Five Critical Steps to Strengthen Internal Cash Controls to Combat Evolving Fraud
Our investigative teams have seen a recent uptick in fraud attempts and successes based on social engineering. Wire fraud has been on the rise for years and criminals are well aware that targeting affluent individuals and closely held businesses can pay off extremely well and quickly. Although few would admit to being vulnerable to scams, today there are an alarming number of socially engineered schemes being perpetrated successfully. Thieves, schemers and hackers try to obtain information about internal cash controls like wire transfer protocols, travel itineraries, and who’s who within an organization by assuming “legitimate” identities. These are not new cons; however, the tools used to carry out these schemes have changed with technology and the times. Cyber thieves use the most convincing, available and efficient tactics to steal the most money quickly, and with little suspicion.
Fraud on a company, closely held business or even a family office is usually an inside job. However, an inside job doesn’t have to be initiated by an employee often key employees are unwitting participants. Sometimes, the mechanism is as simple as a phone call. An unsuspecting employee may provide names, titles, contact information and internal reporting structure to a legitimate-sounding caller. In other instances, the fraudster may hack into an internal email account and lurk within the company’s network, learning about the organization as well as the roles and protocols for cash movement before craftily assuming an internal identity and initiating a scheme. In many such instances, the employee targeted for information within the organization is not a senior manager and may execute the fraud without further inquiry, believing the directive comes from the C-suite.
In one example, the accounting manager of a closely held business was duped into wiring more than $5 million for what appeared to be a familiar and authorized transaction requested by a superior. In another case, a family office senior executive nearly authorized a transfer of close to $500,000 on behalf of a client as payment for an apparently legitimate and approved purchase. In both cases, wire transfer protocols were known to the perpetrators, and the criminals even knew key travel itineraries of the respective principals. A convincing tactic that a fraudster used in one case was replicating the principal’s actual signature.
In these schemes, the funds are usually transferred to a destination country bank where cooperation from the banks and authorities is limited or nonexistent. This can mean that none of the funds will be recoverable or traceable to the ultimate criminal recipient. Clearly, the best solution is to avoid becoming a victim in the first place. Now is a good time to review your company’s internal controls over monetary assets. Ensure that controls over electronic transfers and other disbursements methods are more than adequate to consider and prevent fraudulent payments. The five key steps below can help prevent unauthorized disbursements:
- Review cash disbursements controls and ensure that electronic transfers and check disbursements above a specified amount require at least two authorizations, with at least one of the authorizations required to be certain named executives when above a specified level. Additionally, implement electronic password-protected or callback verification procedures with the bank for electronic transfers.
- Implement a positive pay banking process whereby the bank is notified in advance of approved disbursements.
- Assess the adequacy of controls over vendor setup and periodically review for changes.
- Assess the adequacy of system security on a regular basis and consider professional cyber threat assessment evaluation to search for malware or other intrusions.
- Ensure adequate and current training is provided to all employees, including the importance of protecting sensitive company and employee information as well as educating employees on the latest fraud schemes so they do not become unwitting participants.
By Gary Arrick , a former Managing Director at Kroll.