Build Your Business: Don't Fall Victim To Fraud
Business fraud is costing companies millions of dollars in lost time and money. We'll show you how to spot fraud before it damages your business.
Hi – I’m Jeff Kenny – I’m the Chief Operating Officer here at General Data.
Business fraud is costing companies millions of dollars in lost time and money. A study done in 2016 found that businesses lost an average of 5 percent of their gross revenues to fraud, identity theft and cybercrime, with 22 percent of cases reporting losses of at least one million dollars.
General Data has been targeted many times with different types of fraud. And make no mistake, these criminals want to target you and your business. We’ve learned a few preventative actions along the way, and I would like to share these with you, along with some strategies to recognize and stop fraud before it damages your business.
First, let’s talk about some common ways that fraudsters try to attack and get into businesses – what I call points of entry. I’m going to briefly overview them first, then show you examples and how to spot them.
To begin, there’s the all-too-common sales inquiry from a new customer – someone you have never done business with before. These range from the blatantly obvious – think Nigerian Princes here – to the very subtle and tricky. These are usually received via email or phone by your sales or marketing departments.
You can also receive fraudulent sales inquiries from your existing customers. A criminal will spoof the identity of someone who works for one of your customers – usually someone in purchasing, procurement or C-level – and send you an inquiry using that person’s name on the customer’s letterhead. Again, these are usually received via email or phone by your sales or marketing departments.
You can also receive fraudulent purchase orders, and these work much the same way. You can get them from companies that you have never done business with before, and also from existing customers, where the identity of the person has been spoofed and the purchase order template looks just like the ones you receive from your customer. Sales, marketing and accounting can receive these.
Another point of entry is when you receive new customer applications and requests for credit that are actually from scammers. These can be received by salespeople, your marketing department, or sent directly to your accounting and credit department.
Finally, criminals will spoof the identity of your company’s owner, CEO, or other C-level executive in your company. They will then send an email from that spoofed identity to someone in your accounting or finance department, with instructions to send payments or transfer funds to an account or entity. These are especially dangerous, and can be very costly.
Now, why do all of this? What are the fraudsters trying to get you to do?
Their goal can be to get you to ship product to them and never pay for it. In this scenario, they plan on taking the products they scammed from you and reselling them on eBay or the dark web, or shipping them overseas and selling them there.
Or they may be just trying to take your money: getting you to send money to one of their accounts, then closing the account and disappearing, never to be found again.
Finally, they may be just trying to get a bogus customer account established. They can use this to bleed you under the radar, placing small orders initially which they pay for – usually with a fake credit card – in order to establish an order history. Then they send you a large order, which you process as they are viewed as an established customer. They receive the products and disappear, leaving you holding the bag.
Let’s now take a look at a few examples, and discuss different ways to spot the fraud.
To begin, here’s a simple fraudulent inquiry from a “new customer.”
Notice the following:
Bogus email address. This scammer is trying to look like they are from MuviTech by including the company name in a Gmail address. You will see this a lot with hospitals and educational institutions, where the crook will try to mask a bogus email address with a company name. The domains for educational institutions always end in .edu, never .com. If you look closely at the email address, it’s apparent that it is fraud.
Bogus email addresses are a great starting point for spotting fraud, but you can’t rely on that entirely. People falling for phishing scams can allow scammers to take control of their email account and send and receive email from that account – using that email address – without the owner ever knowing about it.
Grammar, punctuation and capitalization errors. Though not always present, this is common in many fraud attempts. A lot of fraud originates from countries or individuals where English is not their primary language. If you see something like this, it should raise a red flag.
Inquiries for large quantities of products. In this example, the criminal wants to order 100 OEM color toner cartridges. No legitimate business would order this quantity of color toner cartridges at once. If the order or inquiry seems too good to be true, then it usually is.
Urgency. Fraudsters are always in a hurry – they need it ASAP and want to place the order today. This is to try to get you to fast-track the order so it does not get flagged by your normal order-checking processes.
Let’s take a look at a fraudulent purchase order from an existing customer. On the left is a legitimate purchase order from this customer, on the right is a fraudulent one that we received.
Notice the similarities in layout, style and information. They even have the correct customer number on the fraudulent PO. But if you look closer, you’ll see:
The email address is a personal one. It is not from the customer’s email domain.
The ship-to address is not the customer’s usual one. This shipping address happens to be to a residence.
The products ordered on the PO are not what the customer usually orders. In this case, the fraudulent PO contains orders for card printers. Card printers are very popular targets for fraud as they are quickly shipped overseas and sold to make fake ID cards.
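The purchase-order checks above, together with the earlier point that a correct email address alone proves nothing, can be run as one vetting step. This is an added example, not General Data's process or code; the customer record, domains, SKUs, keyword list and the 2x quantity threshold are all constructed assumptions.

```python
# Added example: every record, domain, SKU and threshold here is constructed.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENT = ("asap", "urgent", "today", "immediately")

# Hypothetical customer master record, as an ERP or CRM might hold it.
CUSTOMER = {
    "email_domain": "example-customer.test",
    "ship_to": {"100 industrial pkwy, springfield"},
    "usual_skus": {"LBL-4X6", "RIB-110"},
    "max_qty_seen": 40,
}

def sender_domain(addr):
    """Return the lower-cased domain of an address, ignoring any display name."""
    addr = addr.strip().rsplit("<", 1)[-1].rstrip(">")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def vet_purchase_order(po, customer):
    """Return the red flags that should route this PO to manual review."""
    flags = []
    dom = sender_domain(po["from"])
    if dom in FREE_MAIL:
        flags.append("personal_email")
    if dom != customer["email_domain"]:
        flags.append("domain_mismatch")
    if po["ship_to"].strip().lower() not in customer["ship_to"]:
        flags.append("new_ship_to")
    if any(sku not in customer["usual_skus"] for sku, _ in po["lines"]):
        flags.append("unusual_product")
    # Assumed rule: more than twice the largest quantity ever ordered is unusual.
    if any(qty > 2 * customer["max_qty_seen"] for _, qty in po["lines"]):
        flags.append("unusual_quantity")
    if any(word in po["note"].lower() for word in URGENT):
        flags.append("urgency")
    return flags

# Constructed samples: a spoofed PO, one sent from a taken-over real mailbox,
# and a routine reorder.
SPOOFED = {"from": "Pat Buyer <examplecustomer.purchasing@gmail.com>",
           "ship_to": "12 Maple Ct, Anytown", "lines": [("CARD-PRN-1", 6)],
           "note": "Need this ASAP, please ship today."}
HIJACKED = dict(SPOOFED, **{"from": "pat.buyer@example-customer.test",
                            "note": "Please process."})
ROUTINE = {"from": "pat.buyer@example-customer.test",
           "ship_to": "100 Industrial Pkwy, Springfield",
           "lines": [("LBL-4X6", 20)], "note": "Standard reorder."}

if __name__ == "__main__":
    for name, po in (("spoofed", SPOOFED), ("hijacked", HIJACKED), ("routine", ROUTINE)):
        print(name, vet_purchase_order(po, CUSTOMER))
```

The hijacked sample passes both email checks and is still held on ship-to and product history, which is why the sender address cannot be the only control.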
Finally, let’s take a look at my personal favorite – payment instruction fraud.
In this example, you see that the scammer used my name, along with a bogus email address, to contact the head of our accounting division and attempt to initiate a payment.
Along with the email address that is NOT mine, notice the urgency. Also, that is not my normal email signature.
Now, let’s talk about what your organization can and should be doing to protect yourselves from becoming a victim of fraud.
Plan and document company-wide fraud prevention processes and procedures. This is very important. You must have documented procedures on how sales inquiries, applications for credit, purchase orders, and new customer account requests are handled and vetted for potential fraud. Your employees should not be left to guess what may be fraud and how to handle it – you run the risk of them guessing wrong.
If you suspect fraud, do not rely on phone calls or emails for verification. Fraudsters will use bogus email addresses and phone numbers that go directly to them. So if you just call or send an email attempting to verify something, you’ll just be talking to the person trying to scam you. You need to dig deeper:
- Look up the address in Google and see if it jibes with the company’s address on their website.
- Contact the company through the main number published on their website, ask if that person is employed there, and then ask to be directly connected to them.
- Request a personal visit to the company’s facility.
Education. Make sure all of your sales, sales support, customer service, marketing, accounting, finance and management personnel are fully educated on the different types of fraud that can happen to your company, and what they are supposed to do if they encounter it.
Stay abreast of the latest scams and fraud techniques. These scam artists are always coming up with new and better techniques and approaches. As you learn about new ones, make sure you let the people in your organization know about it, and update your fraud prevention policies accordingly. A great resource is the Association of Certified Fraud Examiners, at www.acfe.com. In addition to what I’ve talked about here, they have extensive materials on other types of fraud, including employee-initiated fraud like embezzlement and theft.
I hope you’ve found this discussion helpful for spotting and preventing fraud in your organization. When it comes to combatting fraud, we’re all in this together. If you have any further questions or would like to learn more about what General Data has done to fight fraud, feel free to contact us.
I’m Jeff Kenny, and thanks for watching!