December can be a tricky time in the accounting world: Year end is coming to a close, tax deadlines are approaching, and there’s still the idea of implementing workflow improvements before the end of the year. Yet, ironically Christmas and the holiday shopping season is officially among us, and so is a new seasonal batch of payment security threats.
Due to the current business climate, research shows that consumers are planning to shop earlier than ever this year – with a spike in online sales. This time of year means increased sales, new inventory and more customers for businesses, but it can also bring greater risks for theft and payment fraud; which is why we’ve created a gift bag of tools that will help to lock down and secure your payments in time for the holidays.
Read on for some quick tips and best practices you can start following now to help you keep your business safe and secure for a successful holiday season.
Make sure all emails are valid
Quick Tip: Always verify requests – in person or over the phone!
One of the most common ways to steal funds is by tricking someone to transfer money they were not supposed to.
Have you ever received an email from an employee that seems phishy but doesn’t necessarily set off any red flags? An email that comes directly from a CEO or CFO requesting you to pay a vendor, place a deposit, or make a large purchase? Well, that’s called BEC – Business Email Compromise – and it’s one of the most common forms of fraud happening to businesses of all sizes today.
Business email compromises happen when accounting seemingly is instructed to initiate a payment by an executive, except the email is really from a fraudster or hacker. In most cases, the hacker impersonating an employee asks for their bank account information to be changed, but it doesn’t always involve money. Hackers are also interested in other sensitive data such as W-2s and tax forms.
BEC is costing companies billions of dollars every year and it is easy to fall prey to this practice. Unlike phishing emails, these spear phishing emails are typically text only—there are no links to scan or other identifying clues that an email filter can detect. According to the FBI, US businesses lost $1.7 billion from business email compromise in 2019. That’s why it’s important for accounts payable teams to be well trained to spot the signs of spear phishing and have processes in place for confirming requests for financial transactions and wire transfers:
- Always verify payments are authentic – don’t rely on an email or instant message – verify any larger or unusual payments in person or over the phone.
- Check if the domain name is exact and not something that just looks or sounds similar.
- Don’t hit ‘Reply’ – forward the message to be sure you are sending to the right person.
- It is easy to fake (spoof) a sending email address or cell phone number. Don’t automatically assume these are from who they seem to be from.
One of the most frequent red flags is if the email creates a sense of urgency. Scammers can be very patient and watch emails until the right time, an email from the CEO as he’s boarding the plane for a long flight are rarely questioned.
Verify the recipient
Quick Tip: Have controls in place anytime vendor information is added or changed!
So now that you’ve verified the payment is legitimate, you must make sure the destination is as well. There have been many cases where a company thought they were doing a legit payment to a vendor but in reality the payment went to another account number. Why does this happen? Because someone updated the payee information without verifying the authenticity of the new information.
- Establish written process and procedures – make sure the people handling the financial transactions are confirming the destination, whether it be a phone call or in-person confirmation
- Contact the destination directly to confirm email requests
- Tighten your internal controls – mitigate additional risks with a limited number of employees authorized to make these transactions
Lock down your payment systems
Quick Tip: Secure your passwords!
Even if your processes for payments are solid, it might still be possible for an attacker to get access to your systems and send off a payment. It’s important to secure user accounts to banks and accounting systems. This should always involve two factor authentication. Almost all services these days support using an authenticator app. If they don’t, you should not be using them. Secure passwords are a must – or even passphrases – as they are more secure and easier to remember. This panel from XCKD explains it well!
Protect your communication
Quick Tip: Two-factor authentication is a must!
Hackers use as many avenues as possible to target businesses and its data – and two of the key routes into organizations are: mobile devices and emails.
The number of these types of attacks are rising and research suggests cyberattacks have risen by 50% in 2019 compared to the previous year (Cyber Attack Trends: 2019 Mid-Year Report).
Here’s one mobile fraud attack scenario: Someone calls to let you know your account has been hacked. They ask you to read back the authentication code they just sent you so they can verify your identity. Don’t go along with it! Hackers could be calling for a two-factor authentication code they need to log in to your account.
Another favorite technique by scammers is to call a mobile operator and transfer the number. In doing this, you won’t have access to your texts and calls anymore and hackers are able to get access to your two-factor authentication messages. Unfortunately, this is not always prevented. Most mobile operators allow you to freeze the number so it cannot be transferred until unfrozen. Hackers have endless sneaky ways to access your information via phone and it’s important to make sure you have two-factor authentication on both your mobile and your email accounts.
Stay on top of your game
Quick Tip: Always be on the lookout!
Very often there are clues that something nefarious is going on that we can miss in the barrage of messages we all receive every day. Pay attention to account statements, notices of failed logins and text messages you receive when your accounts are accessed. These notifications and warnings may not be default active, but usually they are easy to enable and increase your peace of mind! But be on the lookout for fake notifications with bogus links as well!
This is the time of year when some businesses put off remote and in-person security protocols and payment security issues until next year. As we have seen too often, businesses who do not prioritize payment security during this time, end up being breached. Hackers are getting smarter and faster every year and it becomes easy to let your guard down. However, staying efficient and avoiding small bumps in the road can make the biggest difference in the success of your business. That’s why, making payment security a holiday priority is important and should be part of your holiday business plan. Find out how Checkrun can help secure your business payments today.