In its fourth quarter report for 2015, Ubiquiti Networks, a technology company serving enterprises and service providers, included one standout line. Beneath the usual profit and loss results and announcements of new products, the company said:
As disclosed in the Form 8-K filed on August 6, 2015, we lost $39.1 million in connection with a business e-mail compromise (“BEC”) fraud involving employee impersonation.
A report on Pymnts.com, based on the firm’s SEC filing, explained that a member of the company’s own staff in a Hong Kong subsidiary had received an official-looking email that appeared to come from someone in the company’s finance department and requested payments. As a result of that request, Ubiquiti sent a total of $46.7 million to another company in Hong Kong and to a number of other accounts held overseas. Ubiquiti quickly managed to recover $8.1 million and expected to recoup an additional $6.8 million, but the hunt was still on for the remaining $39.1 million.
The company conducted a review of its operations, and found no evidence that its systems or company data had been compromised. However, “the Company, its Audit Committee and advisors have concluded that the Company’s internal control over financial reporting is ineffective due to one or more material weaknesses. The Company has implemented enhanced internal controls over financial reporting since June 5, 2015 and is in the process of implementing additional procedures and controls pursuant to recommendations from the investigation.”
Ubiquiti didn’t explain in its SEC report what steps, if any, the employee had taken to confirm the identity of the fraudsters. It didn’t describe the weaknesses in its internal controls nor the procedures that its investigation had uncovered. Understandably, it also didn’t detail the “additional procedures and controls” it was then implementing.
Few businesses suffer B2B payment frauds on the scale of the theft that hit Ubiquiti. The kind of business email compromise (BEC) scam to which Ubiquiti fell victim nets about $6,000 on average. But every company is vulnerable to that fraud—and every company can and must take steps that reduce the chances that they and their clients will become victims.
The nature of the defense structures a business should use will depend on the nature of the attack to which it’s most vulnerable. Against BEC scams, the FBI makes a number of security recommendations:
- Verify any changes in the vendor’s payment location and confirm any requests for the transfer of funds before sending the money.
- Be wary of requests that come from free, web-based e-mail accounts. They’re more susceptible to being hacked than corporate email accounts, and B2B payments are usually discussed through company email. The FBI even recommends the creation of intrusion detection system rules that flag emails from domains similar to the company’s but not exactly the same, such as .co instead of .com.
- Make impersonating your company harder by registering Internet domains that are slightly different from the actual company domain.
- Avoid posting financial and personnel information to social media and company websites. Don’t make it easy for fraudsters to target people with access to lots of funds.
- Make sure that financial security procedures include at least a two-step verification process for wire transfer payments.
- Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes.
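As an added example that is not from the article or the FBI, the Python check below implements the lookalike-domain rule from the list above: it compares the domain in a message's From: header against a constructed company domain and flags top-level-domain swaps, homoglyph substitutions, close typos and domains that embed the company name. The company domain, the homoglyph list and the edit-distance cutoff are assumptions.

```python
from email.utils import parseaddr

# Constructed company domain for the example; replace with your own.
COMPANY_DOMAIN = "example-corp.com"

# Character substitutions used to imitate a domain (assumed list, not exhaustive).
HOMOGLYPH_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(label: str) -> str:
    """Collapse common look-alike character substitutions."""
    label = label.lower()
    for fake, real in HOMOGLYPH_PAIRS:
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, company: str = COMPANY_DOMAIN) -> str:
    """Return 'trusted', 'external', 'invalid' or a 'lookalike-*' verdict for a From: header."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().strip(".") if "@" in addr else ""
    if not domain:
        return "invalid"
    if domain == company or domain.endswith("." + company):
        return "trusted"
    # Assumes a single-label suffix such as .com; adjust for .co.uk style suffixes.
    c_label = company.rsplit(".", 1)[0]
    d_label = domain.rpartition(".")[0]
    if d_label == c_label:
        return "lookalike-tld"          # example-corp.co instead of example-corp.com
    if normalize(d_label) == c_label:
        return "lookalike-homoglyph"    # exarnple-corp.com ("rn" passed off as "m")
    if edit_distance(d_label, c_label) <= 2:
        return "lookalike-typo"         # exampel-corp.com
    if c_label in d_label:
        return "lookalike-contains"     # example-corp-payments.com
    return "external"

def flag_messages(from_headers):
    """IDS-style rule: return the From: headers that should be held for human review."""
    return [h for h in from_headers if classify_sender(h).startswith("lookalike")]
```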
Many of those recommendations could be summed up as “be cautious and use common sense.” When something feels suspicious—when one of those red lights starts flashing—slow down and make sure that all of those doubts are dealt with before a payment is made or a product is delivered.
But BEC fraud should be relatively easy to spot and, with the right amount of caution, easy to stop too. Other kinds of fraud are more complex and more demanding. Attempted frauds that target B2B accounts payable payments, especially those perpetrated not by email but through payment platforms, require tougher safeguards. Matthew Dragiff, Vice President of Product Management for AvantGard Payment Services, recommends using a single, centralized accounts payable system for all outgoings. When all payments, whether made by check, ACH, wire, card, or digital methods, go through the same platform, the company gains more transparency, a common workflow, simplified auditing and compliance, and fewer bank connectivity requirements. The system should integrate multiple levels of approval and segregation of duties, allow for stock inventory management, and provide payment analysis.
That single system should also incorporate an approval workflow for every payment. One member of staff could be allowed to submit a payment request but the payment cannot be made until another member of staff has reviewed and approved the request. Dragiff notes that some companies already use their bank’s Web portal for multi-level approval but argues that the process is difficult when the company has more than one banking relationship.
A centralized system would also continue the switch away from check payments, reducing the opportunities for employees to steal or alter outgoing checks, take blank company checks or misuse obsolete check stock.
And one payment system would also create accessible and complete payment data. The firm’s accounts staff would be able to see not just past payments and match them to orders, but also look for patterns, such as rounded amounts, payments to apparent shell companies or repeated payments below the approval threshold.
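As an added example that is not from the article or from AvantGard, this Python sketch models the two points above: a single queue in which no submitter can approve their own payment and larger amounts need a senior approver, plus a pass over the consolidated payment history that flags round amounts and repeated payments to one payee sitting just under the approval threshold. The threshold, the roles and the heuristics are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed values: payments at or above this amount also need a senior approver.
SENIOR_APPROVAL_THRESHOLD = 10_000.00

@dataclass
class Payment:
    ref: str
    payee: str
    amount: float
    submitted_by: str
    approved_by: Optional[str] = None

class PaymentQueue:
    """One approval workflow for every outgoing payment, whatever the rail (check, ACH, wire, card)."""
    def __init__(self, senior_approvers):
        self.senior_approvers = set(senior_approvers)
        self.payments = {}

    def submit(self, ref, payee, amount, user):
        """Any staff member may request a payment; nothing is released at this point."""
        self.payments[ref] = Payment(ref, payee, float(amount), user)

    def approve(self, ref, user):
        """Segregation of duties: the second pair of eyes must belong to someone else."""
        p = self.payments[ref]
        if user == p.submitted_by:
            raise PermissionError(f"{ref}: submitter may not approve their own request")
        if p.amount >= SENIOR_APPROVAL_THRESHOLD and user not in self.senior_approvers:
            raise PermissionError(f"{ref}: amount requires a senior approver")
        p.approved_by = user

    def releasable(self):
        """Only reviewed and approved payments may be sent to the bank."""
        return [ref for ref, p in self.payments.items() if p.approved_by]

def suspicious_patterns(payments, threshold=SENIOR_APPROVAL_THRESHOLD):
    """Constructed heuristics over the consolidated history: round amounts and
    repeated payments to one payee that sit just under the approval threshold."""
    flags, near_threshold = [], Counter()
    for p in payments:
        if p.amount >= 1000 and p.amount % 1000 == 0:
            flags.append((p.ref, "round-amount"))
        if 0.9 * threshold <= p.amount < threshold:
            near_threshold[p.payee] += 1
    flags += [(payee, "repeated-below-threshold") for payee, n in near_threshold.items() if n >= 2]
    return flags
```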
It has also been recommended that a single payment platform be used for all of a company’s accounts payable. This type of system makes scams and fraudulent efforts easier to spot.
Citibank offers a different solution. In a paper called “Stop, Thief! Best Practices In Fighting Payment Fraud,” Cheryl Gurtz, Citi’s North American Payments Market Manager, Global Transaction Services, briefly describes the different kinds of check and electronic fraud that can hit corporate payments and then lays out a solution.
“Beyond familiarizing yourself with your legal responsibilities and potential liabilities, one of the most powerful and proven effective ways to combat payment fraud is by partnering with a financial institution with the expertise, controls and auditing tools to combat it with you.”
The bank, she says, automatically tests for fraudulent checks, reconciles accounts, secures check stock and offers check issuance data structuring, such as using a secure name font on checks. A Universal Identification Code prevents the divulging of confidential banking information during electronic transfers. ACH Positive Pay flags ACH transfers that fail to meet selected criteria.
Many systems can and do offer some degree of protection against B2B payment fraud, but all methods require the right degree of caution, and no system is perfect. The more complex a payment system, the more vulnerable it may be to fraud, and ultimately, payment systems are operated by people… and people make mistakes. Consider finding a simple system for your business invoicing and payments.