We’ve seen a spike in the number of scams and frauds carried out by changing supplier/creditor banking details in businesses’ accounting software.
Scams and fraudulent behaviour can happen internally and externally. We’ve broken down the simple ways it can happen before your eyes.
Internally
- Bookkeepers change the supplier’s bank details to their own. Legitimate invoices are paid but the supplier never receives payment.
- Bookkeepers create a bogus supplier that mirrors a legitimate existing one, and bogus invoices, or copy invoices already paid. Payment is then processed to what seems like a legitimate supplier but funds go to the bookkeeper.
Externally
- Scammers do their research by reading your online materials such as strategic plans, budgets or website news. They then portray themselves as a regular supplier to you, in most cases one you already are doing business with.
- They ask you to change the banking details to which you pay their invoices, generally via email, using a fake but believable email address (e.g. CEO@believablename.com.au).
- Sometimes it stops there, and the next time you pay a legitimate invoice it’s to the ‘new bank account’ and whoosh – the money is untraceable thereafter, never to be returned.
Sometimes they apply an extra layer…
- A sham request for a new invoice to be paid is issued to you, or a phone call saying you haven’t paid your last bill.
- You or your administration staff say “okay, send through the invoice”.
- Their mock invoice is sent with the ‘new bank account’ details. Your ‘supplier’s’ details are updated, and the invoice is set to be processed in the next payment run.
- If there aren’t appropriate checks of the legitimacy of each invoice being paid, it might just slip through. Even more devious, they may portray themselves as your CEO and send an email request from your CEO’s hacked account to URGENTLY PAY THIS BILL. Your staff enter the supplier details and away they go.
Prevention
- Promote awareness
- Be hyper-vigilant around requests to change suppliers’ details, particularly bank account details. Call the requester back to confirm. Speak to the person you normally speak to. Never accept an online request to change supplier details.
- If your accounting software allows it, produce a ‘Supplier Masterfile Changes Report’ with each payment run. This lists the changes that have been made to supplier details. Check the legitimacy of each change.
- Build some rules/policies/procedures around changing supplier details in your accounting software (e.g. each request must be supported by legitimate evidence and phone verification).
- Make sure a review of the invoices to be paid is done by appropriate staff (outside of accounts payable). Make sure the reviewer knows what the payments are for and why they are being paid.
- Segregation of duties – accounts payable staff shouldn’t have sole ability to set up a supplier, process an invoice and then make a payment. Dual payment authorisation at a minimum should be in place.
- Have an internal auditor look at your accounts payable function to highlight control weaknesses.
- Be insured – request a quote from your local broker for cyber-crime and fraud insurance. It is surprisingly inexpensive.
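One way to automate the ‘Supplier Masterfile Changes Report’ check with each payment run, as an added example that is not from the original article or any accounting package. The record layout, supplier names, staff login and account numbers are all constructed assumptions; it also flags the two internal patterns described earlier (a supplier paid into a staff member’s account, and a near-duplicate supplier).

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample data; the record layout is an assumption, not a real export format.
SUPPLIERS = {  # supplier name -> bank account on file
    "Acme Plumbing": "063-000 1111 2222",
    "ACME Plumbing Pty Ltd": "083-111 9999 8888",
    "Bendigo Paper Co": "633-000 5555 6666",
}
PAYROLL_ACCOUNTS = {"jsmith": "083111 99998888"}  # staff login -> payroll account
CHANGES = [  # supplier masterfile change log
    {"supplier": "Bendigo Paper Co", "field": "bank_account",
     "changed_on": date(2024, 5, 20), "phone_verified": False},
    {"supplier": "Acme Plumbing", "field": "bank_account",
     "changed_on": date(2024, 3, 1), "phone_verified": True},
]

def digits(account):
    """Compare accounts on digits only so spacing or dashes cannot hide a match."""
    return re.sub(r"\D", "", account)

def name_key(name):
    """Lower-case and drop company suffixes so near-identical names collide."""
    words = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(w for w in words if w not in {"pty", "ltd", "co"})

def review_payment_run(payments, suppliers, changes, payroll, last_run):
    """Return {supplier: [reasons]} to hold; payments are names from the masterfile."""
    staff = {digits(acct): user for user, acct in payroll.items()}
    findings = defaultdict(list)
    for name in payments:
        for c in changes:
            if (c["supplier"] == name and c["field"] == "bank_account"
                    and c["changed_on"] > last_run and not c["phone_verified"]):
                findings[name].append("bank details changed since last run, not phone-verified")
        account = digits(suppliers[name])
        if account in staff:
            findings[name].append("bank account matches payroll account of " + staff[account])
        for other, other_acct in suppliers.items():
            if (other != name and name_key(other) == name_key(name)
                    and digits(other_acct) != account):
                findings[name].append("near-duplicate of '" + other + "' with a different account")
    return dict(findings)

if __name__ == "__main__":
    held = review_payment_run(list(SUPPLIERS), SUPPLIERS, CHANGES, PAYROLL_ACCOUNTS, date(2024, 5, 1))
    for supplier, reasons in held.items():
        print(supplier + ": " + "; ".join(reasons))
```

Each held payment still needs a person outside accounts payable to call the supplier on a known number before it is released.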
Detection
- Check the amounts being paid to suppliers – does it match your expectations?
- Check your financials against budget/expectations (if you’re over budgeted expenditure without explanation, there may be a fraud).
- Has there been a sudden improvement in the lifestyle of your administration employees/bookkeeper (BMWs in the parking lot?).
- Make your employees take regular holidays during which their role is performed by another employee.
Have a general awareness of what the normal activities of your finance team are, and be aware of their well-being. Do they have gambling issues or financial stress? Are they disgruntled? Are they behaving unusually? Do they have a suspected addiction? Is someone in their family ill and in need of funds to support their rehabilitation?
Please don’t be a victim. If you have any queries around this, please call Brad Ead – AFS’s Head of Internal Audit and Outsourced Finance Manager Resources on 03 5443 0344 or email at b.ead@afsbendigo.com.au