4 Steps in detecting a fraudulent email
Your accounts team holds the purse strings of your business. Money flows in and out of your business thanks to this hardworking team. With so much responsibility, a small mistake can mean a high financial and reputation cost to your business.
In the last three months, the accounts teams of two different clients have paid out fraudulent invoices totalling over $75,000.
In the last year, that figure is well over $150,000; in the previous four years, the total cost associated with payments in fraudulent invoices was close to $500,000.
Sometimes the staff realised their mistake soon enough for the transactions to be reversed, but that was not always the case.
In one case, lawyers became involved as a dispute arose about who was responsible for the fraudulent payment. Was it the business that was compromised or the business that made the payment? Who won in this case – the lawyers, of course.
The unseen cost of paying fraudulent invoices
There’s always an unseen cost to making such payments:
- The stress caused to all involved
- The productivity loss as everyone’s attention is diverted to handle the crisis
- The reputation damage to the individuals involved
- The reputation damage to the organisation
The good news is that your organisation can avoid these issues, or at the very least, you can significantly reduce the chances of fraudulent payments. The better news is, it’s so cheap it’s an absolute no-brainer.
1. Check and double-check the sender’s email.
When an email requests a payment or a change of bank details, your staff’s caution must immediately dial up to 11. They should assume every such email is fraudulent until proven otherwise, and the first check is the sender’s actual email address, not just the name that is displayed. For example, an email from <Boss Name> [email protected] differs from <Boss Name> [email protected]: the display name is the same, but the address behind it is not.
2. Confirm changes offline.
Contact the person or company via phone to confirm the changes. If their phone number is in the email itself, ignore it. This phone number could be fraudulent too. Instead, find the contact in your contacts list, on your computer or on your phone.
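An added example, not part of the original post, that automates steps 1 and 2 in Python: it parses the From header of a payment-request email, compares the display name and address against a contacts directory, flags a name that matches a known contact with a different address or a look-alike domain (a character or two off, a generalisation of the page’s single example), and returns the phone number from your own records to call. KNOWN_CONTACTS, KNOWN_DOMAINS and the sample message are constructed values.

```python
"""Added example (not from the original post): check the sender of a payment-request
email against the contacts you already hold, as steps 1 and 2 describe."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample directory: the contacts your accounts team already has on file.
KNOWN_CONTACTS = {
    "Alex Boss": {"address": "alex@example-company.com", "phone": "+61 3 0000 0000"},
}
KNOWN_DOMAINS = {"example-company.com"}

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike domains (a letter or two changed)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw_email: str) -> dict:
    """Verdict on the From header, plus the phone number from our own records to call."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    known = KNOWN_CONTACTS.get(display_name)
    findings = []
    if known and known["address"].lower() != address:
        findings.append("display name matches a known contact but the address does not")
    if domain and domain not in KNOWN_DOMAINS:
        close = [d for d in KNOWN_DOMAINS if 0 < _edit_distance(domain, d) <= 2]
        if close:
            findings.append(f"sender domain {domain!r} looks like {close[0]!r}")
        else:
            findings.append(f"sender domain {domain!r} is not a known domain")
    return {
        "display_name": display_name,
        "address": address,
        "suspicious": bool(findings),
        "findings": findings,
        # Step 2: confirm by phone using the number on file, never one taken from the email.
        "phone_to_call": known["phone"] if known else None,
    }

# Constructed sample: same display name as the boss, but a look-alike domain.
SAMPLE = ("From: Alex Boss <alex@example-c0mpany.com>\n"
          "Subject: Urgent: update our bank details\n\nPlease pay the attached invoice.\n")
```

Running `check_sender(SAMPLE)` reports both findings and hands back the phone number on file, so the accounts person never dials a number taken from the email itself.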
3. Document and then stick to your process.
Your accounts team needs a documented process for handling changes to payment details or adding new payment details, and every member of staff must follow it – even the CEO! If the CEO requests a change to the bank account details for their pay in a way that bypasses the process, the request must be rejected; they need to follow the same procedure as everyone else. There is little pushback on CEOs when they do this, and hackers know it: this kind of fraud is named after them, “CEO Fraud”. We wrote about CEO Fraud back in 2021.
4. Train and test your staff.
Your staff should undergo cybersecurity training to identify fraudulent emails and invoices when they arrive. In addition to training, your team should be tested regularly.
Testing is done by running a simulated phishing attack. First, an email that is crafted to look legitimate, but is in fact a simulated attack, is sent to your team. Then, using the campaign’s reporting, you can see who opened the email, clicked any links, and provided their login details.
Intuitive IT can provide this service for you. We can automate the entire process, run and monitor the campaigns, and report which staff passed and which failed. IIT can even automatically enrol those who fail in training.
We include the Simulated Phishing Attacks in all our plans. Managed Security Awareness is included on our highest Managed IT Support plan and on all of our Managed Security plans. We can provide Managed Security Awareness as an à la carte option for $6 ex GST per person per month.
$6 a month. As I said – it’s a no-brainer. You receive peace of mind for what is now the price of a coffee in Fitzroy.
Please don’t wait until after you’ve found out a fraudulent invoice has been paid. Action this now and avoid damaging your business…and lawyer fees.
About the author
Yener is the founder and Managing Director of Intuitive IT. Prior to running his own business, Yener worked for a number of corporate organisations where he gained invaluable experience and skills, as well as an understanding of how IT can complement and improve business outcomes.