Whenever there’s a crisis, such as the coronavirus pandemic, you can be sure scammers and fraudsters will crawl out of the woodwork.
We’ve all learned to query emails and texts purporting to be from HMRC in the past decade, but the same now goes for coronavirus-related communications.
Whether it’s in the form of virus-laden emails promising government grants or phishing for bank details in text messages designed to look as if they’ve come from the Government track-and-trace programme, unscrupulous types seem to revel in chaos and confusion.
At JCS, we’re advocates of strong systems and processes at the best of times. At a moment like this, though, they really come into their own.
If you haven’t done so recently, we strongly recommend that you carry out a comprehensive review of the security of your systems and test your processes to make sure they’re fraud-proof.
Train your staff
The greatest weakness in any organisation is also the first line of defence: human beings.
In recent years there’s been an uptick in scams based on ‘social engineering’, designed to exploit the credulity and kindness of people who want to be helpful.
For example, some scammers will send everyone in an organisation emails designed to look as if they’ve come from the finance director or chief executive. They’ll either have some sort of virus or malware attached or, more commonly, a supposedly urgent invoice requiring immediate payment.
Some particularly ingenious and tech-savvy con artists have even begun to use speech synthesis – or ‘deepfakes’ – to fake calls from senior managers. If your CEO phoned you and demanded that you make an immediate bank transfer, would you do it?
Without getting bogged down in scare stories, find a trustworthy source and stay on top of news of financial scams – we tend to cover them in our newsfeed, for example – and make sure you talk to your team about them.
Forewarned is forearmed, as they say.
You should also make sure they know what to do if they’re in any doubt about an invoice: find a verified number for the supplier – not the one on the suspect invoice – and call them directly to check.
Separation of duties
If a scammer does get through your defences, there should be no way one individual can make a payment or transfer without hitting one or more internal checks.
In accounting, this principle is known as ‘separation of duties’.
Ideally, one person should raise a purchase order, another should sign off the invoice and a third should authorise payment.
When it comes to avoiding scams, that means there are three opportunities for the alarm to be raised. It’s also a key factor in avoiding the most common type of internal fraud by preventing staff members making payments to themselves.
Restrict access to systems
It can be hard to strike the right balance between efficiency and security, which is why you’ll still find important passwords scribbled on sticky notes on people’s desks.
Access to your finance systems, from cloud accounting to online banking, should be carefully controlled.
You should regularly review who has access to your systems and remove those who don’t need logins. At the same time, check everyone’s permissions to make sure separation of duties is built in and nobody has free run of the system.
Talk to us for an audit of your organisation’s financial systems to safeguard against scams and fraud.
Dick Haffenden