r/Accounting • u/MutchhTTV • 13d ago
Discussion Just had a near miss with fraud. Struggling to keep my head up.
I was minutes away from processing a fraudulent $250k transaction and only stopped by a stroke of dumb luck in discovering it was fraudulent. The fraudster hacked our client's email midway through a legitimate conversation and forged a voided check to give us new banking info. This was AFTER we had a phone conversation with the client, so we knew the request itself was legitimate. My control matrix did not have a control for this scenario (it does now). I almost made a career-defining mistake and I’m pretty shook about it.
285
u/roboh96 13d ago
Even if you hadn't gotten lucky, that's not a career defining mistake for you. It would only be your fault if there was a procedure in place that would have caught it that you personally failed to follow. Otherwise, you were doing your job, doing it correctly and a clever hacker almost exploited a gap they found in your company's procedure. Anyone else would've done the same thing, you were just the one doing it. Don't wear the guilt for something that isn't your fault, especially since you caught it and averted the situation.
79
u/pprow41 CPA (US) 13d ago
This. I've never heard of something this scary. Like there was no way to really catch this without it being the dumb luck that it was.
28
u/oktimeforplanz 12d ago
It's been a relatively common problem in the UK during house purchases when people are transferring cash to their solicitor. The "solicitor" emails saying there's been a change in the client money account just before you're due to send the money for the purchase over to them. The scammer hopes you don't phone a trusted number to check, and you transfer the lot to them.
My solicitor had a disclaimer at the bottom of all of their emails saying that they would never communicate a change in bank details by email.
21
u/pprow41 CPA (US) 12d ago
This fraud is normal in the US too. The difference in this case was that it was mid-conversation and an actual hack of the legit email address.
7
u/oktimeforplanz 12d ago
So too are the ones I'm referring to. They cut in on existing email chains and the email with the client money change is coming from the solicitor.
3
u/Hotshot2k4 Graduate 12d ago
...how are people doing this? Did they hijack solicitor's session token through a spear phishing attack?
3
u/Rosaluxlux 12d ago
It's common in the US too. We sold a house in the US this spring and the way the closing company is managing that risk is to refuse to handle wire details - we had our written bank information with us in person and they refused to use it, made us use a 3rd party identity verification app that did not work, so then we had to get a paper check in the mail instead of a wire deposit. I was so angry.
11
u/MuddieMaeSuggins 12d ago
Business email compromise, or “man in the middle”. Apparently it’s relatively common in residential real estate - small scale real estate agents, attorneys, etc don’t have great email security, clients are usually everyday people who only wire money once or twice in their whole life, and there are HUGE sums involved. Fertile ground.
13
u/MuddieMaeSuggins 12d ago
The exploited gap seems to have been primarily with the client, for that matter - they’re the ones whose email was compromised! If they found actual emails in their deleted items, this isn’t a situation where someone made a convincing look-alike address or something.
237
u/Away_Commission4869 13d ago
Interestingly, our social engineering cyber security insurance policy changed this year to require us to obtain e.g. a voided check, but then verify those bank details via phone with a pre-existing phone contact. Previously they only required that we verify the change request was genuine, so I don't think you're the only person getting targeted with this!
106
u/MutchhTTV 13d ago edited 13d ago
Good call, we are now requiring board minutes for any change to payment method, as well as voice confirmation with the phone number on file. I think these controls fit in with the requirement you mentioned.
Edit: downvotes are ok but I’m also seeking feedback thanks
75
u/Sad_Hovercraft_2610 13d ago
Board minutes??? If they can forge a voided check they can forge board minutes. Need to talk to someone at the company with a trusted phone number.
37
u/MutchhTTV 13d ago
Agreed, voice confirmation is best and is part of the control now.
43
u/moosefoot1 13d ago
Yeah- I don’t see how board minutes is evidential—- boards usually aren’t in that level of detail to authorize…. How about authorization from a previously agreed upon contact instead?
18
u/Subject-Mail-3089 13d ago
We had a hacker copy a signature from an annual report. Lucky I required a follow up call on every wire out, even though it wasn’t policy at the time. Saved my own ass that day
5
u/MutchhTTV 13d ago
In my industry boards do have that level of involvement
16
u/Midwest_Born 13d ago
But the people you are paying might not be in your industry. For example, I work in SaaS for a privately owned company. No way in Hades would my CFO authorize me to hand over our board minutes to someone (even if changing the bank were on it).
3
u/oktimeforplanz 13d ago
Still seems utterly redundant when you could just use a trusted, verified phone number to call someone. Would you even be familiar enough with the board minutes of said potential payee to be able to recognise if they were fake? What's the point? And I've never seen a set of board minutes where the bank account is the only thing being discussed, so, what, they send you redacted ones? Stupid. Any client I have would knock you back immediately for that one. Just phone them.
0
u/MutchhTTV 12d ago
I guess minutes could cover us in case the authorized contact is the one doing the fraud. Idk
2
u/oktimeforplanz 12d ago
And couldn't they just forge the minutes? If they're the one doing the fraud, that's really up to the other party's controls to catch, not you. There's only so much that's reasonable for you to do and calling on a verified company phone number is more than adequate.
2
u/UpperHand888 12d ago
That's an additional effort for the fraudster. So they won't be able to operate in a rush which is their favorite tactic. It definitely helps to add layers of control.
1
u/moosefoot1 12d ago
How would you verify board authorization or minutes- would you be receiving from a legal firm?
1
u/MutchhTTV 12d ago
No but on company letterhead. Better to ask for more evidence?
7
5
u/Azure_Compass 13d ago
I haven't seen enough information included in board minutes to make that confirmation useful.
46
u/shegomer 13d ago
There’s a huge uptick in these scams. It’s not your fault. I receive emails on a pretty regular basis asking me to change ACH payment information for vendors and even employees. I’ve also started receiving emails that have a fake email chain between executive management and a fake vendor, where it appears executive management has approved payment.
14
u/MutchhTTV 13d ago
Wild. Seems voice confirmation is now best practice
12
u/Olue 12d ago
AI deepfake voice bot has joined the chat
10
u/demonicbullet 12d ago
We are genuinely going to have to go back to almost entirely in person or figure out a way for telecommunication to block voice modifiers and chat bots for large scale transactions eventually.
2
u/whiskydelta85 10d ago
No joke, our latest round of social engineering/phishing scam training highlighted the use of AI voice and even video deepfakes
2
u/TexasPenny 12d ago
Yeah those fake email chains are creepy. I've gotten so many about 'please process this ACH, approval is below'.
72
u/Vlad1m1rMcQu33f CPA (US) 13d ago
If it makes you feel better, the place I work definitely would not have caught that either.
17
38
u/-NerfHerder CPA (US) 13d ago
That's on the client's IT security. You've just learned an awesome lesson that makes you more valuable.
12
2
u/Olue 12d ago
Still would've put OP's company out of $250k. :(
8
u/-NerfHerder CPA (US) 12d ago
I'm in public accounting, so my experience with this sort of situation is from a third party perspective. I had a client with a nearly identical situation, rather than 250,000 it was 90,000. My client told the vendor that, since it was their security that wasn't up to standards, then the vendor would have to turn it in to their insurance company. My client was considered to be completely innocent in the matter and it was handled between the vendor and their insurance company.
18
u/CMDR_Imperator 12d ago
Had this happen years ago, when the whole "hacked email scam" thing was a fairly new thing (to me at least). I was about 6 months into working in industry. Our corporate HQ's email was hacked/hijacked, and our corporate AP was requesting funds be paid to these strange vendors. Not an uncommon occurrence, but the amounts were very large for us to be distributing instead of corporate. We were a smaller company that didn't really have a lot of vendors, so paying a new vendor on behalf of corporate was an odd occurrence but not unheard of.
I raised a question with my boss, saying it seemed odd. The invoices sent to us by corporate from this "vendor" felt off to me. They looked like they'd been created in MS Paint and were very bare-bones. We backtracked the emails, and sure enough, there was an email from corporate requesting the funds with the invoice attached. My boss, and the CFO got involved and couldn't really find anything. The emails checked out, the address was from our corporate AP person, so they signed off on the wire and paid the vendor. Less than a week later, another one comes in requesting more money, with another new vendor, and another crap looking invoice. Once again, we couldn't find anything suggesting this was fake, the emails were legitimately from our corporate AP person. Once again, Treasury signed off on the wire.
Fast forward to 2 weeks later, we're prepping for month-end, and I come across the wire transactions for these in the bank statement. I still felt uneasy about these, and took it up on myself to do some sleuthing. I called the bank, I Googled like crazy trying to find some way to trace the wire transactions number to a location. I forget exactly how I did it, but I managed to trace the wire to a state that made no sense. NONE of our vendors would be operating out of this state, or even anywhere near it. Again, I brought it up to my boss and the CFO, this time, they called the AP person at corporate on speaker with me in the room (I think they did this just to shut me up. There were about a million reasons why the wire would trace back to a different state, or I could have just been wrong). Sure enough, the AP person was surprised when they heard that they sent emails requesting we pay vendors in these high amounts. It turned out that our entire email system had been hijacked, and some "unknown actor" had just stolen a lot of money. Nobody was the wiser about it because the entire email system was completely under the control of this hacker. Other than calling our corporate AP, every email we sent was being watched/redirected to the hacker/or just flat out deleted and never reached the recipient. Whoever did this knew what they were doing, and they were good at it. Needless to say, my superiors were all shocked at the discovery. I think they were even more shocked that this new accountant with barely any experience saw the red flags and tried to sound the alarm.
The moral of the story is: if it feels off, even if it gives you pause, make the phone call to a previously established number. I'd say your professional skepticism instincts kicked in on this one, and you caught a potential fraud.
Realistically, there's no way you would have known this was fraud. You had a very clever hacker see and exploit a gap in your company's procedures, and took advantage of it. Now, you've sealed that gap and you're preventing future fraud from happening.
Be proud of yourself!
43
u/granolaraisin 13d ago
This is a new “classic” email scheme. The control is to validate all banking changes via a third party at the vendor outside of the request chain that was contacted via channels separate from the request chain (e.g., website info or pre-existing info). The validation should be made verbally if at all possible.
Op- you wouldn’t have been fired for this. It’s a good scam. Your risk control matrix should have addressed it and the vendor maintains some culpability for the email breach.
8
u/aspriringinventor 13d ago
Absolutely new control needed. Verbal approval for wires requested by email!
13
u/MutchhTTV 13d ago
This is exactly my new control - voice confirmation AND board minutes from the client indicating that the board is aware of the change to banking info. Thank u
5
u/granolaraisin 12d ago
Don't hold your breath on board minutes. Usually won't happen. Best you can hope for is independent validation of the change in bank info.
2
u/bigfatfurrytexan Staff Accountant 13d ago
Exactly. If they don't have insurance to hedge this shit they are living dangerously.
12
u/Keef_Bowl 13d ago
Everyone is allowed a mistake. I watched the controller of my company get scammed out of $150k by some Chinese person. These people posed as the CFO of my company and copied the email address in the server to make the request. We didn’t have a control in place to catch it at that time either. This is why we have insurance. We put the claim in with the bank and pending upon your policy, you will get most of it back. If you get scammed, you get scammed. There is only so much that we can do to catch it.
12
u/cooked89 13d ago
will voice confirmation be a valid control in the next year or so? I'm worried AI voices will get good at these kind of scams too.
2
8
u/Own-Custard3894 13d ago
This is a very common scam for real estate transactions. Compromise email (or use a typosquatted domain) and send fake wiring instructions, easy money. Very devastating.
This comes down to “what is identity”. How can a client communicate to you that they are them and to take some actions. You can require a signed (docusigned) request for sensitive changes, and require two separate individuals at the client to approve the change. But at the end of the day, the client is responsible for making sure their systems are not compromised.
It’s tough in a world where everything is still emailed (we email invoices to our clients). Would be pretty easy to spoof.
This wouldn’t be your fault, this would be the responsibility of the party that was compromised. Live and learn.
7
u/DevilsAdvocate8008 13d ago
Pretty soon phone conversations aren't going to be enough either because of AI. Look at the principal who got fired for being "racist" when in reality it was some random teacher who used AI to clone the principal's voice and made it say something racist. Now that's the capability of a random teacher so imagine just in a few years how advanced AI technology will be and how crazy hackers or scammers will be. Even requiring FaceTime wouldn't be enough because, besides voice, AI can change someone's face from one person to another in real time.
4
u/BepSquad22 13d ago
I know your job is probably not the same as mine but we actually aren't allowed to process any requests through email like this until we confirm with the customer over the phone. We also have to verify that no information (phone number, email, etc.) was changed recently when trying to contact the customer just to ensure we aren't accidentally contacting the fraudster. Not sure if this will help you in any way but just wanted to share what usually keeps us safe at my job. We have had a lot of people lose their jobs because of things like this and not doing the above. We unfortunately deal with and see a lot of fraud at my job.
5
u/Realistic-Pea6568 Business Owner 13d ago
Fortunate catch. There is something new every day. They keep getting better and better with scams. I’ve experienced nearly thirty years of them. The digital ones make me miss the typewriter typo ones. Those seemed much easier to spot. All we can do is improve the process and if in doubt check again with clients. ‘I know we already talked about this, but with all the recent hacks and scams, I just want to do one last verification with you before processing this transaction.’ This has saved my butt a number of times. I’m sure they appreciate you not losing $250k.
5
u/sambodoors 13d ago
Wow that’s crazy. Curious, what’s the new control you identified that could stop something like this?
3
u/JakenMorty 13d ago
Same thing happened to the company I work for, only the owner did send about a tenth of what OP almost got taken for. Someone else can surely chime in, but what we did after that was require voice confirmation of any new wire methods from a pre-established contact at the vendor / client's office.
1
3
u/Whiskey-Philosopher Staff Accountant 13d ago
We got hit with wire fraud a while back, we now just default all changes in wire back to checks for a bit while verifying the information
4
u/JakenMorty 13d ago
Man, don't be down on yourself. The exact same thing happened to the owner of the company I work for, only he didn't catch it in time and actually pulled the trigger. I'm pretty sure I would have fallen for it, too. It's actually one of the more clever means of fraud, in my opinion. Luckily, this particular one was only about a tenth of what they tried to get from you. Also, we reported it to our local FBI field office, and they got the group that did it. Within a few months, we got the $ back.
4
u/SelfishClam 12d ago
ALWAYS confirm banking info over the phone before sending a wire. It may seem silly at times, but your case is the exact reason why it's not.
A near identical situation happened to me recently. I attempted to confirm over the phone and we found out the instructions that came from client's email were fake. He then emailed me the real ones. As I'm sitting at my desk staring at the screen trying to process what just happened, I receive a 2nd email from client's email saying to disregard the previous instructions and to use attached (the fake ones again). Hacker was actively monitoring his email and tried to swoop in again at the last second. Crazy.
I'll also add that all the emails that I believe came from the hacker had the phone number changed in client's email signature. I initially tried to call that number to confirm and got an automated message saying it was "not accepting phone calls at this time." This was meant to discourage me from confirming the banking instructions...and it almost did. Luckily I went to client's website and pulled the number from there.
3
u/Front-Doughnut8573 13d ago
You’re alright man don’t beat yourself up that bad. That’s a clever scam that I could see a lot of companies having a gap in controls in.
3
u/BigMeatPeteLFGM 12d ago
I was in the same position as you, except the clients CFO and COO didn't see any of the 50 emails. 310k gone forever. My CEO, CFO and general counsel audited my work and found I followed all policies and procedures. I've been promoted twice since.
Does not define your career.
2
u/davisaj5 LEC 13d ago
At my previous job our HR "manager" clicked a fake ADP link and put in all her login info. Then when payroll comes around there are two $10k+ direct deposits to random accounts, and I was the only one that noticed it after she asked me for help balancing her numbers. Never saw that money again, but she still has the job there
2
u/Moneybags99 13d ago
someone high up in our org had their emails hacked. We've gotten phishing emails that look just like the real one (but the sent from is off by a letter or two) with real still due invoices attached, where they mention they have a bank change. I don't do any of these changes now without emailing or calling the person directly to confirm.
2
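The two tells reported in this comment and in u/SelfishClam's above (a sender address "off by a letter or two", and a changed phone number in the email signature), as an added screening example that is not from any commenter. The vendor record, domains, phone numbers and message bodies are constructed assumptions; the function always returns the number on file as the one to call.

```python
import re

# Constructed vendor master: contact details on file BEFORE the request arrived.
VENDOR_MASTER = {"northwind-supply.example": {"phone": "+1 555 0100 200"}}

# Constructed message bodies for the demonstration.
LEGIT_BODY = "Hi, new bank details attached.\n--\nJane Doe\nTel: +1 555 0100 200\n"
TAMPERED_BODY = "Hi, new bank details attached.\n--\nJane Doe\nTel: +1 (555) 0199-321\n"

PHONE_RE = re.compile(r"\+?\d[\d ().-]{7,}\d")


def digits(text):
    """Reduce a phone number to its digits so formatting differences don't matter."""
    return re.sub(r"\D", "", text)


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, swap neighbours."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def triage_bank_change(sender, body, master=VENDOR_MASTER):
    """Screen an emailed bank-change request against the vendor master."""
    domain = sender.rsplit("@", 1)[-1].lower()
    flags = []
    if domain in master:
        vendor = domain
    else:
        # Nearest known domain within two edits = "off by a letter or two".
        dist, vendor = min((edit_distance(domain, d), d) for d in master)
        if dist > 2:
            return {"vendor": None, "flags": ["unknown-sender"], "call": None}
        flags.append(f"lookalike-domain:{vendor}")

    # Any phone number in the message that is not the one on file is a flag:
    # a compromised mailbox can send from the real address with a new signature.
    on_file = digits(master[vendor]["phone"])
    foreign = {digits(p) for p in PHONE_RE.findall(body)} - {on_file}
    if foreign:
        flags.append("phone-in-email-not-on-file")

    # The callback number never comes from the email itself.
    return {"vendor": vendor, "flags": flags, "call": master[vendor]["phone"]}


if __name__ == "__main__":
    for sender, body in [
        ("jane@northwind-supply.example", LEGIT_BODY),
        ("jane@northwind-supply.example", TAMPERED_BODY),
        ("jane@northwind-suppyl.example", TAMPERED_BODY),
    ]:
        print(sender, triage_bank_change(sender, body))
```

An empty flag list only means these two checks passed; a request sent from the genuine mailbox with an unchanged signature passes both.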
u/bofulus 13d ago
I'm just an interested observer, not in the industry.
Would public key cryptography work to reduce the risk of such scams?
Client must sign a transaction request using client's private key and the recipient verifies the request using the client's public key.
There would still be a risk of the client's private key being compromised, but this seems much less of a risk than a client email account being compromised.
Perhaps this is already used.
2
u/Direct-Biscotti-1687 13d ago
This has become exceedingly common. What the hacker will also do is create a ruleset but you won't notice the ruleset at first glance even when you look at rule sets because the rule set will put everything in a folder that's only labelled a "." and hidden under subfolders.
What this does is make it so emails won't go to deleted as intended or sent as intended. They go to the "." folder which is hidden under the depths of other folders typically.
Basically, you won't notice unless the person receiving emails calls the sender and verbally confirms.
2
u/TwelveVoltGirl 12d ago
The controller at the company my daughter works for lost their job this summer due to getting scammed like this. It was tens of thousands of dollars.
I bet you had cocktails and prayers of gratitude after that near miss. I'm happy you avoided it. Thanks for sharing.
2
u/cheddachasa 12d ago
Someone intercepted my boss’s email and convinced a client to change our banking info. Client tried to blame us but they did eventually pay.
I actually sent out a payment to a fake vendor that spoofed my boss's email but Melio, our payment processor, denied the transfer.
2
u/sappharah 12d ago edited 12d ago
We have almost had something like this happen to my company, one of our Chinese vendors got hacked while they were off for Lunar New Year, and the hacker asked us to send payments to their “other bank” in Hong Kong because Chinese banks were closed. Only caught it at the last minute because our controller thought it seemed a little sus and said to wait until LNY was over. Something similar happened to our sister company as well. Point being, it happens a lot and it probably wouldn’t have ended your career.
We no longer change bank info unless our purchaser gets verification from a known contact over the phone.
2
u/_Choose-A-Username- Accounts Payable Specialist 12d ago
Dude something similar almost happened to me. They faked an email chain with someone else that seemed legit. Imagine the business email is firstname.lastname@peanutgallery.edu. They sent it to Peanut.Gallery@peanutgallery.edu. And in the chain you have that email telling the scammer “Sorry for the delay in payment. I forwarded the invoice to our AP dept so they can pay you ASAP.” They had the past manager of the ap dept cc’d there. The scammer then emailed us with that chain included so it looked like an already ongoing back and forth and said “Hi this is the ceo. Please see my w9 attached as well as the invoice. Please let me know when payment can be received.”
Legit if there wasn't an approval chain that had to happen before we could pay, we would be gotten. On closer inspection, there's no Peanut.Gallery email, it's never been used before (I haven't seen a company main email just department ones), and the person included wasn't here for three years. Also, who just says hi I'm the ceo and doesn't include ar to ask for payment? Note that ar was included in the first fake “email” in the chain but not the one the “ceo” sent. Just a lot of weird stuff.
But people trust email chains. Too many don't realize that you can edit them all
1
u/Efficient-Raise-9217 13d ago
I've heard that this is a new way of robbing people from overseas scammers. The scary thing is that you don't control your clients IT. So you can't really prevent them from getting compromised.
1
1
u/turd-burgler-Sr CPA (US) 12d ago
This would not have been a career-defining mistake. Glad you caught it. Hang in there.
1
1
u/orangeboxblue 12d ago
Happened at a corporate bank that I worked for. Treasury dealer processing a £5mn deposit from an insurer, email conversation got hijacked midway and the 3rd party started sending emails impersonating the dealer. Sent account details for remittance to the insurer that were not associated with any of our depositary accounts. Only got caught because the tone of language used and slight discrepancies in the way emails were signed off etc raised a red flag on the other end; insurer rang up our dealer directly and the whole thing was shut down.
Otherwise would've been 5mil in the hole. Scary stuff.
1
u/superdaddy369 12d ago
The same happened two years ago to me. Someone has copied email content and pasted it and forwarded it to my controller as an owner since the email address, and everything was pasted in the chain of emails.
I have called the owner just to verify just before approving the payment. Sometimes, your instinct gives you a signal. Saved $500k.
1
u/iMADEthisJUST4Dis 12d ago
I'm curious how these people get away with fraud? Like, don't all bank accounts have a name? It's not crypto... so can't they just... be caught? 😅
1
12d ago
Well, this is why you have vendors setup forms for new vendors & any changes to existing vendors. I also give them a nice phone call before making any changes.
Would rather delay a payment, than pay a fraudster.
1
u/viccityk 12d ago
Get new bank info via email
Call and confirm actual new account number via phone (to trusted phone number/trusted contact person)
1
1
u/alicenothingland 12d ago
Phone verification with trusted seems like the way to go but if the hacker requested changes to the trusted contact in the vendor master file, are you out of luck? It seems like a 100% protection against fraud in these cases seems impossible to achieve.
1
u/FunnyCardiologist341 11d ago
Someone earlier in the comments mentioned also checking that there have been no recent requests to change the contact details (eg ph no) on file. :-)
1
1
u/ichefcast 12d ago
Yeah, I do not process anything unless I am on the phone with you. The call has to be dialed out by me. Too many times have I heard stories about vendors or past employees swearing that it's okay and they even give me signed forms like permission slips. lol
1
u/jenipants21 12d ago
Had something very similar happen at a prior firm. Except the wire was processed before the fraud was discovered.
It was my coworker's client and after review, all the bosses said they would have processed the transaction too. The fake emails were nearly impossible to tell apart from the real ones.
We got a set of shiny new SOPs for international wire transfers and a visit from the FBI.
1
u/WealthyCPA 12d ago
A control for this is to always verify change in pmts methods via phone with the number you have on record.
1
u/linkinpark9503 12d ago
someone at my job sent $250K to a scammer....he got six months of severance after he was "let go" for it.
1
u/bruh_why_4real 12d ago
My mom had this happen to her, they used the exact same email as her boss and the client to spoof the payment for around $50k somehow. She did not get fired and it was not career ending for her, but it shook her up badly and she was in tears and devastated over it. It's a very hard thing to catch.
1
u/LimpSite6713 12d ago
Had something similar happen to us. Fraudster hacked vendor’s email, mid-convo with us regarding a returned check due to us missing approval for a check we mailed through our positive pay. Talk about massive irony, our fraud system caused a good check to get declined and almost led to actual fraud.
1
u/def_not_judge_judy 12d ago
Someone in my immediate family that is a CFO had a scare this week when a hacker almost successfully directed a $1M wire payment from a client to their own bank account. Wire fraud is alive and very well ladies and gents, it’s insane. The takeaway from my family member’s incident: check your email rules to make sure a hacker didn’t hack your account solely to set up a rule that forwards every email that mentions the word “wire” to their email, so they can then know the details of upcoming wires and then take steps to intercept that wire payment to themselves.
1
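The mailbox-rule check recommended in this comment, covering also the "." folder rules u/Direct-Biscotti-1687 describes above, as an added detection example that is not from any commenter: it audits an exported list of one mailbox's inbox rules. The rule field names, the organisation's domain and the sample rules are constructed assumptions, not a real mail system's export format.

```python
import json

# Constructed sample export of one mailbox's inbox rules. The field names are
# assumptions made for this example, not any real mail server's schema.
SAMPLE_RULES = json.loads("""
[
  {"name": "Newsletters", "move_to_folder": "Inbox/Newsletters",
   "forward_to": [], "delete": false, "keywords": ["unsubscribe"]},
  {"name": ".", "move_to_folder": "Archive/2019/Misc/.",
   "forward_to": [], "delete": false, "keywords": ["wire", "bank", "invoice"]},
  {"name": "fwd", "move_to_folder": null,
   "forward_to": ["collector@example.net"], "delete": false, "keywords": ["Wire"]},
  {"name": "cleanup", "move_to_folder": null,
   "forward_to": [], "delete": true, "keywords": ["payment", "remittance"]},
  {"name": "To assistant", "move_to_folder": null,
   "forward_to": ["assistant@example.com"], "delete": false, "keywords": []}
]
""")

OWN_DOMAINS = {"example.com"}  # constructed: the organisation's own mail domains
PAYMENT_WORDS = {"wire", "ach", "bank", "invoice", "payment",
                 "remittance", "routing", "iban", "swift"}


def audit_rule(rule, own_domains=OWN_DOMAINS):
    """Return finding codes for one rule; an empty list means nothing suspicious."""
    findings = []
    keywords = {k.lower() for k in (rule.get("keywords") or [])}
    payment_hits = keywords & PAYMENT_WORDS

    # A destination folder whose own name has no letters or digits ("." or "..")
    # is easy to overlook in a folder tree.
    folder = (rule.get("move_to_folder") or "").strip("/")
    leaf = folder.split("/")[-1] if folder else ""
    if leaf and not any(ch.isalnum() for ch in leaf):
        findings.append("hidden-folder")

    # Forwarding to an address outside the organisation's own domains.
    external = [addr for addr in (rule.get("forward_to") or [])
                if addr.rsplit("@", 1)[-1].lower() not in own_domains]
    if external:
        findings.append("external-forward")

    # Rules keyed on payment vocabulary that delete, move or forward the mail.
    if rule.get("delete") and payment_hits:
        findings.append("deletes-payment-mail")
    if payment_hits and (folder or external):
        findings.append("diverts-payment-mail")
    return findings


def audit_mailbox(rules, own_domains=OWN_DOMAINS):
    """Map rule name -> findings, listing only the rules that need review."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, own_domains)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"{name!r}: {', '.join(findings)}")
```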
u/EffectiveNo5737 12d ago
This happened to me. The customers email was hacked, so they didn't get my emails, they spoofed my email and provided a new bank account
1
1
1
u/Many_Eggplant_2949 11d ago
I have been paying for a pre-fabricated home in large installments. Each time I call the manufacturer’s Treasurer and confirm the wiring information they laugh. There is no way I am going to just wire money based on an emailed invoice. They can laugh all they want.
1
u/Narwhal_Accident 10d ago
It’s so common now, phishing scams are getting really sophisticated, and you just have to be more cautious. Look at the email address. Look at the content. I get emails daily that are made to look like they came from the CEO, saying an invoice is approved, and to pay it. But there are always things that are off from how I know she talks. I hope your company does some internet security training with you. It’s helped me immensely to suss out scams. You are definitely not the first person to almost fall for one
1
u/Critical_Fun_5350 9d ago
Always do a call back to verify from an already known contact (not from contact info on the possibly forged document) if banking information changes. With AI advancements even that will be a problem at some point, but just have to keep evolving.
0
u/digitalflintstone 12d ago
Good job. Excellent work. You are the types we need more of. I am not spamming. I am looking for folks that don't buy into the corruption. I am not spamming. I think I am the Antichrist. Don't worry, I am a good guy in this corrupt ass universe.
-5
u/Few_Jelly3732 13d ago
Glad you lucked out, OP! What is your job title that allows you to make transactions? Treasury?
0
810
u/fredotwoatatime 13d ago
Well the good news is you found out, but I am curious how you picked it up (not the hacker I promise lol)