By Danny Thompson
Normal business routines have been disrupted by the COVID-19 outbreak, and much of the workforce has been working from home. Cybercriminals view this as prime time to exploit security vulnerabilities, especially as it relates to accounts payable departments. From local businesses to the largest corporations, companies still need to pay their suppliers if possible. This is especially true for those businesses deemed as providing essential services amid the coronavirus pandemic.
Time and again, payment fraud attempts rise in times of crisis, and they may be more successful when vital employees are out of the office. With the teams in charge of accounts payable controls dispersed and adjusting to new routines, bad actors look for ways to perpetrate scams aimed at diverting payments to fraudulent bank accounts.
Accounts Payable: Be on High Alert
Business email compromise (BEC) scams are an ongoing threat. BEC fraudsters target accounts payable departments by hacking or spoofing employee or supplier emails and requesting a change to the supplier’s bank account. Once the account is changed, the fraudster will receive any payments made to the account. A recent FBI report showed a 107% increase in BEC complaints from 2017 to 2018 in the bureau's Pittsburgh region, with complaints totaling $11.7 million in 2018.
A Pennsylvania real estate firm fell victim to a $580,000 BEC attack in 2017 after a principal’s email account was hacked. The fraudster then emailed another employee from the spoofed account, resulting in a transfer of over half a million dollars to the attackers. This scam illustrates the type of large-scale payment fraud made possible as a result of disrupted accounts payable security controls during the COVID-19 crisis. It reinforces the argument that companies need to dramatically tighten their supplier and customer setup and bank account change controls.
Controls for Avoiding Payment Fraud
Companies have found that fully automated controls greatly reduce the risks associated with payment fraud. This can be especially true during a crisis. On a day-to-day basis, automated controls can be more reliable because they are less vulnerable to sophisticated hacking techniques and simple human error.
To best protect against payment fraud, the critical financial control for accounts payable departments is fully automated bank account ownership validation. Automated validation confirms in real time that the legal name and business entity type on the bank account matches the supplier record in the buying organization’s system.
Other controls, such as securing the entry point of bank account change requests through multifactor authentication, activity pattern detection, and IP location blacklists, can all help prevent a multimillion-dollar loss.
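As an added illustration (not code from the author or apexanalytix), the Python below gates a bank account change request on ownership validation, multifactor authentication, and an IP blocklist, returning the reasons a request must be held. It assumes the account owner's name comes from a hypothetical bank-side lookup; the suffix table, blocked network, and field names are constructed, and activity pattern detection is not covered.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed, non-exhaustive map of legal-form suffixes to an entity type.
ENTITY_SUFFIXES = {"inc": "CORP", "incorporated": "CORP", "corp": "CORP",
                   "corporation": "CORP", "llc": "LLC", "ltd": "LTD",
                   "limited": "LTD", "lp": "LP", "llp": "LLP"}
# Constructed blocklist (TEST-NET-3 documentation range).
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

@dataclass
class ChangeRequest:
    supplier_legal_name: str  # from the buyer's supplier record
    bank_owner_name: str      # from a hypothetical bank-side ownership lookup
    mfa_passed: bool
    source_ip: str

def normalize(legal_name):
    """Split a legal name into (core name, entity type), ignoring case and punctuation."""
    tokens = re.sub(r"[^a-z0-9 ]", "", legal_name.lower()).split()
    entity = ENTITY_SUFFIXES[tokens.pop()] if tokens and tokens[-1] in ENTITY_SUFFIXES else None
    return " ".join(tokens), entity

def review(req):
    """Return the list of reasons to hold the change; an empty list means proceed."""
    reasons = []
    supplier_name, supplier_type = normalize(req.supplier_legal_name)
    owner_name, owner_type = normalize(req.bank_owner_name)
    if supplier_name != owner_name:
        reasons.append("owner_name_mismatch")
    if supplier_type != owner_type:
        reasons.append("entity_type_mismatch")
    if not req.mfa_passed:
        reasons.append("mfa_missing")
    try:
        ip = ipaddress.ip_address(req.source_ip)
        if any(ip in net for net in BLOCKED_NETS):
            reasons.append("blocked_ip")
    except ValueError:
        reasons.append("invalid_ip")  # fail closed on an unparseable address
    return reasons

if __name__ == "__main__":
    # Constructed sample requests.
    for req in (ChangeRequest("Acme Supply, Inc.", "ACME SUPPLY INCORPORATED", True, "198.51.100.7"),
                ChangeRequest("Acme Supply, Inc.", "Acme Supply LLC", False, "203.0.113.50")):
        print(req.bank_owner_name, "->", review(req) or "proceed")
```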
How Else Can Accounts Payable Run Smoothly During Crises?
Internally, companies should focus on creating secure access to collaborative tools to ensure accounts payable team members can stay in close contact and quickly react to a security incident. Access to communication tools like Skype, Microsoft Teams, Slack, Zoom, and others allows accounts payable teams to maintain communication and productivity, enabling business continuity for their organizations.
Maintaining strong relationships with customers and suppliers is also critical during uncertain times. Regular video check-ins help by giving you visibility into your partners’ working environment and providing a greater sense of camaraderie. Being aware of the challenges your partners are facing will also help the accounts payable department mitigate risks and stay on top of new challenges, such as if prior agreements can’t be fulfilled due to the circumstances.
Another area for accounts payable departments to keep in mind is the financial supply chain; in other words, your supplier’s cash flow. You may consider introducing them to your supply chain financing provider or, if you have funds available, your own early payment programs.
Danny Thompson is senior vice president of market and product strategy for apexanalytix. He can be reached at firstname.lastname@example.org.