A monthly Information Security publication for the WPI community.
June's focus is on FISCAL YEAR END SECURITY. The end of the fiscal year is a busy time for an organization. Criminals exploit that by impersonating legitimate businesses and taking advantage of the likelihood that people may not have time to scrutinize requests.
In this issue:
- Invoice Fraud: Recognizing and Preventing
- WPI's Fraud Prevention Strategies
- Red Flags
- Example of a Fraudulent Invoice
- Learning with Laughter
- Featured Videos
- In the News & by the Numbers
- WPI Resources
- Diversity in Cybersecurity
- Coming Next Month...
Invoice Fraud: Recognizing and Preventing
According to CFO Share, these are the 3 most common types of accounts payable fraud:
- Fake vendors and invoices fraud - when someone either internal or external to the company creates a fake invoice. No goods or services are delivered to the company, and the creator and/or their associates profit from the payment.
- Check fraud - this usually happens when there are lost checks or duplicate payments and someone pockets the money.
- Expense reimbursement fraud - this is when an employee submits a false or exaggerated expense report for personal profit.
And these methods help to prevent it:
- Segregation of duties: for example, entering data, approving transactions, and paying bills are tasks that should be done by 3 different people, so no single person can create a vendor, approve its invoice, and release the payment.
- Staff education: people are more likely to detect fraud when they have been taught exactly what to look for.
- Routine audits of fraud prevention processes: a best practice is having an external organization perform this audit to ensure the processes are being followed correctly. Failure to follow established procedures is a common weak link in the accounts payable process.
WPI's Fraud Prevention Strategies
Workday's detailed audit trails, requirement of receipts, and engagement of multiple approvers help to prevent fraud.
WPI Workday processes support fiscal security by:
- Detailed audit trail in Workday for invoices and purchase orders.
- Electronic payments with detailed audit trails in Workday to prevent check fraud.
- Requiring receipts for expenses that are $75 or more.
- Clearly defined approval procedures for how many people need to approve large transactions.
- Highly defined roles in Workday so users have access to exactly what they need to do their jobs and no more. In cybersecurity this is known as the principle of least privilege.
Vendor relationships:
- WPI's Procurement team manages supplier policies and master agreements. Their policies afford consistency and thorough oversight, making vendor fraud more difficult for scammers to accomplish.
- Individual employees can support fiscal security by developing strong relationships with vendors. An example exists between ITS and DelSignore Electric, a partner for many years. There are two specific individuals there that ITS works with for billing. If a questionable invoice or suspicious email ever arises, these direct contacts could confirm or deny the legitimacy and fraud would be stopped in its tracks!
Education:
- The SECURE IT newsletter and related materials educate the WPI community on cybersecurity.
- WPI's Finance & Operations staff regularly offer assistance and training on best practices.
Red Flags
The more familiar we are with the differences between legitimate and false invoices and requests, the more confident our decisions will be on whether to respond or report! According to EFT Sure's blog, here are 10 red flags for fraud:
- Spoofed invoices or incorrect information about vendors
- Unknown senders or unverified vendors
- Unusual requests for sensitive information
- Suspicious links or attachments
- Unsolicited emails, phone calls or text messages
- Enticing offers that sound too good to be true
- Incorrect email addresses
- Grammar and spelling mistakes
- Blurry company or entity logos
- Urgent or threatening language
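Several of these red flags can be turned into mechanical checks rather than left to a busy reader's eye. The Python script below is an added illustration, not part of the newsletter or of WPI's Workday setup: it compares a constructed invoice e-mail against what Procurement has on file for the vendor (sender domain, lookalike domains, bank account, Reply-To mismatch, links pointing off the vendor's domain, urgent language, requests for sensitive data). The vendor record, e-mail addresses, domain names, and bank-account digits are all assumptions made up for the example.

```python
"""Score an incoming invoice e-mail against the red flags above (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed vendor record: what Procurement has on file for a supplier (assumption,
# not WPI's actual data). Only the last four digits of the bank account are kept.
VENDORS_ON_FILE: Dict[str, dict] = {
    "DelSignore Electric": {"domains": {"delsignoreelectric.example"}, "bank_last4": "4417"},
}

# Phrases that map to the "urgent or threatening language" and
# "unusual requests for sensitive information" red flags.
URGENCY = ("immediately", "final notice", "within 24 hours", "suspended", "urgent")
SENSITIVE = ("password", "ssn", "social security", "tax id", "login")


@dataclass
class InvoiceEmail:
    vendor_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str
    links: List[str] = field(default_factory=list)
    bank_last4: Optional[str] = None


def domain_of(addr: str) -> str:
    """Domain part of an e-mail address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalike (typosquatted) vendor domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(mail: InvoiceEmail) -> List[str]:
    """Return a list of human-readable red flags; an empty list means nothing tripped."""
    flags: List[str] = []
    on_file = VENDORS_ON_FILE.get(mail.vendor_name)
    sender = domain_of(mail.from_addr)

    if on_file is None:
        flags.append("unverified vendor: no record on file")
    else:
        if sender not in on_file["domains"]:
            near = [d for d in on_file["domains"] if edit_distance(d, sender) <= 2]
            note = f" (lookalike of {near[0]})" if near else ""
            flags.append(f"sender domain {sender} not on file{note}")
        if mail.bank_last4 and mail.bank_last4 != on_file["bank_last4"]:
            flags.append("bank account differs from account on file")
        for link in mail.links:
            host = (urlparse(link).hostname or "").lower()
            if not any(host == d or host.endswith("." + d) for d in on_file["domains"]):
                flags.append(f"link to {host} not on vendor's domain")

    # A Reply-To that differs from the sender is the classic BEC redirection trick.
    if mail.reply_to and domain_of(mail.reply_to) != sender:
        flags.append("reply-to domain differs from sender domain")

    text = (mail.subject + " " + mail.body).lower()
    if any(w in text for w in URGENCY):
        flags.append("urgent or threatening language")
    if any(w in text for w in SENSITIVE):
        flags.append("request for sensitive information")
    return flags


# Constructed sample messages (not real e-mails).
SUSPICIOUS = InvoiceEmail(
    vendor_name="DelSignore Electric",
    from_addr="billing@delsignore-electric.example",      # one-character lookalike
    reply_to="accounts@mail-invoices.example",
    subject="FINAL NOTICE: invoice 1042 can not be process",
    body="Payment is suspended until you confirm the updated bank account within 24 hours.",
    links=["https://delsignore-electric.example/pay"],
    bank_last4="9902",
)
LEGIT = InvoiceEmail(
    vendor_name="DelSignore Electric",
    from_addr="ap@delsignoreelectric.example",
    reply_to="",
    subject="Invoice 1042 for May service call",
    body="Attached is invoice 1042 for the panel work completed on May 14.",
    links=["https://portal.delsignoreelectric.example/invoice/1042"],
    bank_last4="4417",
)

if __name__ == "__main__":
    for label, mail in (("suspicious", SUSPICIOUS), ("legitimate", LEGIT)):
        print(label, red_flags(mail) or ["no red flags"])
```

Any non-empty result is a reason to stop and call the vendor contact on file, exactly as the DelSignore example above describes; the script is a triage aid, not a substitute for that phone call.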
Example of a Fraudulent Invoice
This screenshot of an invoice scam looks like an official business email and entices the user to provide a phone number and email.
Notice how it does not include the sender's company, the receiver's company, or make any references to the specific goods or services provided.
Grammatical errors are common in fraudulent email messages. Of note in this email:
- "The below reject reason" is not how a fluent English speaker would word that phrase.
- "Can not be process" is an incorrect verb form. It should be "cannot be processed."
- "Can not" is typically written as 1 word.
- "Finial" instead of final.
- Reading the comment section out loud sounds a bit choppy, as if a few words were omitted.
Learning with Laughter
Featured Videos
These news segments discuss how to spot and avoid scams.
Scams to Look Out for in 2024 (NBC Detroit)
Scams to Look Out for in 2023 (CBS Houston)
In the News
Virginia Commonwealth University was conned out of $470,000 when a British citizen impersonated an employee at a construction firm VCU uses. Then the money was laundered in Los Angeles.
LA businessman accused of laundering money stolen from VCU (ABC Richmond)
Evaldas Rimasauskas was one of the orchestrators of a Lithuania-based business email compromise (BEC) scheme that started in 2013 and stole over $120 million from Facebook and Google.
Leader of Fraud Ring Sentenced (FBI)
By the Numbers
- $752 million lost to business imposters in 2023.
- In 358,000 reports to the FTC, scammers contacted the victims by email.
- 2.6 million fraud reports were sent to the FTC in 2023.
Facts about fraud from the FTC – and what it means for your business (FTC)
WPI Resources
If you receive a questionable email pertaining to WPI financials, take 5 minutes to think before you respond!
Take 5! (WPI Hub)
WPI policies help to safeguard our financial data. If end-of-year tasks raise any questions about these, Information Security would be happy to assist.
- Gramm-Leach-Bliley Policy
- Data Classification and Usage Policy
- Restricted Use Data
- Clean Desk and Clear Screen Policy
Diversity in Cybersecurity
Tia Hopkins, Chief Cyber Resilience Officer
Coming Next Month...
Phishing!
Is there a cybersecurity topic that you would like to know more about? Please contact WPI Information Security using Get Support below.