“This is urgent,” “this needs to remain confidential,” and “I’m relying on you.” These were the phrases that the man on the other end of the phone repeated to Catherine Martin, an accounts payable clerk in the Belgian branch of Evergreen Inc., a Toronto-based company. Once she hung up, she corresponded with the man via their personal email accounts, per his instructions.
Martin believed she was speaking with Fraser Durand, the chief financial officer (CFO) of their medium-sized manufacturing company, and that she was helping to resolve payment to a subcontractor because Evergreen’s usual account was in overdraft. In truth, Durand had no knowledge of this transaction and had not spoken to anyone in the Belgium division in more than a week. “Durand” was actually the perpetrator of an increasingly common deception known as the “fake president” fraud.
The perpetrator emailed Martin an invoice for €612,000 (US$694,000) from a Moldovan company with details of a bank account in Moldova. Martin had not heard of Evergreen doing any business in Moldova, but as the orders came directly from “Durand,” she was not as suspicious as she might have ordinarily been. The email was flagged as important, and, while the message had grammatical and spelling mistakes, it clearly explained that the money was to be transferred immediately and payment was to be divided into increments of approximately €15,000 (US$17,000).
For the next few hours, Martin received several other calls from “Durand” inquiring about the transfer. Payment was delayed because Martin needed the approval of Michel Lemaire, her supervisor in Brussels. Lemaire was out of the office, so Martin contacted him on his mobile phone, indicating the amount and purpose of the transfers, and urged him to act quickly. Lemaire accessed the company’s banking website from home and approved the transfers without asking for supporting documentation.
The following morning in Toronto, Liz Bertrand, Evergreen’s controller, logged onto the company’s banking website as she did every morning before the start of the workday. Between sips of coffee, she noticed a series of transfers to an account in Moldova. As these transfers had been initiated and approved in Brussels, she called Martin. Martin told Bertrand that the transfers had been done at the request of Durand and provided the invoice. Bertrand then spoke to Durand, and they quickly realized the company had been the victim of a fraud.
Bertrand and Martin scrambled to call their bank and halt or recall the transfers, but it was too late: Transfers totaling €186,000 (US$211,000) had been successfully sent to Moldova. The Belgium office filed a police report and began to prepare an insurance claim. Ultimately, the perpetrator was able to successfully withdraw the proceeds of the fraud and escape justice.
This fraud was successful for a variety of reasons. First, the perpetrator had done his homework by researching Evergreen thoroughly. Information about Evergreen executives was publicly displayed on the organization’s website, and company promotional videos may have helped the perpetrator to perfect Durand’s accent and mannerisms. Knowing details such as reporting lines, names, and titles of employees helps perpetrators avoid arousing suspicion. This practice is known as social engineering, and it is an increasingly powerful tool available to perpetrators in the digital era.
The second factor behind the perpetrator’s success was his knowledge of corporate policy. He had an invoice on hand to justify the payment to a “subcontractor,” adding legitimacy to the transaction, and asked for the payment to be split into increments — a practice known as structuring. By splitting the amounts into smaller increments, the perpetrator was able to avoid the usual authorization limits and approval process around cash disbursement. A perpetrator may not know the exact authorization limits, but may specifically ask the target or simply guess at common limits for an employee based on his or her title. Perpetrators also have been known to assume the identity of a genuine supplier or vendor, while providing the targeted employee with new, fraudulent banking details and asking him or her to pay all unpaid invoices. Additionally, some perpetrators will add legitimacy to their email communication by copying an unwitting external professional in email communications — perhaps a partner in a law or accounting firm.
The biggest advantage that perpetrators of this fraud have is that it is easily repeatable with other companies. If discovered, a perpetrator will likely just hang up and move on to the next target. Perpetrators typically use a prepaid, disposable mobile phone and operate out of jurisdictions with lax enforcement, minimizing the chance of being caught. As the dollar values involved in these schemes are high, perpetrators only need to be successful once to make it worth their while.
In this situation, the targeted employee did not notice, or failed to act upon, several red flags. Perpetrators commonly use bogus personal email accounts, such as “Fraser@gmail.com,” that mimic the details of the person being impersonated. Alternatively, perpetrators may use email accounts designed to approximate genuine corporate email accounts, such as “CFO@compaany.com” (often with extra vowels or other small misspellings). Spelling and grammatical mistakes are another red flag. Company or banking details in countries known to be at high risk for fraud, or where the company is not known to do business, are also indicators that the transaction may not be genuine. Finally, a sense of urgency from the caller and a desire for confidentiality and to circumvent controls are common in such schemes.
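As an added example (not from the article), the checks below encode the email red flags just described: a free webmail account carrying an executive's name, and a lookalike corporate domain within a couple of character edits of the genuine one. The webmail list, corporate domain and executive names are constructed for illustration.

```python
# Added example (not from the article): screens the sender address of a payment
# request for the address red flags described above. Webmail list, corporate
# domain and executive names are constructed for illustration.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def sender_red_flags(sender: str, corporate_domain: str, executives: list[str]) -> list[str]:
    """Return the red flags raised by a sender address ([] when none)."""
    local, _, domain = sender.lower().rpartition("@")
    corporate_domain = corporate_domain.lower()
    flags = []
    if domain == corporate_domain:
        return flags  # genuine internal address (assumes SPF/DKIM already checked)
    # A free webmail account whose local part is an executive's name, e.g. the
    # "Fraser@gmail.com" pattern: the request claims authority it cannot prove.
    if domain in FREE_WEBMAIL:
        for name in executives:
            if local in name.lower().split():
                flags.append(f"personal webmail address using executive name '{name}'")
    # A domain a few edits away from the genuine one, e.g. an extra vowel.
    dist = edit_distance(domain, corporate_domain)
    if 0 < dist <= 2:
        flags.append(f"lookalike domain '{domain}' ({dist} edit(s) from '{corporate_domain}')")
    return flags
```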
- Employees should be educated about the “fake president” fraud and similar schemes. Internal auditors can help by offering formal training that ensures employees are aware of the red flags and are encouraged to be skeptical. Upper management should visibly buy into these efforts by publicly stating their approval, and show potentially targeted employees that it is acceptable to challenge suspicious requests for payment.
- Internal auditors can perform an internal controls review of the cash disbursement function in light of the “fake president” fraud. Payments should not be made to an organization or bank account not already in the vendor master file. Changes or additions should always be approved by more than one employee and confirmed with a known contact at the payee. Controls on approval limits should be adjusted so that payments cannot be structured into smaller transactions that pass beneath the limits.
- Every company should have a financial authority limits policy that provides employees clear direction with respect to the approval process. Internal auditors can perform a review to ensure that the policy is followed.
- Employers should be aware of the information employees make public via social networking websites — especially LinkedIn. Formal training offered by the internal audit department should cover the risks posed by social media.
- Internal auditors should consider reviewing information the firm makes public on its website, such as employee positions, email addresses, and phone numbers.
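The vendor-master and structuring controls recommended above, as an added detection check (not from the article or Evergreen): it flags payees absent from the approved vendor master, and any run of payments to one account that each stay under the approver's single-payment limit while their total exceeds it. The payment records, limit, timestamps and account identifiers are constructed.

```python
# Added example (not from the article): a controls check over a day's disbursement
# records; all records, limits and account identifiers are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Payment:
    when: datetime
    payee: str
    account: str   # beneficiary account identifier (placeholder values here)
    amount: float  # EUR
    approver: str

def review_disbursements(payments, vendor_master, single_limit,
                         window=timedelta(hours=24), min_count=3):
    """vendor_master: set of (payee, account) pairs that passed the two-person
    change approval; single_limit: the approver's limit for one payment (EUR)."""
    alerts = []
    unknown = {(p.payee, p.account) for p in payments} - vendor_master
    for payee, account in sorted(unknown):
        alerts.append(f"payee/account not in vendor master: {payee} / {account}")
    runs = {}
    for p in sorted(payments, key=lambda p: p.when):
        runs.setdefault((p.account, p.approver), []).append(p)
    for (account, approver), run in runs.items():
        best, start = [], 0
        for end in range(len(run)):  # sliding time window over the ordered run
            while run[end].when - run[start].when > window:
                start += 1
            chunk = run[start:end + 1]
            if (len(chunk) >= min_count and len(chunk) > len(best)
                    and all(p.amount < single_limit for p in chunk)
                    and sum(p.amount for p in chunk) > single_limit):
                best = chunk  # keep the longest qualifying run
        if best:
            total = sum(p.amount for p in best)
            alerts.append(f"possible structuring: {len(best)} payments totalling EUR "
                          f"{total:,.0f} to {account}, each under EUR {single_limit:,.0f}, "
                          f"approved by {approver}")
    return alerts

def demo():
    """Constructed scenario echoing the article: one vetted payment, then twelve
    near-identical transfers to an account nobody has confirmed."""
    t0 = datetime(2024, 1, 1, 14, 0)  # constructed timestamp
    vendor_master = {("Known Supplier BV", "BE-PLACEHOLDER-1")}
    payments = [Payment(t0, "Known Supplier BV", "BE-PLACEHOLDER-1", 9_000, "Lemaire")]
    payments += [Payment(t0 + timedelta(minutes=10 * i), "Subcontractor SRL",
                         "MD-PLACEHOLDER-IBAN", 15_500, "Lemaire") for i in range(12)]
    return review_disbursements(payments, vendor_master, single_limit=20_000)
```

Run as a periodic review over the payment ledger, a hit on both checks for the same account is exactly the pattern the case describes.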