How Fraudsters Will Use Your Accountant to Get to You
Updated: Apr 24, 2022
I AM ANGRY.
It is a very busy time of year, and in many ways, I should be doing other things besides writing in my blog. But an incident from this week has prompted me to say something that is too important to remain silent about. Read to the end to get some tips on how you can ensure you don't get caught up in one of these scam attempts.
When I was in my corporate role, there were several instances where payments had been interfered with. The result: some other person has taken the company's money and, in all likelihood, will never be found.
The first time this happened in my career (and the story will help to show my age), company cheques were stolen from the mail. The payee names were changed (and I actually still do not know how that can work) and the money taken. Sometimes we would see where the amounts were also changed. Sometimes we would see bad imitations of our own corporate cheques. But the result was the same.
To combat this, we stopped using envelopes with windows and we checked the bank account every day. We used better envelopes with security linings. Not only did we lose the money they took from the account, but we increased our overhead cost to ensure it never happened again.
I actually added a small element to my signature to help me pick out if my signature was being imitated or was "lifted" off an actual cheque I signed. I changed my signature because of fraud attempts. As I was becoming more senior in financial roles, I was being targeted more and more.
Later in my career, as electronic payments became more prevalent, things changed. I would get emails from executives asking me to help them out. Could I send a wire? Could I buy some gift cards? Other times we would get emails from vendors saying "oh my banking info changed" or even from employees with the same story. Often these emails had clues right in them that something was wrong. The most obvious -- would the CEO ever email an AP person for a wire directly? And would they make a spelling mistake in their own name? If you "replied" to the email, you could often see that you were being directed to an account that was not part of the company domain -- or it might look like your domain, but if you looked carefully there was an extra letter that changed the domain ever so slightly.
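The two email clues described above (a reply address outside the sender's domain, and a domain that differs from the real one by an extra letter) can be checked mechanically. This is an added example, not part of the original post; the trusted domain example-corp.com and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: your own company domain(s)

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw, trusted=TRUSTED_DOMAINS):
    """Flag a Reply-To that leaves the From domain, and near-miss domains."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To")) or from_dom
    findings = []
    if reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    for dom in {from_dom, reply_dom}:
        # Not a trusted domain, but within two edits of one: likely look-alike.
        if dom and dom not in trusted and any(
                0 < edit_distance(dom, t) <= 2 for t in trusted):
            findings.append("lookalike:" + dom)
    return sorted(findings)

# Constructed sample messages (headers only, then a blank line and a body).
SPOOFED = ("From: The CEO <ceo@example-corp.com>\n"
           "Reply-To: ceo@example-corrp.com\n"
           "Subject: Urgent wire\n\nCan you send a wire today?\n")
LOOKALIKE_FROM = ("From: Jane <jane@examp1e-corp.com>\n"
                  "Subject: Banking info changed\n\nPlease update our account.\n")
LEGIT = ("From: AP Team <ap@example-corp.com>\n"
         "Subject: Invoice status\n\nPaid on the 3rd.\n")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("lookalike", LOOKALIKE_FROM), ("legit", LEGIT)]:
        print(name, check_message(raw))
```

A message sent from a genuinely compromised mailbox, like the one described later in this post, passes both checks, which is why the follow-up through a separate channel still matters.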
We taught all of our team members to not answer emails with payment changes or requests to wire. These types of requests are followed up with a phone call (and not the phone number in the email, go back to your own contact list). We taught them that you could trust NOBODY, not even your own supervisor. Get up and walk over and ask the question: "Did you send me an email about a bank account?"
My heart sank every time someone trusted too much. When you got that phone call that said, "why haven't you paid my invoice?"...and you know you did. Or when an employee called and said "my pay hasn't arrived yet". For these situations to happen, someone believed someone. They extended some trust. And these fraudsters count on the fact that we are busy. We read our emails quickly. And we are usually "rewarded" for a prompt reply.
The accounting/finance/bookkeeping world succeeds by becoming trusted partners with our clients. Whether that client is another department in the same company...or an entrepreneur who has trusted you to help manage their financial life....it is built on trust. Unfortunately, the more we trust, the more we are at risk.
This week, I received an email from a client. In this case, I am the accounting and bookkeeping service provider. There is another accountant who does tax preparation. We were both on the same email. The client claimed to be busy (and he is, his business is growing) and asked if we could help him with a wire transfer. I checked...the email address looked valid. Spelling was ok - well one typo, but that happens right? Because I had been so trained not to take these requests by email, I followed my own protocol. I sent a text. I asked a question about the email.
In this case, it looks like the fraudster actually hacked into his email account. Found the contacts (which means our history of emails was probably read) who should be reached out to. Drafted and sent the email. Deleted the email from sent items, and then created a rule for that email so that if we did reply it would move from the inbox to another folder and would show as "READ".
I hate the feeling after you know your privacy was violated. I hate that people in my profession are being used as a tool in this fraudulent activity. It is troubling that a business (my business) that succeeds based on trust has to include an inherent "mistrust" that we are actually speaking to who we think we are speaking to.
I am so glad that my "spidey senses" are in tune with this activity that I did not engage the fraudster, or send money that was never meant to be sent. I am ANGRY that the fraudsters will even target the "solopreneurs" who are less equipped to recover from these types of losses. The large corporations do not deserve this behaviour either -- but at least they have a strong ability to continue business if there is a loss. I shudder at what this type of activity could do to some of my clients.
Things to remember when managing email requests:
If it is not something that has happened before / happens rarely -- DOUBLE CHECK. And do not reply to the email/text/WhatsApp/DM etc... Use a different way of reaching out and YOU initiate a new stream of conversation. And don't underestimate the value of a phone call. If you do not normally send payments or if that person usually reaches out to your boss -- something is up.
Change passwords -- even if you have the greatest password, you need to change it from time to time. It is a pain...but that is easier to manage than money being taken from you that you cannot afford.
Do not send gift card codes to anyone -- if someone asks you to buy gift cards and then send them the codes, just do not do it. Again, DOUBLE CHECK that the person who asked you to do it is actually asking you.
Better late than sorry -- there are so few real FINANCE EMERGENCIES. Urgent payments may happen, but if the need to double check the validity of the request slows the payment down, then the recipient should understand. The pressure of time sensitivity lowers our attention to detail. So a HURRY, HURRY style email should make you suspicious. Call someone in that case. Make sure that they understand you are protecting them (and while you are at it make sure that the request is valid).
Do not change payment details without checking -- if the payment details change, call someone. Use a number you have on file -- not the one on the invoice. A letter that says "We are changing our banking info" needs to be validated. Just because it says the letter is from the CFO, doesn't actually mean that it is.
I really wish that the fraudsters used their creativity for legitimate business ventures. The time and energy to create these schemes could be used for ventures that will change the world in a good and positive way. Instead, they are disrupting the workflow of legitimate entrepreneurs. I hope that this discussion will help you to tighten up your own processes. Do not take the extra steps as a personal sign of mistrust. It is, unfortunately, a necessary measure to protect your business from potential fraudulent activity.