2017-12-05 | Tax Professional | English

Help protect your business clients with these internal control measures to prevent phishing attacks and other cyber crimes.

https://quickbooks.intuit.com/ca/resources/pro-taxes/accounting-internal-controls-against-phishing/

Internal Accounting Controls to Help Foil Phishing


Phishing and other cyber crimes can pose a risk to any business that isn’t digitally secure. Phishing is a form of digital attack where a hacker attempts to gain access to bank accounts, credit cards, and other personal financial records by sending out emails that ask for information or contain computer viruses. As an accountant, get ahead of scammers by recommending these easy-to-implement internal controls to your business clients.

Have Clients Name an Authorized Contact Person

Make sure your clients have a designated contact person for each financial account. This person should be the only individual at your client’s company who has the authority to request changes to an existing contract, or to send invoices and payments. If the financial institution receives requests from anyone who is not that contact person, those requests should not be fulfilled until the contact person has approved them.

Reducing the number of people who have the authority to request changes and payments reduces the risk of a business falling victim to a phishing scam where a hacker poses as someone with the credentials for a particular account. The contact person’s identity should also be verifiable with information like a birth date and address, and through personalized security questions.

Make Changes to Contracts Over the Phone

When you’re discussing sensitive information like account balances and contract changes with clients, the phone is the way to go. It’s much harder for a scammer to impersonate a contact person over the phone, and phone conversations don’t usually leave a paper trail.

If one of your clients requests a change to an account, provide them with a phone number where they can contact you instead. Encourage your business clients to do the same with their own vendors and customers. Phone conversations are best conducted with someone in the company who is familiar with the contact person, or who is authorized to make changes to important accounts.

Implement Different Payment Tiers

Different clients have different accounting needs. Small businesses have simpler needs than large businesses. For example, a distribution company with a relatively small number of vendors and clients requires strong transaction and information security. Managerial staff should directly handle the most important accounts, but lower-level customer service employees should be able to process relatively small, everyday transactions.

Recommend that large corporations have multiple communication tiers, or levels, that designate different contacts for clients with different needs. An architecture firm that has been contracted to design a building for an established business should not be communicating exclusively with bottom-tier customer service workers when dealing with invoices and contract agreements. In this case, any changes or requests should be processed through high-level management staff.

Send Receipts and Payment Confirmations

One very important recommendation to make to your clients is to make it standard procedure to confirm payments. Whenever your client sends a payment to a business, the designated contact person should get an email or text confirmation that the payment was received. Your client’s business should return the favor by promptly sending receipts for payments received. This control may not prevent phishing outright, but it helps ensure that any fraud that does happen is caught early enough to prevent significant loss.

If a contact person receives confirmation that their invoice has been processed, but they do not receive an actual payment, they should know quite quickly that something has gone wrong. At this point, the business should contact its bank so that relevant accounts and records can be protected before any money disappears.

Encourage your business clients to use internal controls like these, along with basic security strategies like installing spam filters on emails, backing up contracts, and using safe credentials for allowing access to email accounts. These steps can ensure that the businesses you work with stay secure and fraud-free.

Information may be abridged and therefore incomplete. This document/information does not constitute, and should not be considered a substitute for, legal or financial advice. Each financial situation is different; the advice provided is intended to be general. Please contact your financial or legal advisors for information specific to your situation.
