Fraud Protection Best Practices for Leadership
Train all of your employees, not just those with online banking access, to be cautious when clicking on web links or attachments in company emails. Personal emails sent to an employee's company email address, or emails accessed through a public webmail service from a company computer, also pose potential threats.
Educate your employees on how to spot fraud scams. Encourage them to verbally confirm any unusual email request for an outgoing wire transfer, even if it appears to be from a company executive.
Strong internal controls are a critical component in preventing fraud. Best practices include:
- Separate duties in the accounts payable and payments disbursement processes to provide multiple checkpoints for identifying unauthorized payments. More than one employee should be involved in the processes of approving payments, generating checks or ACH payments, signing/approving checks and sending payments.
- Implement a two-touch process for approving payments. Each approver should have a strong knowledge of the accounts payable process and the company’s vendor/payments universe, including what constitutes typical vendor or outgoing payment behavior, so that they can identify and escalate any anomalies.
- Require verbal (phone or in person) confirmation of any internal request for an outgoing payment to a new recipient/vendor, or to a new bank account number of an existing recipient/vendor. Individuals’ personal email accounts can be easily hacked or spoofed, and the fraudster is relying on your employee not questioning or verifying the request. It’s critical that this confirmation be verbal, not by email, because you may in fact be communicating with the fraudster.
- Consult with your end-user services department or IT provider on ways to strengthen your Internet/technology infrastructure to inhibit man-in-the-browser (MITB) attacks and other outside threats.
- Ensure that all company computers are running firewall and antivirus software that is updated and checked for security patches regularly. Updates should be run at least weekly; enabling the software's automatic update feature takes care of this important task.
- Implement a process to immediately remove departing employees’ access to sensitive and password-protected areas and information, especially online banking. A full audit of employee online and sensitive system access should be conducted at least twice per year.
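As an added illustration, not part of the original page, the following Python sketch encodes the separation-of-duties, two-approver and verbal-confirmation rules above as a release check that a payments system could run before disbursing funds. The vendor master, account numbers and employee names are constructed for the example.

```python
# Added example: a payment release gate encoding the controls described above.
# Vendor master, account identifiers and names are constructed placeholders.
from dataclasses import dataclass, field

# Constructed vendor master: vendor id -> bank account currently on file.
VENDOR_MASTER = {"V100": "ACCT-111", "V200": "ACCT-222"}


@dataclass
class PaymentRequest:
    vendor_id: str
    bank_account: str
    amount: float
    requested_by: str
    approvers: list = field(default_factory=list)
    # True only when an approver recorded a phone/in-person confirmation;
    # an email reply does not count, since it may come from the fraudster.
    verified_verbally: bool = False


def is_high_risk(req, vendor_master=VENDOR_MASTER):
    """New recipient, or a bank account that differs from the one on file."""
    on_file = vendor_master.get(req.vendor_id)
    return on_file is None or on_file != req.bank_account


def release_check(req, vendor_master=VENDOR_MASTER):
    """Return the list of control failures; an empty list allows release."""
    failures = []
    approvers = set(req.approvers)
    # Two-touch approval: two different people must sign off.
    if len(approvers) < 2:
        failures.append("two distinct approvers required")
    # Separation of duties: the requester cannot be one of the approvers.
    if req.requested_by in approvers:
        failures.append("requester may not approve own payment")
    # New vendor or changed account: verbal confirmation must be on record.
    if is_high_risk(req, vendor_master) and not req.verified_verbally:
        failures.append("new recipient or changed account: verbal confirmation required")
    return failures


if __name__ == "__main__":
    changed = PaymentRequest("V100", "ACCT-999", 4800.0, "alice", ["bob", "carol"])
    print(release_check(changed))  # flags the changed account until confirmed
```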