“$1 million is missing from the bank account,” Kevin’s accountant said softly to him, glancing around to make sure no one was listening. “It looks like someone hacked the AP system and sent wire payments to China.” The news made Kevin’s stomach churn. As the company’s CFO, he knew the business was on the brink of insolvency and this might be a fatal blow. Of all the things that could have pushed them over the edge, he never imagined it would be hackers.
Kevin (name changed for anonymity) became a business turnaround client of ours, forced into an expensive restructuring due to a lack of IT oversight. His story is tragically common. Kevin was heads-down focused on business fundamentals: managing the pandemic, cost control, sales growth, cash shortfalls, etc. He was already working 80 hours per week keeping the company out of trouble — what time did he have to worry about hackers?
The Digitalization of Accounting
The original CFO was the head of the sprawling accounting department, managing hundreds of clerks in a command-and-control system. Their teams spent thousands of hours tallying paper records, using adding machines to aggregate figures, and recording transactions in server-based accounting systems. They were truly bean-counters, and their practice required hard work and discipline. The CFO controlled this department with expertise and authority.
How did a CFO prevent fraud? Consider vendor bill payments. When he started his career 25 years ago, Kevin controlled AP fraud by:
- Locking check stock in a vault or office with limited access.
- Requiring two signatures on checks.
- Requiring a three-way match on bills, receipts, and POs.
- Issuing discrete spending limits on all staff.
Two clerks worked every day matching up paperwork to meet Kevin’s tough requirements. And Kevin was the ultimate gatekeeper, literally holding the key to the room with check stock. But Kevin’s world was expensive and slow. Imagine the waste — college-educated employees literally matching up pieces of paper, stapling them together, and moving them to someone else’s inbox. Day in, day out.
In the modern accounting world, cloud accounting software automates data collection through integrations. Transaction matching is performed instantly by A.I. The duties of a CFO are transitioning from managing people and equations to managing IT systems and access.
Kevin digitized his AP payment process five years ago, effectively eliminating one FTE and speeding up vendor payments by seven days. Now, his business does not have check stock. The locked room that used to hold check stock is now open and used as a break room.
Fraud Threats Outside the Accounting Department
Kevin’s old lock-and-key controls were designed to prevent internal fraud — employees (usually accountants) stealing from the company. Outsiders were hardly a threat since they could not get into the building, let alone the room with check stock. But the digital world is not so simple….
Kevin’s accountant, Joe, was traveling for work and had a three-hour layover at the Dallas airport. He logged into the airport Wi-Fi and used the time to catch up on emails and issue vendor payments. Little did Joe know that the Wi-Fi network, called “Free-DFW-Wifi,” was actually a fake — a hacker’s hotspot intended to lure in business travelers like Joe. Once connected, the hacker monitored 100 percent of Joe’s web traffic, including his logins and passwords. A few weeks later, over $1 million had been wired out of the bank account using Joe’s stolen credentials.
The whole thing could have been avoided using a VPN connection or by teaching Joe to recognize common hacker scams. But Joe had neither the tools nor the knowledge and inadvertently gave away the key to the AP system.
Myths About Fraud That CFOs Tell Themselves
Hacker fraud is like a car accident — statistically unlikely to happen, but fatal if you are not wearing your seat belt. We get into our cars every day and put on our seat belts even though we do not expect to get in a crash. Likewise, a CFO should routinely invest time in IT security even though they do not expect to get in a crash.
Unfortunately, most CFOs act like Kevin and underestimate the risk of hacker fraud. This culture of ignorance is perpetuated by a series of myths CFOs tell themselves.
Myth: Hackers mostly target large corporations, not small businesses.
Fact: Over 55 percent of breaches occur at small businesses, 93 percent of which are financially motivated.
Myth: Hiring IT experts like managed service providers (MSPs) will ensure your company is protected.
Fact: Hiring a reputable MSP will not address your largest vulnerability: your employees. Also, keep in mind the recent Kaseya hack was perpetrated through MSP software.
Myth: “My company does not have valuable data like social security numbers, so we are not a target for hackers.”
Fact: Data theft is just one form of hacker crime. AP fraud is equally rampant and has nothing to do with personally identifiable data (PII).
Myth: “My IT team is managing security, so my CFO should stay focused on financials.”
Fact: Your IT team has no authority over AP payment systems — a common target for fraud.
How Good CFOs Manage Internet Fraud Risk
Here is the good news: When managed properly, cloud accounting and payment systems are actually more secure than traditional paper-based systems. But system security depends on proper setup and maintenance. How digitally literate is your CFO? Here are the best practices a CFO should be following to manage the risk of internet fraudsters:
Study fraud examples and educate staff. Empower your staff to identify fraud when they see it. CFOs should study hacker fraud schemes such as phishing, spear phishing, fake Wi-Fi systems, and fake vendor invoices. More important, they should hold regular employee trainings to share their knowledge.
Implement strong password management and 2FA. Generating strong, unique passwords with cellphone-enabled two-factor authentication prevents vulnerabilities from spreading unchecked. Inexpensive software like LastPass and 1Password makes this easy.
Implement a three-way match on AP systems. Too often, I see small businesses set up AP systems without proper checks and balances to avoid fraud. Consult your AP software’s website or a forensic accountant to make sure your software is properly set up.
When in doubt, pick up the phone. Hackers take advantage of our reliance on email. Chinese hackers used a simple email to trick toy maker Mattel into giving away $3 million. Before sending a wire, changing a vendor’s ACH info, or creating a new vendor file, it is best to pick up the phone and talk to someone to confirm the request.
Purchase the proper fraud and data theft insurance plan. Insurance can be a useful tool to offset theft expenses or partially recover lost money, but many insurance policies do not cover what you think they should. Work with your insurance broker to shop for the right coverage level.
A proactive CFO coupled with a strong IT team can keep your business one step ahead of the hackers. Keep your head out of the sand and take IT threats seriously, or you may find yourself filled with regret like Kevin.