Verify Before You Trust: Implementing A Validation Policy For Your Company
It’s that time of year again; fraudsters are out in droves looking for ways to obtain data about you and your employees in order to cash in on filing fraudulent tax returns! So what are a few steps you can take as an employer to reduce the risk of unknowingly providing fraudsters with the very information they desperately want (e.g., W-2 forms)?
For starters, implement a policy that requires a validation step for any request for employee data or completed W-2 forms. The formal control term is ‘out-of-band’ verification, which means confirming a request’s authenticity over a different communication channel than the one on which the request arrived (for example, phoning the requester at a number already on file to confirm an emailed request). A workflow could look something like the following:
The same control protects against fraudsters who target companies with requests to transfer funds via ACH or wire that appear to come from an owner or high-ranking executive. In this scenario, many companies perform a risk assessment and set a dollar threshold; any request that exceeds it must receive additional, out-of-band confirmation from the requestor, plus approval from the CFO.
As an example, suppose the CFO of Acme LLC receives an email that appears to be from the CEO, requesting that $25,000 be transferred from one account to another. The CFO doesn’t recognize the account number or the name of the company receiving the funds, but the email is urgent, and it isn’t unusual for the CEO to submit such requests. Had Acme not required additional verification, this would have been a perfect opportunity for the fraudsters. Luckily, the CFO knew that all transfers over $10,000 required additional verification and called the CEO on her cell phone to confirm the request. The request was indeed fraudulent, and the CFO reported the email to IT.
That example could have gone far differently, and Acme could easily have been out the $25,000.
Here are a few things that any business can do to manage risk associated with fraudulent filings and transfers:
1. Provide security awareness training to personnel (especially those with responsibility for personnel information, accounts payable, and financial account management).
2. Implement two-factor authentication for accessing your bank accounts (this requires your standard username and password, as well as a second factor such as a one-time password or security token).
3. Update your ACH and wire transfer procedures to include steps requiring additional, out-of-band validation of requests exceeding an established threshold. Confirm by calling the requestor at a phone number already on record, never at a number supplied in the request itself. Consider requiring an additional executive to approve high-dollar transfer requests.
4. Implement anti-spam filters and work with your IT and Security teams to tune them to your environment.
5. Have ‘phishing’ tests performed throughout the year to improve your employees’ security awareness around detecting and responding to fraudulent emails.
When it comes to securing your business and employees, the worst possible action is taking no action. Start with some of the easy wins, and feel free to contact David Buchanan with any questions about how to improve your cyber security posture!
Delap LLP is one of Portland’s largest local tax, assurance, wealth advisory, and information security consulting firms and is located in Lake Oswego, Oregon.