CSO, an online service that provides a broad range of content on security and risk management topics, published an excellent piece last week on the Mattel phishing attack last year that nearly cost the company $3 million. In reading this all-too-familiar tale of fraud, we were reminded of how an automated accounts payable (AP) solution can prevent companies from falling prey to this type of scam.
The backstory of the incident involving Mattel, one of the top toy manufacturers in the world, as told by CSO, is as follows:
On April 30, 2015, a [Mattel] finance executive got a note from the newly installed [Mattel] CEO, Christopher Sinclair, requesting a new vendor payment to China. The finance executive didn’t see anything wrong with the request, but checked protocol anyway.
Transfers required approval from two high-ranking managers; [the finance executive] qualified and so did the CEO. The transfer was made. In total, $3 million was wired to the Bank of Wenzhou in China. [The finance executive] mentioned the payment later to Sinclair, who denied making the request.
Mattel contacted law enforcement and their U.S. bank, but were told that it was too late – the money was gone. The thieves had hit Mattel at just the right time. A new CEO had just started and the company was getting ready for massive growth in China, so payments to the nation wouldn’t be out of order.
But Mattel got lucky. May 1 was a banking holiday in China. The following Monday [May 4] they were able to get assistance from local law enforcement and banking officials to freeze the account that held the stolen funds. Two days later, the money was recovered.
The banking holiday (May 1 was Labor Day in China) falling the day after the fraudulent request was made was Mattel’s saving grace, but most companies don’t get lucky breaks like that and the money they wire to overseas thieves cannot be recovered. In fact, the FBI reports that this type of scam has cost companies, many of them American, more than $1.8 billion.
How can AP automation prevent these types of fraudulent payment requests from succeeding? For one, the visibility it provides into the payment process creates an easy-to-follow audit trail that allows you to see if an internal payment request was actually made. Secondly, automation enforces strict adherence to business rules and forces you to standardize your processes and do everything the same way, which is a huge step toward preventing fraud.
In addition, automation:
- Allows your vendors to send invoices through your company in a set way (usually by dollar amount)
- Ensures that every invoice gets proper approval before it is paid
- Processes your invoices faster, allowing you to run analytics on them
- Uses data instead of physical receipts for validation
- Guarantees that your invoices and payment information is secure in a cloud-based environment that can be accessed anytime, anywhere
- Improves controls and solves common control issues, such as:
- Authorization overrides
- Gaining payment approval
- Monitoring purchase order splits
While automating your AP workflow will decrease the risk of fraud, there are still several best practices to be mindful of once an automation system is in place. Our advice is to:
- Use the AP automation system’s efficient matching functionality to validate accurate transactions
- Create an approval matrix
- Manage vendor master records
- Use preventative controls in place of detective controls
- Automate audit controls when possible
- Always follow your procedures, such as working your duplicate checking queue
To underscore the importance of fraud prevention, the Association of Certified Fraud Examiners (ACFE) recently released its 2016 Report to the Nations on Occupational Fraud and Abuse, and it stated that the typical organization loses five percent of revenue annually due to fraud. ACFE also reports that a lack of internal controls is the main organizational weakness of occupational fraud victims.
For additional insights into how AP automation can help reduce the risk of fraud and for tips on how to identify potential fraudulent payment requests, click here to watch a video with Joe Zulich, Manager of Accounting Operations at White-Rodgers and fraud prevention and risk management expert. This video was recorded after Joe delivered an educational session on fraud at Fusion 2015 in Orlando, FL.
If you have more questions about how AP automation can prevent fraud, feel free to contact us at info@DataServ.com.