For all the talk of cybercrime and fraud, actual instances and attacks seem relatively few and far between.
In fact, you may be wondering what all the fuss is about. The truth is, financial fraud is much more common than many believe – and very easy to pull off. Businesses in the UK are falling victim to hack-attacks, data theft and invoice fraud every day.
However, not enough is being done to make business decision-makers aware of the real risk of cybercrime and business fraud in general. There is very little knowledge sharing, which perpetuates ignorance and a false sense of security. This situation only serves to aid the fraudsters: if you’re not expecting them, chances are you won’t spot them until it’s too late.
The media recently revealed that Uber suffered a massive data breach in 2016 – and concealed it. The hack affected 57 million customers and drivers, and yet the company said nothing. The reason for this is simple: when a security breach happens, a business doesn’t want to make the information public in case it damages its reputation and customer or supplier relationships.
It’s an understandable reaction. In 2015, TalkTalk lost 95,000 customers and watched its profits halve as a direct result of a cyber attack. No business wants customer confidence to drop, but should such an event occur, a lack of communication is incredibly short-sighted. When individual companies fail to share information related to security breaches, the wider business ecosystem remains shockingly unaware and unprepared.
Financial institutions and governments frequently publish information on the risks of fraud. ActionFraud, for example, is a government-led centre for reporting instances of national fraud and cybercrime in the UK. It’s a good initiative, but much more could be done to promote it to businesses.
Perpetrating fraud is particularly easy when it comes to purchase order (PO) and invoice approval processes. We’re aware of quite a few companies that have fallen victim in this area. A supplier, for example, simply sends in two invoices for the same PO a couple of weeks apart – but with different invoice numbers. Rarely will the person approving payments remember processing the first invoice, so both get paid. If the double payment is noticed, the supplier can just apologise for the ‘error’.
Another common example is when a fraudster sends an email to a company pretending to be one of its suppliers. The email notifies the accounts payable team of a change to the supplier’s bank details. If not caught immediately, the perpetrator will receive all payments due to that supplier until credit control discovers the fraud.
In addition to a lack of general awareness, companies often choose to ignore these potential threats. Many don’t have the budget to overhaul their security infrastructures and are reluctant to put pressure on their cashflow. Unfortunately, this mindset only shifts once their security has been breached and they’ve lost money.
Implementing more rigorous security measures can be effective, but typically increases a company’s administrative workload. Round-the-clock vigilance is crucial and, when managed manually, is vulnerable to human error. Manual processes are also only successful at reducing risk if they are proactive and block threats before they happen.
One solution involves the use of purchase automation applications. These are specifically designed to automate manual administration and, in doing so, stop the most common instances of supplier fraud. This naturally takes some resources to set up and run, but it does remove the opportunity for human error – and reduce the administrative burden. What’s more, the overall expense will be far less in the long run than the cost of paying false invoices for months.
It also pays to implement an authorisation process that verifies any supplier request to update payment information or the like. Whether manual or automated, it’s absolutely critical that all new suppliers are validated before signing on.
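The two controls described above, shown as an added example (not taken from the article or from any particular purchase automation product): each invoice is checked against the remaining value of its PO, which catches a second invoice under a new number, and against the bank account held on file, which holds payment when details were changed without verification. All data, account strings and field names are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data; the field names are assumptions for this example.
PURCHASE_ORDERS = {"PO-1001": Decimal("5000.00"), "PO-1002": Decimal("1200.00")}

# Validated suppliers and the bank account confirmed with each one out of band.
SUPPLIERS = {"ACME": "GB00-TEST-0001", "BOLT": "GB00-TEST-0002"}

INVOICES = [
    {"no": "INV-77", "supplier": "ACME", "po": "PO-1001",
     "amount": Decimal("5000.00"), "pay_to": "GB00-TEST-0001"},
    # Same PO two weeks later under a different invoice number.
    {"no": "INV-93", "supplier": "ACME", "po": "PO-1001",
     "amount": Decimal("5000.00"), "pay_to": "GB00-TEST-0001"},
    # Payment requested to an account that was never verified.
    {"no": "INV-12", "supplier": "BOLT", "po": "PO-1002",
     "amount": Decimal("1200.00"), "pay_to": "GB00-TEST-9999"},
]


def review_invoices(invoices, purchase_orders, suppliers):
    """Return {invoice number: [reasons to hold]}; an empty list means payable."""
    billed = defaultdict(Decimal)  # running total invoiced against each PO
    results = {}
    for inv in invoices:
        reasons = []
        po_value = purchase_orders.get(inv["po"])
        if po_value is None:
            reasons.append("no matching PO")
        elif billed[inv["po"]] + inv["amount"] > po_value:
            # The invoice number is new, but the PO is already fully billed.
            reasons.append("exceeds PO value")
        else:
            billed[inv["po"]] += inv["amount"]

        account_on_file = suppliers.get(inv["supplier"])
        if account_on_file is None:
            reasons.append("supplier not validated")
        elif inv["pay_to"] != account_on_file:
            reasons.append("bank details not verified")
        results[inv["no"]] = reasons
    return results


if __name__ == "__main__":
    for number, reasons in review_invoices(INVOICES, PURCHASE_ORDERS, SUPPLIERS).items():
        print(number, "HOLD: " + ", ".join(reasons) if reasons else "OK to pay")
```

Matching on PO value rather than invoice number is what makes the check work here, because the second invoice in the scenario deliberately carries a different number.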
To reduce the real risk of supplier fraud, and business fraud in general, the responsibility needs to be shared. Finance teams must advise their company leaders, as well as their clients, on best practices, and financial institutions and public bodies need to invest more in business owner education.
Most importantly, businesses that are victims of fraud and hack attacks must speak up and share their experiences. By sharing real-world stories and relevant information, other companies are more likely to appreciate the risk, learn, and improve their security measures.
This article was written by Neil Robertson and originally published on AccountingWEB.
Thanks for sharing. Great info, it's really important to be prepared.