Malicious insiders have privileged access to systems and knowledge. This makes insider threats notoriously difficult to identify and prevent. In this blog we explore how insider threats occur and what measures you can take to stop them.
Hisense, the Chinese multinational white goods and electronics manufacturer, is currently embroiled in a $3.37 million fraud scandal.
According to leaked internal documents, large loopholes existed in the internal controls of the Australian arm of Hisense. It is alleged a former employee was able to exploit these loopholes over a six-year period.
According to reports, the former employee used their privileged access to the company’s CRM systems to create fake consumer complaints. It is believed the employee tampered with customer records in the CRM systems to record fake communications with disgruntled customers, before issuing fictitious compensation amounts in response to the complaints.
It is claimed that during the course of the six-year scam, the former employee opened more than thirty bank accounts to receive the fictitious compensation payments. Reports state the scam was executed in excess of 1,200 times, netting the staff member over $3.37 million.
The former employee denies the allegations.
Internal fraud can be notoriously difficult to identify and stop.
One of the key lessons Hisense Australia has apparently learned is that staff need to be rotated between roles from time to time.
Whilst there are many benefits to keeping the same person in the same job for an extended period of time, it also carries significant risks. Organisations benefit from an employee spending a protracted period of time getting to know one role expertly. However, it also means the employee understands intimately where loopholes exist within your internal controls.
Keeping staff members in the same role over a protracted period of time can be a particular problem in Accounts Payable. An employee who stays in the same role for many years gets to know the primary contacts at your suppliers very well. This is great whenever a dispute needs resolving, or a special favour is needed from the supplier. However, this closeness can come back to harm you if your employee gets too friendly with an employee at a supplier organisation. There is a risk the two of them get close enough and decide to help themselves to money that doesn’t belong to them. They may collude to defraud your organisation by issuing and processing fake invoices.
That’s why you should always rotate staff through different jobs on a regular basis when possible.
When staff know they are being rotated through different roles on a regular basis, they may be less inclined to engage in fraudulent tactics. Knowing that someone else will take over the role in the near future, they would be wary that their nefarious acts may be uncovered.
One of the major benefits of regular rotations is that you will end up with a well-trained staff that can fill in for one another in case of unexpected emergencies or absences. Whilst you may get some resistance implementing a regular rotation policy at first, it is definitely a policy worth pursuing. Make sure you get buy-in from senior management. If they question the wisdom of this approach, get your firm’s auditors to recommend it to senior management.
If rotating staff every few months proves too disruptive, try doing it every year or two. Also, take advantage of someone leaving to move people around. Disguising it as a promotion can help placate disgruntled staff.
Perhaps no measure is as effective as segregation of duties when it comes to preventing internal fraud.
The Hisense Australia case illustrates this. One employee had authorisation to both create fake customer complaints in the CRM system, and then approve compensation payments in response to those fake complaints.
Many CFOs and Accounts Payable Managers are well-versed in the importance of segregation of duties. But, whilst segregation of duties may exist within the Accounts Payable team, your organisation may still be at risk of internal fraud if other departments within your organisation have not embraced this approach.
After all, it is not the task of Accounts Payable staff to check whether customer complaints in the CRM system are legitimate before processing a compensation payment. In the Hisense Australia case, it was the responsibility of the customer service department to ensure they had their own internal departmental controls in place.
Despite this, CFOs have an important role to play in driving awareness of the importance of segregation of duties in other departments. Furthermore, Accounts Payable teams play a critical role in identifying suspicious outgoing payments, particularly when multiple sums are being remitted to the same bank account, or in cases where the same staff member is requesting multiple outgoing payments.
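The checks described above can be run over a payment export before a batch is released. The following is an added example, not eftsure's code or anything from the reports on the case: it flags payments where the same person raised and approved the complaint, bank accounts receiving compensation for more than one customer, and staff requesting an unusual number of payments. The field names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records; field names and values are illustrative only.
PAYMENTS = [
    {"id": 1, "raised_by": "alice", "approved_by": "bob",   "bsb": "062-000", "account": "11111111", "customer": "C-100"},
    {"id": 2, "raised_by": "carol", "approved_by": "carol", "bsb": "062-001", "account": "22222222", "customer": "C-101"},
    {"id": 3, "raised_by": "carol", "approved_by": "carol", "bsb": "062-001", "account": "22222222", "customer": "C-102"},
    {"id": 4, "raised_by": "carol", "approved_by": "carol", "bsb": "062-001", "account": "22222222", "customer": "C-103"},
    {"id": 5, "raised_by": "carol", "approved_by": "dave",  "bsb": "062-002", "account": "33333333", "customer": "C-104"},
    {"id": 6, "raised_by": "alice", "approved_by": "bob",   "bsb": "062-000", "account": "11111111", "customer": "C-100"},
]

def review_payments(payments, max_customers_per_account=1, max_requests_per_staff=3):
    """Return payment ids grouped by the control each one fails."""
    sod_violations = []
    customers_by_account = defaultdict(set)
    ids_by_account = defaultdict(list)
    ids_by_staff = defaultdict(list)

    for p in payments:
        # Segregation of duties: the person raising the complaint must not approve it.
        if p["raised_by"] == p["approved_by"]:
            sod_violations.append(p["id"])
        key = (p["bsb"], p["account"])
        customers_by_account[key].add(p["customer"])
        ids_by_account[key].append(p["id"])
        ids_by_staff[p["raised_by"]].append(p["id"])

    # One bank account collecting compensation for several different customers.
    shared_accounts = {k: ids_by_account[k] for k, c in customers_by_account.items()
                       if len(c) > max_customers_per_account}
    # One staff member behind an unusual number of payment requests.
    heavy_requesters = {s: ids for s, ids in ids_by_staff.items()
                        if len(ids) > max_requests_per_staff}
    return {"sod_violations": sod_violations,
            "shared_accounts": shared_accounts,
            "heavy_requesters": heavy_requesters}

if __name__ == "__main__":
    for check, hits in review_payments(PAYMENTS).items():
        print(check, hits)
```

Repeat payments to the same customer's account (ids 1 and 6) are not flagged; tune the thresholds to your own payment volumes.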
With eftsure integrated into your Accounts Payable processes, all your outgoing payments will be cross-checked against our database comprising over 2 million Australian organisations.
When processing an EFT payment, any discrepancy between the Account Name and the BSB or Account Number will be flagged with a Red Thumb. In many instances of internal fraud, the malicious insider will list a fictitious Account Name alongside a genuine BSB and Account Number. In these circumstances, eftsure provides you with an invaluable heads-up – allowing you to further investigate the matter before issuing a payment.
For a full demonstration of eftsure’s ability to protect your organisation from internal fraud, contact us today.