Gone Phishing

“The boss needs gift cards… but keep it a secret!”

“Accounts Payable, send a wire to XYZ international company, ASAP!”

Do these lines sound familiar? If so, you or your company may have been one of the unlucky ones targeted by the latest in a long list of email fraud scams. Scammers are getting more creative all the time, and it is working for them. It seems like every day another email scam is popping up in the news, and in our inbox. While you will never be able to completely eliminate these scams from infiltrating your company, you can help your employees be more alert. Here are some tips to help you avoid being the next victim.

  1. Who sent the email? Hover your cursor over the sender’s email address to verify the sender, the true email address will pop up in a small window. Often spammers use bogus emails masked as legit emails to trick the recipient. Many times this is a first clue in identifying who the sender really is, or is not.
  2. Does the email sound like the sender? Bad grammar, misspellings, or writing differently than their norm indicates it may not be who you think.
  3. Was this message expected? If you get a request for some form of payment with a sense of urgency, does it follow the normal course of business or does it seem strange?
  4. If in doubt, check it out! Don’t reply to the email, instead pick up the phone and call the sender before you take any action. A reply will just serve to validate the email, opening you up as a target for future scams. We’ve seen several situations where simply calling the “sender” either prevented the fraud or would have prevented the fraud.
  5. Are there are any hyperlinks? You can hover over the link to see where they really point or, better still, type the website into the browser yourself. Never click on a link in an unsolicited email requesting personal information, passwords or financial data.
  6. Google it. If the request still seems too unfamiliar to be real, google it and see if it is a known scam. You may be surprised to learn you aren’t the only one that was targeted.
  7. Implement dual controls. Talk to your bank about including the requirement of a second individual’s approval prior to sending electronic payments. A second set of eyes can provide a layer of protection for the organization. This is particularly important on wire transfer requests. Assign someone to double check the wiring instructions (bank account numbers) and another person to then approve the wire itself.
  8. Standardize the payment process. The more standardized the AP process is, the easier it is to spot the oddball payment requests. If 99% of your payments are for invoices, an email requesting a wire or Western Union to Mali will stick out like a sore thumb. Additionally, if you also require some kind of expense report or check request for non-invoice payments, you should have more assurance that the request for gift cards is legitimate. Or not. But having backup for the payment other than an email is helpful in corroborating the legitimacy of the request.

The best thing you can do to avoid getting caught in an email scam is to educate and empower your employees. So often AP staff are trained to process the bills quickly. But with them on the front lines of knowing what “normal” activity looks like for your company, they have a lot of opportunities to head off unusual payment requests. Does the boss really need 20 $100 iTunes gift cards? If the request seems abnormal, encourage your people to speak up. You may save yourselves from being caught up in the middle of a fraud scam.

About the Author
Amanda Bullock is a consultant with Morrison, working primarily in our Business & Accounting Advisory practice. To get in touch with Amanda, please find contact information for Morrison here.


We’ve worked with a wide variety of clients on a broad range of projects and are happy to discuss solutions that can best fit your needs.

Get in Touch