Protect Your Business Against Spoofing and Phishing Schemes
Are you protecting your business from vendor-related spoofing and phishing schemes?
With everything that is done online nowadays, businesses are more vulnerable to “spoofing” schemes. Business information such as vendor names, recurring invoices and invoice amounts is all the information anyone would need to spoof a vendor. Sending an email that looks like it’s from one of your existing vendors is easy: just one small change to the email address, such as a change in punctuation, and they can submit a request saying, “We have changed our banks; please wire payment to this new account.”
Basic steps for protection
Your business can protect itself by implementing simple validation procedures such as calling the vendor contact for confirmation. Replying by email won’t work, since the email address has been altered by the attempted fraudster and the reply would go back to them. Use the phone number already on file for the vendor, not one supplied in the email.
Restricting who can perform vendor changes is a good way to ensure that processes are followed consistently. Your IT group can provide the finance office with a list of personnel who have access to modify vendor information; review that list to ensure it’s restricted to the appropriate people. For payment processing, the primary control concern may be segregation of duties, but to minimize phishing and spoofing risks the primary issue is making sure that the people with the ability to change vendor data know the processes for reviewing, performing and validating those changes.
In addition to restricting who can process changes, finance managers should regularly review the vendor master file for recent changes. In particular, look for small edits to names (A1 Exterminators vs. A-1 Exterminators), changes to payment instructions and atypical payment increases. If the list of active vendors is long, one risk-based approach to culling it is to include only those that have been paid in the fiscal period under review. Ask your IT department to provide the data and, if they have the tools, to perform a preliminary analysis so that finance only needs to review the outliers. Finally, implement processes to disable old vendors who are no longer utilized.
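The review described above, and the lookalike sender address from the opening paragraph, can be turned into a small preliminary analysis that IT could run over an export of the vendor master file and the period's payments. The script below is an added example, not part of the original article and not a product of any vendor or tool; every vendor name, email domain, bank account and payment amount in it is constructed, and the thresholds (a name-similarity ratio of 0.8, a domain-similarity ratio of 0.85, and a payment more than twice the vendor's median) are illustrative assumptions to be tuned against real data.

```python
"""Vendor master change review (added example with constructed data)."""
from dataclasses import dataclass
from difflib import SequenceMatcher
from statistics import median


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    email: str
    bank_account: str


# Constructed previous snapshot of the vendor master file.
PREVIOUS = {
    "V100": Vendor("V100", "A-1 Exterminators", "billing@a-1exterminators.example", "111-222"),
    "V200": Vendor("V200", "Northwind Office Supply", "ar@northwind.example", "333-444"),
    "V300": Vendor("V300", "Contoso Cleaning", "invoices@contoso.example", "555-666"),
}

# Constructed current snapshot: V100 has a subtle name edit and a new bank account.
CURRENT = {
    "V100": Vendor("V100", "A1 Exterminators", "billing@a-1exterminators.example", "999-888"),
    "V200": Vendor("V200", "Northwind Office Supply", "ar@northwind.example", "333-444"),
    "V300": Vendor("V300", "Contoso Cleaning", "invoices@contoso.example", "555-666"),
}

# Constructed payments in the fiscal period under review: (vendor_id, amount).
PAYMENTS = [
    ("V100", 1200.00), ("V100", 1250.00), ("V100", 1180.00), ("V100", 4900.00),
    ("V200", 300.00), ("V200", 310.00),
]


def similarity(a: str, b: str) -> float:
    """Case-insensitive similarity ratio in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def classify_sender_domain(sender_email: str, vendor_email: str, threshold: float = 0.85) -> str:
    """'match' if the sender's domain equals the vendor's recorded domain,
    'lookalike' if it differs only slightly (e.g. added punctuation), else 'unrelated'."""
    sender_domain = sender_email.rsplit("@", 1)[-1].lower()
    vendor_domain = vendor_email.rsplit("@", 1)[-1].lower()
    if sender_domain == vendor_domain:
        return "match"
    return "lookalike" if similarity(sender_domain, vendor_domain) >= threshold else "unrelated"


def master_file_changes(previous, current, name_threshold: float = 0.8):
    """Compare two snapshots and report name, bank account and contact changes."""
    findings = []
    for vid, now in current.items():
        before = previous.get(vid)
        if before is None:
            findings.append((vid, "new vendor", now.name))
            continue
        if before.name != now.name:
            # A near-identical name is the classic sign of a tampered record.
            kind = "subtle name edit" if similarity(before.name, now.name) >= name_threshold else "name changed"
            findings.append((vid, kind, f"{before.name!r} -> {now.name!r}"))
        if before.bank_account != now.bank_account:
            findings.append((vid, "payment instructions changed", f"{before.bank_account} -> {now.bank_account}"))
        if before.email != now.email:
            findings.append((vid, "contact email changed", f"{before.email} -> {now.email}"))
    return findings


def atypical_payments(payments, ratio: float = 2.0):
    """Flag any payment larger than `ratio` times the vendor's median payment."""
    by_vendor = {}
    for vid, amount in payments:
        by_vendor.setdefault(vid, []).append(amount)
    flagged = []
    for vid, amounts in by_vendor.items():
        typical = median(amounts)
        flagged.extend((vid, amount, typical) for amount in amounts if amount > ratio * typical)
    return flagged


def inactive_vendors(current, payments):
    """Vendors in the master file that received no payment in the period (candidates to disable)."""
    paid = {vid for vid, _ in payments}
    return sorted(vid for vid in current if vid not in paid)


def review(previous, current, payments):
    """Bundle the three checks so finance only has to look at the outliers."""
    return {
        "changes": master_file_changes(previous, current),
        "atypical_payments": atypical_payments(payments),
        "inactive_vendors": inactive_vendors(current, payments),
    }


if __name__ == "__main__":
    for section, items in review(PREVIOUS, CURRENT, PAYMENTS).items():
        print(section)
        for item in items:
            print("   ", item)
```

On the constructed data the review flags V100 twice (a subtle name edit and changed payment instructions, the combination that should trigger a phone call to the number on file), flags the 4,900 payment to V100 as atypical against a median of 1,225, and lists V300 as a vendor with no payments in the period. The domain classifier is meant for the mailbox side: a sender domain that differs from the recorded one by a single character is reported as a lookalike rather than silently treated as a new contact.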
As employees are both your first line of defense and your weakest link, IT and accounts payable staff need to be diligent when it comes to spoofing and phishing campaigns. It’s helpful to add an “external” tag to all emails from outside the organization, not just so that malicious emails are easier to spot, but also so that a message claiming to come from an internal colleague or a known vendor stands out quickly. The best practice, if you have the resources, is to send simulated phishing emails or make test calls to identify which employees might need additional education and security awareness training.
The bottom line
There will always be people who try to defraud your business, and those people will continue to find new ways into your checking account. Safeguard your funds by reminding your IT and finance managers to regularly monitor for threats and guard against evolving risks.