View Expert Insights
September • 14 • 2023
Cyber Risk: Fraudulent Instruction and Accounts Receivable Phishing Scams
Article
Summary
Cybercrime is on the rise. Certain social engineering scams, such as fraudulent instruction requests and accounts receivable phishing attempts, have targeted organizations around the country. These scams may be hard to spot, especially if employees are not trained to recognize them. Learn ways to better protect your organization from cybercrimes.
Cybercrime is on the rise. Certain social engineering scams, such as fraudulent instruction requests and accounts receivable phishing attempts, have targeted organizations around the country.
The fraudulent instruction scam involves a criminal posing as someone else—usually a co-worker, vendor, or client of the organization—who provides deceptive information to induce an employee to transfer funds into a bank account the criminal controls.
Example: A bad actor, posing as an employee, emails an organization’s payroll department advising that she is on vacation and just realized that she forgot to notify the department that she changed bank accounts a few weeks ago. She explains that she needs immediate access to her paycheck and provides new account information to the payroll representative. She asks the representative to route her paycheck to her new account as soon as possible.
The accounts receivable phishing scam usually involves a criminal posing as an employee asking for accounts receivable reports. After receiving the reports, the criminal will contact customers and demand payment using deceptive techniques. Any payment the customer makes is deposited in a criminal-controlled account.
Example: At fiscal year-end, a bad actor posing as the hospital’s chief financial officer emails a hospital accounting clerk and asks for an urgent, emailed copy of a past due accounts receivable report. The “CFO” explains that he is working from home during the holidays and needs this information to complete the organization’s annual report. He instructs the clerk to include email addresses for the contacts on the list.
These scams may be hard to spot, especially if employees are not trained to recognize them. Scam requests typically arrive via email and purport to come from someone the recipient knows. The email address may be “spoofed” or similar, but not identical, to the actual email address of the customer or employee. The email’s tone is often urgent, and it may appear to come from a mobile phone. The imposter may claim to be traveling and available only via email.
Fraudulent instruction and accounts receivable phishing scams can significantly impact an organization’s bottom line. The best way to protect your organization from these cybercrimes is by promoting employee vigilance, heightened security awareness, and well-crafted policies and procedures. Consider the following when reviewing your organization’s cybersecurity policies and procedures:
Copyrighted. No legal or medical advice intended. This post includes general risk management guidelines. Such materials are for informational purposes only and may not reflect the most current legal or medical developments. These informational materials are not intended, and must not be taken, as legal or medical advice on any particular set of facts or circumstances.
The fraudulent instruction scam involves a criminal posing as someone else—usually a co-worker, vendor, or client of the organization—who provides deceptive information to induce an employee to transfer funds into a bank account the criminal controls.
Example: A bad actor, posing as an employee, emails an organization’s payroll department advising that she is on vacation and just realized that she forgot to notify the department that she changed bank accounts a few weeks ago. She explains that she needs immediate access to her paycheck and provides new account information to the payroll representative. She asks the representative to route her paycheck to her new account as soon as possible.
The accounts receivable phishing scam usually involves a criminal posing as an employee asking for accounts receivable reports. After receiving the reports, the criminal will contact customers and demand payment using deceptive techniques. Any payment the customer makes is deposited in a criminal-controlled account.
Example: At fiscal year-end, a bad actor posing as the hospital’s chief financial officer emails a hospital accounting clerk and asks for an urgent, emailed copy of a past due accounts receivable report. The “CFO” explains that he is working from home during the holidays and needs this information to complete the organization’s annual report. He instructs the clerk to include email addresses for the contacts on the list.
These scams may be hard to spot, especially if employees are not trained to recognize them. Scam requests typically arrive via email and purport to come from someone the recipient knows. The email address may be “spoofed” or similar, but not identical, to the actual email address of the customer or employee. The email’s tone is often urgent, and it may appear to come from a mobile phone. The imposter may claim to be traveling and available only via email.
Risk Recommendations:
Fraudulent instruction and accounts receivable phishing scams can significantly impact an organization’s bottom line. The best way to protect your organization from these cybercrimes is by promoting employee vigilance, heightened security awareness, and well-crafted policies and procedures. Consider the following when reviewing your organization’s cybersecurity policies and procedures:
- Require the use of “out-of-band” authentication to confirm requests. The best way to prevent fraudulent instruction or accounts receivable phishing scams is by out-of-band authentication. This is a method of verifying financial account detail requests via a mode of communication that differs from the initial wire request and via a previous or different contact than was provided in the original communication. Ensure that your policies and procedures require the use of out-of-band authentication to confirm transfer or change requests, especially if they involve a request to send money to a bank account that differs from one used in the past. Examples of out-of-band authentication include:
- An employee receives an urgent email from a vendor requesting a large money transfer. The employee wants to confirm the request’s legitimacy, so he telephones the vendor using the contact information he has on file, not the contact information provided in the email requesting the change.
- An accounting employee receives an email from a co-worker requesting a payment transfer into a new bank account. The employee walks over to the co-worker’s office and asks her to verify that she made the request.
- Require dual authorization of transfer requests. This is an additional layer of security requiring the authorization of two employees before sending the transfer. Develop policies and procedures that outline when to use dual authorization when responding to transfer instructions or other requests.
- Provide security awareness training. Financial resource training should include instruction on how to spot fraudulent instruction requests and accounts receivable phishing attempts. This training should require employees to immediately report any phishing attempts or fraudulent instruction requests.
- Tag external emails. Work with software vendors to clearly identify or “tag” all emails originating from outside the organization. Carefully review all tagged emails prior to responding or opening attachments. Train employees how to report and handle suspicious emails.
- Optimize security software. Work with your IT department to optimize antivirus software and firewalls to protect against cyberattacks. Regularly update software to block new and emerging cyber threats before they cause harm.
- Consult your insurance agent or broker. Work with your insurance agent or broker to ensure adequate cyber liability coverage. Understand your policy coverage terms and provisions and know how to file claims.
Copyrighted. No legal or medical advice intended. This post includes general risk management guidelines. Such materials are for informational purposes only and may not reflect the most current legal or medical developments. These informational materials are not intended, and must not be taken, as legal or medical advice on any particular set of facts or circumstances.