Phishing and other cyber crimes can pose a risk to any business that isn’t digitally secure. Phishing is a form of digital attack where a hacker attempts to gain access to bank accounts, credit cards, and other personal financial records by sending out emails that ask for information or contain computer viruses. As an accountant, get ahead of scammers by recommending these easy-to-implement internal controls to your business clients.
Have Clients Name an Authorized Contact Person
Make sure your clients have a designated contact person for each financial account. This person should be the only individual at your client’s company who has the authority to request changes to an existing contract, or to send invoices and payments. If the financial institution receives requests from anyone who is not that contact person, those requests should not be fulfilled until the contact person has approved them.
Reducing the number of people who have the authority to request changes and payments reduces the risk of a business falling victim to a phishing scam where a hacker poses as someone with the credentials for a particular account. The contact person’s identity should also be verifiable with information like a birth date and address, and through personalized security questions.
Make Changes to Contracts Over the Phone
When you’re discussing sensitive information like account balances and contract changes with clients, the phone is the way to go. It’s much harder for a scammer to impersonate a contact person over the phone, and phone conversations don’t usually leave a paper trail.
If one of your clients requests a change to an account, provide them with a phone number where they can contact you instead. Encourage your business clients to do the same with their own vendors and customers. Phone conversations are best conducted with someone in the company who is familiar with the contact person, or who is authorized to make changes to important accounts.
Implement Different Payment Tiers
Different clients have different accounting needs. Small businesses have simpler needs than large businesses. For example, a distribution company with a relatively small number of vendors and clients requires strong transaction and information security. Managerial staff should directly handle the most important accounts, but lower-level customer service employees should be able to process relatively small, everyday transactions.
Recommend that large corporations have multiple communication tiers: levels that designate different contacts for clients with different needs. An architecture firm that has been contracted to design a building for an established business should not be communicating exclusively with bottom-tier customer service workers when dealing with invoices and contract agreements. In this case, any changes or requests should be processed through high-level management staff.
Send Receipts and Payment Confirmations
One very important recommendation to make to your clients is to make it standard procedure to confirm payments. Whenever your client sends a payment to a business, the designated contact person should get an email or text confirmation that the payment was received. Your client’s business should return the favor by promptly sending receipts for payments received. This control may not prevent phishing outright, but it helps ensure that any fraud that does happen is caught early enough to prevent significant loss.
If a contact person receives confirmation that their invoice has been processed, but they do not receive an actual payment, they should know quite quickly that something has gone wrong. At this point, a business should contact their bank so that relevant accounts and records can be protected before any money disappears.
Encourage your business clients to use internal controls like these, along with basic security strategies like installing spam filters on email, backing up contracts, and using safe credentials for access to email accounts. These steps can ensure that the businesses you work with stay secure and fraud-free.