Phishing & Push App Fraud
Phishing & Push App Fraud are growing issues. If hackers gain access to vendor data and client lists, they can e-mail clients fake invoices that appear to come from your company. By the time the unsuspecting client realises, the wrong account may well have been paid and the funds will have disappeared.
Turning the tables, when you receive invoices by e-mail or on your phone, unsuspecting employees may inadvertently approve them and wire funds out to the hackers, leaving you out of pocket.
The best protection is to prohibit all payments via e-mail and instead move all billing to a secure portal capable of processing invoices.
Our Solution: Key-Based 2-Factor Authentication
- The PIN is never transmitted or stored
- The PIN is entered onto a special keypad so even a keylogger could not detect it
- Should a device be lost or stolen, the login would fail after a few incorrect attempts
Our login is almost hack-proof, which means all invoices inside the portal are real invoices from genuine vendors. Furthermore, based on known fees and pricing, our systems automatically create all supplier and client invoices, leaving nothing to chance, and as a further level of control only authorised senior finance staff can approve outgoing payments.
All data is encrypted and each client's data is stored in a separate database with its own encryption key.
Mitigating Internal Fraud
- Fake orders used as a pretext for money laundering
- Fake orders and shell accounts used to wire out funds
- Collusion with suppliers to push up pricing or increase final invoices in return for back-handers
- Inventory mismatches vs. orders
Fake Orders & Money Laundering
Each order flow is cross-checked in the system to ensure orders, deliveries, inventory and payment flows match, with alerts for unexpected behaviour. A common money-laundering trick is to place orders and pay for them without any delivery ever taking place: the money is "cleaned" and returned to the Client, minus a cleaning fee. This does not mean every refund is flagged, but our algorithm looks for suspicious behaviour and patterns.
Fake Orders & Employee Fraud
Using a similar approach, staff with system know-how could set up fake Clients and Orders through shell companies, cancel orders and have refunds wired out, or receive goods to sell on to 3rd parties. To reduce this risk, only authorised staff may onboard new clients, and we recommend that only Client portals may place Orders, though this final check is optional. We also recommend separation of front and back office, so that Sales have no access to wiring funds and, equally, Finance have no access to placing orders.
To mitigate the risk of Vendor Collusion, all vendors register and have their hourly, overtime and weekend rates approved before they are accepted into the system. For fixed-rate jobs, min/max ranges are approved. Prior to any job, precise fixed quotes and spare part costs are approved. When a work order is booked, Staff are only shown the 3 cheapest suppliers. The calculation takes into account labour rates, call-out charges, billing increments and all spare parts costs. This prevents Vendors from colluding with internal staff to push up pricing.
Staff with system know-how could place fake orders to hide a drop in inventory while stealing goods from stock; the payments for those orders would never arrive. Our integrated system would flag the mismatch. Naturally, during production there is always some slippage or wastage, for example a part breaks or a human error occurs. A "likelihood" indicator is therefore applied and only events passing a threshold are flagged, to reduce false positives.
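As an added illustration of the order-flow cross-check and the likelihood threshold described above (example code written for this page, not the product's own logic): constructed order records are reconciled against delivery, inventory and payment, each order receives pattern flags, and a per-client score is compared with a threshold so that a single genuine cancellation is tolerated while a repeated pay-then-refund pattern or delivered-but-never-paid orders are flagged. The flag names, the score definition and the 0.5 threshold are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Order:
    """One order's full flow: billed, paid, delivered, refunded (constructed record)."""
    order_id: str
    client: str
    amount: float              # invoiced value
    paid: float = 0.0          # funds received from the client
    delivered: bool = False    # goods or service actually delivered
    refunded: float = 0.0      # funds wired back out to the client
    stock_drawn: bool = False  # inventory consumed against this order

def order_flags(o: Order) -> list[str]:
    """Pattern checks on one order; flag names are assumptions, not the product's."""
    flags = []
    if o.paid > 0 and not o.delivered and o.refunded > 0:
        flags.append("PAY_REFUND_NO_DELIVERY")   # money in, money out, nothing shipped
    if o.delivered and o.paid == 0:
        flags.append("DELIVERED_UNPAID")          # goods out, payment never arrives
    if o.stock_drawn and not o.delivered:
        flags.append("STOCK_DRAWN_NO_DELIVERY")   # inventory drop with no matching delivery
    return flags

def client_likelihood(orders: list[Order], client: str) -> float:
    """Share of a client's orders carrying at least one flag (0..1); one odd order stays low."""
    mine = [o for o in orders if o.client == client]
    if not mine:
        return 0.0
    return sum(1 for o in mine if order_flags(o)) / len(mine)

def suspicious_clients(orders: list[Order], threshold: float = 0.5) -> list[str]:
    """Clients whose likelihood reaches the threshold (0.5 is an assumed setting)."""
    return sorted({o.client for o in orders if client_likelihood(orders, o.client) >= threshold})

# Constructed sample data: one normal client, one laundering shell, one inventory-theft cover.
SAMPLE_ORDERS = [
    Order("O-1", "acme", 1000.0, paid=1000.0, delivered=True),
    Order("O-2", "acme", 500.0, paid=500.0, refunded=500.0),             # a genuine cancellation
    Order("O-3", "acme", 800.0, paid=800.0, delivered=True),
    Order("O-4", "shellco", 9000.0, paid=9000.0, refunded=8550.0),       # refund minus a "cleaning fee"
    Order("O-5", "shellco", 9500.0, paid=9500.0, refunded=9025.0),
    Order("O-6", "shellco", 200.0, paid=200.0, delivered=True),          # token real order as cover
    Order("O-7", "insider", 300.0, delivered=True, stock_drawn=True),    # stock out, payment never came
    Order("O-8", "insider", 300.0, paid=300.0, delivered=True, stock_drawn=True),
]

if __name__ == "__main__":
    print({c: round(client_likelihood(SAMPLE_ORDERS, c), 2) for c in ("acme", "shellco", "insider")})
    print("flagged:", suspicious_clients(SAMPLE_ORDERS))
```

Lowering the threshold trades false positives for sensitivity: at 0.3 the one-off cancellation by "acme" is also reported.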
Permissions and Controls
Only those with permission may authorise and make payments to mitigate wire fraud risks.
Finance validate commissions independently to ensure no duplicates or over-billing.