best practices are your best defenses against BEC.
Also Beware Even if A Call is Received!
There is something new. What if in the future an employee receives a call from who they think is the CEO, but it’s a fraudster using artificial intelligence to create deepfaked audio? Would you or your team know how to handle it? BBC News has the article. Vice.com has a deepfake of FB Mark Zuckerburg was shared on social networks.
How to Prevent the Same from Happening to Your Company
For vendor banking changes in companies that do not have a vendor self-service portal where the vendor authenticates themselves, I have a separate blog on How to “4 Steps to Protect Your Vendor's Banking from Being Changed by a Cybercriminal: Includes a Critical Step Most Companies Leave Out” that includes authenticating the request, validating before changing, and sending a notification to the vendor.
What Sticks Out from the Story That Could Have Found the Fraud Faster
The fraud did not surface until it after two months, at which time the vendor called the church to inquire about the two missing payments. If the AP department at the church would have reviewed the vendor statements for those two months, the fraud would have been found faster.
Back when I was a controller at a regional office where we had a centralized Accounts Payable (AP) department and our role was only to key in invoices. Those invoices would then post to the master account along with other regional offices and the invoice would be paid. So, we had a manual process, but I still had the team add vendor statement reviews to its monthly checklist. With competing priorities, sometimes it was done, and sometimes it wasn’t, but in today’s fraud reality, I would now make it a priority.
Segment. If you still have a full or partial manual process, you may not be able to review all vendors, but how about vendors that have extended projects and/or that require large payments at specific times? vendors statement would have uncovered the fraud earlier after the first fraudulent
Automate. There are 3rd Party Vendor statement review solutions that can be as simple as uploading the vendor statement or integrating with your Accounting System/ERP to automate the review of the statement. Robotics Process Automation may be able to assist if you receive statements via email.
Yes, I know, hindsight is 20/20, but use these unfortunate incidents as a lesson learned so that it does not happen to your team.
Debra R Richardson
MBA, APM, APPM, CPRS
Debra is an accounts payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors and Aramark.
For the past eight years, Debra has focused on Global Vendor Maintenance, and implemented a vendor self-registration portal for 140k+ global vendors across five Accounting Systems/ERPs. In her consultancy, she focuses on internal controls and authentication to prevent fraud in the vendor master file.