Call back procedures are among the most important measures to mitigate your organisation’s exposure to the risk of fraud. Unfortunately, call-back controls can also be a drain on your Accounts Payable (AP) team’s limited resources. Despite the fact that call-backs are time-consuming, the risk of irretrievably transferring funds to a fraudster makes call-backs an indispensable security procedure.
In this blog, we will examine why call-back controls are essential, when your AP team should be conducting call backs and the best-practice procedures they should follow.
Call backs are an essential security control that help Accounts Payable (AP) departments ensure they are paying invoices to the correct payee. Both fraud and error can occur within an AP team, resulting in incorrect bank account details being entered into an ERP system, Vendor Master File or the text-based ABA files that are used to upload bulk payments to online banking portals. Prior to processing EFT payments to suppliers, it is necessary to conduct a call back to verify that the banking details in your systems are accurate. Call back controls help prevent these kinds of problems by confirming, with the supplier, that the banking details held in your records are accurate before allowing transactions to go through.
Call back verification processes are a way for your organisation to verify that the bank account details provided by a supplier are accurate.
Nowadays, most suppliers are paid by Electronic Funds Transfer (EFT) payments. Whilst this can be a very efficient way to pay your invoices, EFT payments carry some significant risks. Chiefly, banks do not match the Account Name with either the BSB or Account Number when you process an EFT payment.
Imagine you need to make a payment to a supplier called XYZ Pty Ltd. Their Account Name for their bank account is predictably XYZ Pty Ltd. No surprises there. However, how can you be certain that the BSB and Account Number in your records are correct?
Many AP teams assume that if the Account Name does not match with either the BSB or Account Number, the payment won’t go through. This assumption is not correct.
When processing an EFT payment, the Account Name field is just a comment field. Irrespective of what is written in the Account Name field, the funds will be sent to the BSB/Account Number entered.
If an incorrect BSB/Account Number is entered, whether due to error or fraud, the funds will be sent to the wrong recipient. The chances of you recovering those funds are very low.
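As an added example that is not part of the original post, the following Python script applies this check before a payment run: it parses the detail records of an ABA file and holds any payment whose BSB/Account Number differs from the details confirmed by call-back for that payee, regardless of what the Account Name field says. The ABA column positions, the vendor master and the sample file lines are assumptions constructed for the example.

```python
# Added example, not from the original post: pre-payment-run check of an ABA
# file's detail records against the BSB/account confirmed by call-back. The
# bank ignores the account-title field, so the check keys on BSB/account. The
# column positions follow the standard ABA detail-record layout as I understand
# it (an assumption); the vendor master and the file lines are constructed.
from dataclasses import dataclass

# Payee name -> (BSB, account) confirmed by call-back (constructed).
VERIFIED_VENDORS = {
    "XYZ PTY LTD": ("062-000", "12345678"),
}

@dataclass
class AbaDetail:
    bsb: str
    account: str
    amount_cents: int
    account_title: str

def parse_detail(line: str) -> AbaDetail:
    """Split a type-1 (detail) record by fixed column positions."""
    if len(line) != 120 or line[0] != "1":
        raise ValueError("not a 120-character ABA detail record")
    return AbaDetail(bsb=line[1:8], account=line[8:17].strip(),
                     amount_cents=int(line[20:30]),
                     account_title=line[30:62].strip().upper())

def check_payment(rec: AbaDetail) -> str:
    """HOLD unless the BSB/account match the call-back-verified details."""
    verified = VERIFIED_VENDORS.get(rec.account_title)
    if verified is None:
        return "HOLD: payee not in verified vendor master"
    if (rec.bsb, rec.account) != verified:
        return "HOLD: BSB/account differ from call-back-verified details"
    return "OK"

def review_file(lines) -> list:
    return [(r.account_title, check_payment(r)) for r in map(parse_detail, lines)]

def make_detail(bsb, account, cents, title, ref) -> str:
    """Build a constructed 120-character detail record for the sample file."""
    return ("1" + bsb + account.rjust(9) + " " + "53" + f"{cents:010d}"
            + title.ljust(32) + ref.ljust(18) + "062-000" + "11111111".rjust(9)
            + "MY COMPANY".ljust(16) + "00000000")

SAMPLE_FILE = [
    make_detail("062-000", "12345678", 150000, "XYZ Pty Ltd", "INV1001"),
    # Same title as the verified payee, but the BSB/account were altered:
    make_detail("012-345", "55555555", 150000, "XYZ Pty Ltd", "INV1002"),
    make_detail("033-111", "98765432", 42000, "New Vendor Co", "INV1003"),
]
```

Note that the second record would be accepted by the bank without complaint, because the title "XYZ Pty Ltd" is never compared to the BSB/Account Number; only the reconciliation against the verified record catches it.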
That’s why you need to make sure you are using accurate bank account details when processing EFT payments. That’s where call back verification procedures come in.
Call back procedures are a way to verify with your suppliers that the bank details you will use to send them EFT payments are accurate.
Typically, when your AP team is onboarding suppliers into your ERP or Vendor Master File, the supplier will provide you with the banking details you need to use to remit payments for goods supplied or services rendered. These are usually provided via email or contained in an invoice.
The problem with this is that sophisticated hackers may breach a supplier’s email account. This can pave the way for them to manipulate the BSB and Account Number. When your AP team makes an EFT payment, the funds end up being sent to a bank account controlled by the fraudster.
This type of scam is known as Vendor Email Compromise (VEC), and instances of VEC attacks are on the rise. That’s why it is essential to conduct call back verification procedures whenever you are onboarding a new supplier into your ERP system or Vendor Master File.
Apart from conducting call backs when you onboard a new supplier, you should also conduct call backs any time an existing supplier requests that you change or update their banking details in your records.
Organisations change bank account details for a variety of reasons. Sometimes, a supplier will change banks, and their old account will be closed. Sometimes the company will change its legal structure, necessitating a new bank account. Occasionally, the supplier may have experienced a fraud resulting in them changing bank accounts.
All AP teams will need a process to handle suppliers changing or updating their bank account details. Just as when you onboard a new supplier, there are risks associated with updating an existing supplier in your ERP or Vendor Master File. Whenever a supplier emails you requesting a change to their banking details, it is essential that your AP team conduct a call back verification.
Another concern for AP teams is the rise of the Business Email Compromise (BEC) attack. This is when a hacker gains access to the email account of a senior representative of your organisation, typically the CEO or CFO. In these types of attacks, the fraudster impersonates the CEO or CFO by sending an email from their email account to your AP team, requesting a payment be made, usually in a hurry.
Such requests should never be complied with unless a call back verification has been undertaken. All too often AP teams will unquestioningly comply with such requests, as they supposedly come from a senior leader within your organisation. However, this would be a mistake. Having clearly defined call back policies in place will reduce your exposure to BEC attacks.
So, in short, any time you onboard a new supplier, update an existing supplier, or receive any payment request, your AP team should conduct a call back verification.
The most important rule when implementing call back procedures in your organisation is to NEVER blindly trust the information contained in an email, whether in the body of the email itself, or within an invoice attached to an email.
Email is simply too vulnerable to hackers to be trusted.
Call back controls are all about verifying the accuracy of information that you have received via email. By calling the individual and verifying that the payment details are correct, your AP team is plugging the verification gap that exists as a result of the banks not matching the Account Name to the BSB or Account Number.
However, just as bank account details can be manipulated in emails, so too can contact details. That’s why one of the most important security measures requires your AP team to independently source the telephone numbers they use when conducting call backs.
Fraudsters are increasingly sophisticated and will design fake invoices to look identical to the real deal. The same is true of email signatures. However, they are known to substitute their own telephone numbers. When unsuspecting AP staff call the telephone number in the email to verify the payment details, they are in fact speaking with the fraudster, rather than with the legitimate payee.
So, the most important thing to remember when conducting call backs is to independently source the contact telephone number from the supplier’s official website. Your AP team should never click on any links to the website from an email or invoice. They should open a new browser window and manually type in the payee’s website address. They should then call the organisation’s switchboard using the official telephone number listed on the website and ask to be put through to the relevant individual in the Accounts Receivable team.
If you receive a call from a supplier asking you to update their bank account details, you should advise the caller that you will return their call. Once again, go to the organisation’s official website, call their switchboard using the telephone number listed on the website, and ask to be put through to the relevant individual. Fraudsters regularly try to deceive AP teams by calling them.
Whilst many organisations have implemented call back controls, they rarely conduct them according to industry best-practices.
All too often, AP teams cut corners when it comes to undertaking call backs because they are time-consuming and manual. For any busy AP team, conducting call backs eats up their valuable time that they should be dedicating to other pressing priorities.
Some of the challenges associated with AP teams conducting call backs include:
AP teams must never trust the telephone details contained in emails or invoices. Your AP team should always independently source a payee’s telephone number from their organisation’s official website.
Fraudsters are known to place calls to AP teams in an attempt to deceive them into transferring funds to a bank account under their control. It is essential that AP teams never blindly trust information they receive from inbound calls or voice messages.
AP teams must ensure they are asking the right questions when verifying banking details. Some organisations require a supplier that is seeking to update their banking details to not only confirm their new account information, but also the old bank account details and details of previous EFT payments. This helps ensure that your AP
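As an added example that is not part of the original post, this Python function encodes the rules above as a gate on a supplier bank-detail change: the number dialled must be the independently sourced official number rather than one found in the email or invoice, and the caller must confirm the old BSB/Account Number and the last EFT payment reference. The vendor record, email text, phone numbers and call-back records are constructed for the example.

```python
# Added example, not from the original post: a gate that accepts a supplier
# bank-detail change only after a call-back done the way described above.
# All names, phone numbers, account details and message text are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional

PHONE_RE = re.compile(r"\+?\d[\d ()-]{6,}\d")   # phone-like runs in free text

@dataclass
class VendorRecord:
    bsb: str
    account: str
    official_phone: str      # typed in from the supplier's own website
    last_payment_ref: str    # reference on the most recent EFT to them

@dataclass
class CallBack:
    number_dialled: str
    old_bsb_given: str       # what the caller said the old BSB was
    old_account_given: str
    last_ref_given: str

def phones_in(text: str) -> set:
    """Digits-only form of every number in the email body, signature or invoice."""
    return {re.sub(r"\D", "", m) for m in PHONE_RE.findall(text)}

def approve_change(rec: VendorRecord, email_text: str,
                   cb: Optional[CallBack]) -> List[str]:
    """Reasons the change must be refused; an empty list means apply it."""
    if cb is None:
        return ["no call-back performed for a bank-detail change"]
    problems = []
    dialled = re.sub(r"\D", "", cb.number_dialled)
    if dialled in phones_in(email_text):
        problems.append("call-back used a number taken from the email/invoice")
    if dialled != re.sub(r"\D", "", rec.official_phone):
        problems.append("call-back number is not the official website number")
    if (cb.old_bsb_given, cb.old_account_given) != (rec.bsb, rec.account):
        problems.append("caller could not confirm the old BSB/account")
    if cb.last_ref_given != rec.last_payment_ref:
        problems.append("caller could not confirm the last EFT reference")
    return problems

# Constructed sample: XYZ's verified record, a change request, two call-backs.
XYZ = VendorRecord("062-000", "12345678", "02 9000 0000", "INV1001")
EMAIL = ("Please update our bank details to BSB 012-345 acct 55555555.\n"
         "Call me on 0400 123 456 to verify. -- Jane, XYZ Pty Ltd")
GOOD = CallBack("02 9000 0000", "062-000", "12345678", "INV1001")
BAD = CallBack("0400 123 456", "062-000", "12345678", "INV1001")
```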
Eftsure provides continuous control monitoring to protect your EFT payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.