Good corporate governance and asset protection are things every business needs to be aware of.
I have seen many instances of white-collar and cyber crime. The big multinational businesses I have worked for had strong finance processes and procedures, but still had more than their fair share of threats, and incidents, which has made me very aware of this issue. You don't hear about the majority of cases, but in the right forums, CFOs will tell you what they have been through all too often.
I know of several businesses this has happened to. Attackers get access to an employee's email, watch the mail for a period, and then intercept and amend a large and unusual payment, redirecting it offshore. I saw one instance where very few significant payments were ever made, but the one time a payment in excess of $1.5m was due, there was a late request from "the CFO" (of course it wasn't) to change the banking details for the payment. Money gone.
But before this threat, I saw several internal white-collar frauds perpetrated by people who amended Accounts Payable banking records to direct payments to unauthorised recipients. In every one of these cases, a request was lodged to change the recipient bank account, or to create a new supplier account, which was not from whom it purported to be.
No check of the account name
This exploits a weakness in the banking system: there is no check of the account name when a deposit is made. We all carefully input the account name, as well as the BSB and account number, when making an electronic payment. But what the banks don't tell you is that the account name is never actually matched. If the BSB and account number are valid, the bank will transact the money, even if the name is not a match. Some payment systems now offer a name check (the UK's Confirmation of Payee, for example), but you should not rely on the bank to catch a mismatch before the funds leave.
In one case I saw, the bank's security team did come back after the event and notify the company that there was a discrepancy, but that didn't stop the payment being made in the first instance. By then, the money was gone.
Check any request to change banking details
So what the multinational companies I have worked for have always done is make it extremely difficult for an employee to request a change in supplier bank details. They will typically require a letter, on letterhead, signed by a Director of the recipient, confirming the change. A letter can be forged too, so the change should also be confirmed by calling the supplier on a number already on file, never one given in the request.
This makes sense. How often do you think a company changes its bank account? Not often. And certainly not immediately before a major payment is due.
The theft I mentioned above involved an accounting staff member receiving an email from her CFO, forwarding an email from the supplier explaining that "due to an audit of their bank account" they were requesting that a payment of $1.6m be made to another account, at another bank.
There were so many things wrong with this request that it is difficult to know where to start. But it worked: the banking details were immediately changed by the junior (the CFO's email had been compromised) and the payment was made, and duly processed, that day.
Even if the bank account were being audited, the supplier would of course still be able to receive funds into it. Why did this not ring an alarm bell?
Why would the supplier have an account at another bank? Companies will almost always have only one banking relationship.
Why would the CFO approve a change of account details on the basis of a sketchy email? His language in the email was also not fluent, a further tip that it was not him actually sending the message.
This scam was made easier because both the CFO and the junior were working from home, so they never got a chance to discuss it face to face in the office. And the CFO was the one person in the organisation who had not enabled two-factor authentication on their email.
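The controls described in this section can be expressed as a pre-payment check that runs over the supplier master change log before a payment run is released. The example below is added here for illustration and is not code from the original post or from any company mentioned in it; the supplier names, dates, amounts, the 14-day cooling-off period, the $100,000 "large payment" threshold and the rule that the first two BSB digits identify the institution are all constructed assumptions for the example. It holds a payment when the payee's bank details changed recently without an independent callback, moved to a different institution, changed account name, or when the payment file no longer matches the master record.

```python
"""Pre-payment control: hold payments to suppliers whose bank details changed
recently, were not independently verified, or moved to a different bank.
Added illustrative example; all data below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BankDetails:
    bsb: str        # e.g. "062-000"
    account: str
    name: str


@dataclass(frozen=True)
class MasterChange:
    supplier: str
    changed_on: date
    old: BankDetails
    new: BankDetails
    verified_by_callback: bool  # phoned on a number already on file, not one in the request


@dataclass(frozen=True)
class Payment:
    supplier: str
    pay_date: date
    amount: float
    to: BankDetails


COOLING_OFF_DAYS = 14       # hypothetical policy value
LARGE_PAYMENT = 100_000.0   # hypothetical threshold

# Reason codes returned by review_payment
UNVERIFIED = "bank change not verified by callback"
NEW_BANK = "new account is at a different institution"
NAME_CHANGED = "account name on the new details differs from the old"
LARGE_AFTER_CHANGE = "large payment inside cooling-off window after a bank change"
MISMATCH = "payment details do not match supplier master"


def institution(bsb: str) -> str:
    # Assumption for this example: the first two BSB digits identify the institution.
    return bsb.replace("-", "")[:2]


def review_payment(payment: Payment, changes: list[MasterChange]) -> list[str]:
    """Return the reasons to hold this payment; an empty list means release."""
    reasons = []
    history = [c for c in changes
               if c.supplier == payment.supplier and c.changed_on <= payment.pay_date]
    # The master record is the most recent change on file; the payment file must match it.
    latest = max(history, key=lambda c: c.changed_on, default=None)
    if latest is not None and payment.to != latest.new:
        reasons.append(MISMATCH)
    window_start = payment.pay_date - timedelta(days=COOLING_OFF_DAYS)
    for c in (c for c in history if c.changed_on >= window_start):
        if not c.verified_by_callback:
            reasons.append(UNVERIFIED)
        if institution(c.old.bsb) != institution(c.new.bsb):
            reasons.append(NEW_BANK)
        if c.old.name.strip().lower() != c.new.name.strip().lower():
            reasons.append(NAME_CHANGED)
        if payment.amount >= LARGE_PAYMENT:
            reasons.append(LARGE_AFTER_CHANGE)
    return reasons


def hold_list(payments: list[Payment], changes: list[MasterChange]) -> dict[str, list[str]]:
    """Map each supplier whose payment must be held to the reasons for the hold."""
    return {p.supplier: r for p in payments if (r := review_payment(p, changes))}


# Constructed sample data: one suspicious change shortly before a $1.6m payment,
# one old, verified change, and one supplier with no changes at all.
ACME_OLD = BankDetails("062-000", "12345678", "Acme Pty Ltd")
ACME_NEW = BankDetails("033-000", "98765432", "Acme Pty Ltd")
BETA_OLD = BankDetails("062-100", "11112222", "Beta Ltd")
BETA_NEW = BankDetails("062-200", "33334444", "Beta Ltd")

CHANGES = [
    MasterChange("Acme Pty Ltd", date(2023, 3, 10), ACME_OLD, ACME_NEW, verified_by_callback=False),
    MasterChange("Beta Ltd", date(2023, 1, 5), BETA_OLD, BETA_NEW, verified_by_callback=True),
]
PAYMENTS = [
    Payment("Acme Pty Ltd", date(2023, 3, 12), 1_600_000.0, ACME_NEW),
    Payment("Beta Ltd", date(2023, 3, 12), 4_200.0, BETA_NEW),
    Payment("Gamma Inc", date(2023, 3, 12), 9_000.0, BankDetails("062-300", "55556666", "Gamma Inc")),
]

if __name__ == "__main__":
    for supplier, reasons in hold_list(PAYMENTS, CHANGES).items():
        print(f"HOLD {supplier}: " + "; ".join(reasons))
```

Run against the sample data, only the Acme payment is held, with three reasons: the change was not confirmed by callback, the new account is at a different institution, and a large payment falls inside the cooling-off window. The point of the cooling-off window is exactly the observation above: a genuine supplier rarely changes bank accounts, and almost never days before a major payment, so a hold and a phone call cost little compared with the loss.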
Use of Clearing Accounts
In another example I saw, an AR person was defalcating funds from customer payments, again by telling customers that a new company bank account was in use. He covered the defalcation by redirecting funds from a "clearing account" in the AR cycle. Clearing accounts are definitely not kosher, and if your accounting team uses one in any of your accounting processes, you can consider it a sub-optimal process. It is a slush fund into which all the transactions that are too difficult to resolve in the first instance are put into a holding pattern: a too-hard basket, if you like. They quickly become aged and ripe for defalcation by anyone with access.
Segregation of Duties
One of the key elements of internal control is proper segregation of duties between those with custody of assets, those keeping the records of those assets, and those authorising amendments to those assets. No one person should perform all three functions.
But not amending supplier bank account details on the basis of an email is just common sense.