This past August, accounts payable staff at MacEwan University in Edmonton made a simple change to vendor banking information that ended up costing the university $11.8 million. In June, an email was sent to MacEwan staff from what appeared to be a known vendor, Clark Builders, which had been working with MacEwan on various construction projects since 2003. In this correspondence, which went back and forth for several weeks, the email sender made a request that the University change Clark Builders’ banking information. The banking information was changed without further verification, and three separate payments were made to a fraudulent account. Already, $11.4 million has been traced back to accounts in Montreal and Hong Kong, but the investigation into the remaining amount continues.
While the case has been covered by dozens of news outlets as an example of massive fraud carried out through a phishing attack, much commentary has focused on the shocking lack of financial controls in place at MacEwan.
Phishing attacks are nothing new for most businesses, but the methods used have been getting more sophisticated as cybercriminals hone their skills to create increasingly convincing email campaigns and new tools become available to them. In many cases, however, phishing schemes still rely on basic social engineering techniques designed to trick targets into revealing personal information. MacEwan was the victim of what’s known as a spear phishing attack, which targets a specific organization or individual by impersonating a known associate or client.
In a survey of more than 500 cybersecurity professionals released earlier this year, a majority of respondents (76%) stated that their organization had been the victim of a phishing attack in 2016. While this actually represents a 10% decrease from the previous year’s results, risky behaviours among employees are still rampant. Employee security awareness training is an important measure that organizations can take to reduce their susceptibility to phishing attacks, but business protocols also need to be in place as a firm barrier against employee error.
Post-secondary institutions will soon find themselves subject to new regulations that require mandatory reporting of cybercrimes. Beyond that, institutions should audit their current accounting processes and evaluate the efficacy of their current internal controls. While security technologies like filters, threat intelligence tools, and other anti-phishing software can reduce the risk, real protection must be built into an organization’s internal processes.
For accounts payable teams that deal with high invoice volumes or significant payment amounts, an AP automation solution can be an invaluable tool for enforcing internal controls. With AP automation, each invoice and payment request is instantly routed through pre-established channels for approval. Most AP automation solutions also strictly control employee user access, allowing administrators to customize user credentials based on job role or other factors. Beanworks is a cloud-based AP automation tool that includes all these features, plus on-demand reports as well as invoice and payment audit trails that give administrators the power to know exactly which actions have been taken on any invoice at any time. Within the Beanworks payments module, BeanPay, we also have additional notification measures to enhance security. When vendor information is changed, an instant email notification is sent to the payment administrators.
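The vendor-change control described above, as an added illustration that is not Beanworks code: a minimal vendor master that records a bank-account change request without applying it, refuses to apply it until a second person has verified the change by phoning a number already on file and a third person approves it, holds payments to that vendor while the change is pending, emits a notification at each step, and keeps an audit trail. The class and method names, the account strings and the user names are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    requested_by: str
    verified_by: Optional[str] = None  # who confirmed the change out of band

class VendorMaster:
    def __init__(self, accounts, notify):
        self.accounts = dict(accounts)  # vendor -> bank account on file
        self.pending = {}               # vendor -> ChangeRequest awaiting approval
        self.audit = []                 # append-only trail of every action taken
        self.notify = notify            # callback standing in for the email alert

    def _log(self, action, vendor, actor):
        self.audit.append((datetime.now(timezone.utc).isoformat(), action, vendor, actor))

    def request_change(self, vendor, new_account, requested_by):
        # Record the request only; the account on file is not touched yet.
        self.pending[vendor] = ChangeRequest(vendor, new_account, requested_by)
        self._log("change_requested", vendor, requested_by)
        self.notify(f"bank change requested for {vendor} by {requested_by}")

    def verify_by_callback(self, vendor, verified_by):
        # A second person confirms by phoning a number already on file, never one from the email.
        req = self.pending[vendor]
        if verified_by == req.requested_by:
            raise PermissionError("requester cannot verify their own change")
        req.verified_by = verified_by
        self._log("callback_verified", vendor, verified_by)

    def approve(self, vendor, approved_by):
        req = self.pending[vendor]
        if req.verified_by is None:
            raise PermissionError("change has not been verified out of band")
        if approved_by in (req.requested_by, req.verified_by):
            raise PermissionError("approver must be a third person")
        self.accounts[vendor] = req.new_account
        del self.pending[vendor]
        self._log("change_approved", vendor, approved_by)
        self.notify(f"bank account for {vendor} updated, approved by {approved_by}")

    def can_pay(self, vendor, account):
        # Block payments while a change is pending, and to any account not on file.
        return vendor not in self.pending and self.accounts.get(vendor) == account
```

In the MacEwan scenario this control would have held all three payments until someone other than the email's recipient had phoned the vendor at a known number.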
With Beanworks, organizations get real-time control of their cash flow and complete visibility into the entire AP process. Learn more about how our solution provides a secure way to streamline accounts payable workflows.
Photo source: MacEwan University