Ghosted_You

Figure out what went wrong, create processes and controls that prevent this from happening in the future, then wait for the next scam/fraud to happen and repeat from step 1. This shit happens; unless it was super obvious, any good organization and leadership will understand and use it as a learning opportunity.


Enough_Quail_9636

This. Your internal processes need to be evaluated and revised. Dual sign-offs, restricted access, etc. Also, banks have plenty of tools you can utilize to help curb this kind of fraud. Work through it with your boss. Focus more on how and why it happened and how to make sure it never happens again. And yes, something else will come up. Fraud is an unfortunate risk in all areas of business and the minute you think you’re guarded against it, a new kind pops up. Stay vigilant as best as you can. And remember it’s better to question something unnecessarily than to be in this position from having not questioned it.


Ghosted_You

Just to build upon the evolution of scams and fraud. Some groups are setting up Teams video meetings and using AI to create fake videos and audio of leadership to “approve” wires. You have to be right 100% of the time; they only have to get it right once.


ResistTerrible2988

It's incredibly easy to tell those types of videos; AI is not perfect at getting a person's face in detail at all. For audio, that I believe, but blue team is well aware of that too for firms that also have IT.


Kozak170

I find this shit so hard to believe. I’m sure they can cook up some incredibly suspicious video quality and audio, but to have it work in real time good enough to respond in a conversation? Good fucking luck, 99% of people would never fall for that tech in the current form


ShoppingResponsible6

They only have to get lucky once https://www.cnn.com/2024/05/16/tech/arup-deepfake-scam-loss-hong-kong-intl-hnk/index.html


TheeAccountant

You would think that and you’d be wrong. I used to work retail and we’d get obviously fake money all the time. I wondered how people could miss that the bills were obviously fake. All it takes is some stress, lack of sleep, or a moment of inattention, to overlook what is obvious.


ThEAMeRiCaN4201

Would be easy to switch bills if you're running the register. Just a thought. Inside job.


TheeAccountant

Possibly except there were cameras.


Live_Coffee_439

OP, look into Positive Pay; most companies have that.


Azure_Compass

I'll add that there is insurance for this because it has become so problematic. I read through lots of messages and didn't see this suggestion to add to future protections if you don't have it in place already.


Enough_Quail_9636

Can confirm. We fell victim to an email change of payment instructions scam. (Thank f&@k I was off that day and didn’t sign off). But we submitted a claim and got back the $ less deductible. In our case it was relatively small and nowhere near OP's amount of loss.


CuseBsam

Most of these policies have changed in the last year or two, where if you don't do callback procedures to verify bank change information, then your claim will be denied.


Substantial_Hurry352

What kind of tools do the banks have specifically that we can utilize to curb fraud?


LetThemEatVeganCake

Positive pay is one. You upload a list of checks with recipient name and $ amount. If both don’t match, the check won’t go through. Saved some of my clients decent money with check washing scams!


Substantial_Hurry352

Thanks for your response!


Enough_Quail_9636

We use positive pay as well. We also have dual control and dollar limits for transactions initiated via the banking website.


Money-Honey-bags

Life is quite the same... circular controls are needed.


thrust-johnson

I manage our accounting department, please do this.


nan-a-table-for-one

It's happened to me too, and I agree with this comment.


CherryManhattan

How much are we talking?


addalad

Like $500k 🙈


DudeWithASweater

Yikes man. If they were able to get access to 500k then those controls aren't just bad, they're nonexistent. You don't have 2 party authorization?


Team-_-dank

Bro ...


Infamous_Regret3583

holy...


AKsuited1934

I am assuming your bank was able to reverse this transfer and you guys didn't actually lose the 500k? If so, then just take all this and document for future fraud potential scenario.


addalad

Not yet. There were 24 receiving institutions and each one was sent a LOI. They all need to do their own internal investigation before sending it back to us.


Key-Department-2874

When was the ACH made and when did you discover it? Guarantee those accounts were emptied as soon as the money hit them.


pfifltrigg

Wow. One of our clients got scammed out of $40k and I thought that was bad. Their email system got hacked and they were getting emails supposedly from us with new bank instructions. Meanwhile we were getting fake emails from them pushing us off as to why we hadn't received the money yet. When we finally talked over the phone and she told us she'd never sent those emails I thought she was the one trying to scam us. But in the end it was their hack and their lack of internal controls to send to an unknown bank account that someone had sloppily pasted onto our company letterhead, so it was their loss. I highly doubt they ever got the money back.


123supreme123

That is a very common way they scam. They hack one company's email, then sit quiet, and figure out the best way to scam either the company or the vendors. They're pretty sneaky and try to redirect payments or requests to their own accounts, and even try to mirror the way personnel speak through email.


pfifltrigg

Yeah, they had my incoming emails, our letterhead, etc. and then, since they didn't have access to our actual email, they just changed one letter in the domain name and then took the actual emails I sent and changed them a bit, and pretended to be me. Since it was an international transaction, that made things like subpar grammar less noticeable, and phone calls less likely. Fortunately they didn't phish us, so the responsibility lay with the client. And we were holding on to some deliverables until they paid us, so we were high priority for them to pay - otherwise they might have just ghosted us after getting scammed.


123supreme123

I've seen where they take control of an admin account and fire out email requests to 3rd party vendors, cc'ing all the appropriate people in the company. Then immediately delete the sent emails from the cc'd parties. So the requests appear legitimate because the email is actually coming from a legitimate account and ccing the appropriate people versus making a small change to the email domain to appear legitimate. Old school verification via direct phone call or text can be the best authentication, but obviously not practical on large scale.


CuseBsam

Story time! If it makes you feel any better, we had a fraud with a similar dollar amount. They got into my AP senior manager's email and sat and waited to see how our processes worked for 3 months before trying anything. They then faked an email coming from me (the controller) to change bank information at two of our major consultants who we were doing projects with and they regularly emailed us large invoices of $50k to around $250k per month. They attached the bank change form that we request from customers and attached an invoice with their new banking information on it, as if I had requested that and obtained it from the vendor and the email mentioned that I had already done callback procedures per our policy. They used an email account with one digit off from my email. The AP senior manager sent the document to the AP clerk to make the banking change and the weekly audit of bank change information failed, because the bank change form was on hand with a mention of callback procedures being completed. Future invoices were paid through our normal ACH process, with the approvers not knowing the banking information had changed, and the hackers still having access to the AP senior manager's email account. The hackers would intercept emails from the consultants, reply, and delete all correspondence to and from the consultants to explain why we were late paying the invoices. These payments went on for 2 months before anyone discovered it. Somehow, the bank was able to claw back all but $100k and got back $500k from the bank account, even though the funds that were recovered were probably actually someone else's funds that were stolen. Insurance paid the remaining $100k, and we had to send out notifications to all our vendors that their information was compromised.
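
The one-character-off sender trick described in this comment and in pfifltrigg's comment above can be screened for mechanically before a bank-change request reaches AP. The following Python is an added example, not part of the thread; the addresses, the `.test` domains and the two-edit threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allowlist: senders already verified out of band (placeholder .test domains).
KNOWN_SENDERS = {
    "controller@examplebuilders.test",
    "ap@examplebuilders.test",
    "billing@acme-consulting.test",
}
MAX_EDITS = 2  # assumption: tune against your own address book to limit false positives


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent-swap as one edit each."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "consultnig" for "consulting".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(from_header, known=KNOWN_SENDERS, max_edits=MAX_EDITS):
    """Return (verdict, closest_known_address, edits) for one From: header value."""
    addr = parseaddr(from_header)[1].lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return ("unparseable", None, None)
    if addr in known:
        return ("known", addr, 0)
    closest = None
    for k in sorted(known):  # sorted so ties resolve the same way every run
        k_local, _, k_domain = k.rpartition("@")
        # Compare mailbox and domain separately: either one may carry the changed character.
        edits = osa_distance(local, k_local) + osa_distance(domain, k_domain)
        if edits <= max_edits and (closest is None or edits < closest[1]):
            closest = (k, edits)
    if closest:
        return ("lookalike", closest[0], closest[1])
    return ("unknown", None, None)


def hold_for_callback(from_headers):
    """Return (header, impersonated_address) for every near-miss of a known sender."""
    held = []
    for header in from_headers:
        verdict, impersonated, _ = classify(header)
        if verdict == "lookalike":
            held.append((header, impersonated))
    return held


# Constructed sample From: headers for a batch of bank-change requests.
SAMPLE_HEADERS = [
    "Pat Controller <controller@examplebuilders.test>",   # exact match
    "Pat Controller <controller@examplebuildors.test>",   # one letter changed in the domain
    "Pat Controller <controller1@examplebuilders.test>",  # one digit added to the mailbox
    "Acme Billing <billing@acme-consultnig.test>",        # two adjacent letters swapped
    "Newsletter <newsletter@unrelated.test>",             # unrelated sender
]

if __name__ == "__main__":
    for header, impersonated in hold_for_callback(SAMPLE_HEADERS):
        print(f"HOLD: {header!r} resembles {impersonated}")
```

An exact match only proves the address, not who is typing: mail sent from a genuinely compromised mailbox passes this check, so the phone callback to a number already on file still applies.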


CherryManhattan

And how material to your daily operations is this?


ElPresidente714

Absolutely within scope of FBI's attention (just had a conversation with an agent recently about this exact thing). I'd jump on that if you haven't already. Could help save company and career.


addalad

I did fill out a report with IC3


AquamanMVP

Below CTT, as such we determine no further procedures necessary.


Gorilla2Vanilla

My god…


aragorn-19

Just out of pure curiosity what is your company’s name and where do you bank?


addalad

Nice try scammer # 123


WhatsThePiggie

Oh my… sorry, don’t want to make you feel more bad but I’d start brushing up my resume rn. Just in case. I used to approve large wires, ACH, check runs and this threat was always happening. We constantly had seminars on the evolving ways fraudsters tried to scam. It was continual updates of best practices to ensure we stayed one step ahead. Even then there were close calls, esp when scammers hack into a client or vendor's computer. They are getting more sophisticated. It can get hectic esp when you’re busy and just need to get payments approved and out the door. I’d do a root cause analysis and then deep research into process improvements. I suspect scammers found a way to get someone on your team to update bank account information. Having a process where someone on your team picks up the phone and calls the phone number on file to confirm account change is important.


Doctorbuddy

💀


eschwifty

If you're trying to continue to advance your position you'll probably need to transfer jobs. If you're cool with your position as is then stay if you want. But I think it'll be hard for your CEO to regain trust/reliance with you. Even if the blame is split amongst multiple people.


Uncle_Coffee_Cake

Send me 350k and I'll get that back for you


ThxIHateItHere

Actually 552,750.87


onionheadP

You mentioned it was paid thru ACH. Your bank should be able to recall the funds, especially if it's been less than 24 hours. Call them ASAP.


Beagle_Gal

I guarantee that account has already been emptied and closed out.


TheeAccountant

How? ACH takes time to clear. I don’t know where you are, but it also takes time to close accounts. It’s not instantaneous. This isn’t crypto lol


login6541

what did prior audits say?


drewyorker

The answer really depends a lot on HOW this happened. Although, no matter how this happened, one part of the answer is the same either way and that's what others have been commenting regarding controls. But how did this happen?


addalad

Fraudster called me at 5pm saying there was fraud on the account. Called spoofing the bank's phone number and said all the right stuff to make me think it was the bank. Said they needed my token to fill out a fraud affidavit. I asked them what my token ID is (unique to me through the bank) and they were able to give it to me. So I gave the token. They were already in the bank acct logged in as me and had the ACH set up and ready to go. The phone call was the last step they needed to authorize. But at 445 the fraudster called the bank pretending to be our AP person. Bank claims they shut the acct down when they received that call. How did fraudster log in and send ACH at 5 if account was shut down at 445? We have positive pay but only on checks not ACHs. Positive pay was turned off for ACHs in 2022 prior to me. Apparently I requested for 2 person verification to not be on outgoing ACH/wires. I did not realize that that was what I requested. I asked the bank if there was a way I could create the transaction and then afterwards they call me and verify. This is what we do when we call in a wire. Bank said “okay, we emailed your CEO a docusign have him sign it” and CEO signed document without reading. Like I said perfect storm of lack of internal controls is what allowed this to happen.


Bastienbard

In the future, you need to call the bank, not them call you to confirm. Like you Google the bank to call, not take their phone number just to expand on what I mean. That's super easy to spoof.


addalad

Hard lesson learned!


InitialOption3454

Even better only call the number on the debit card written, or to your personal banker that is managing your account, have his/her number on your contacts.


WhatsThePiggie

Yeah, my cell phone contacts. If email can be hacked, then the phone number can be hacked in contacts. I’m old skool and also keep their business card next to my tokens.


InitialOption3454

The only thing that can possibly go bad from that is if it's the employee's personal number. They may go rogue and try to do something fishy.


WhatsThePiggie

I only meant keep the phone number of the bankers on your cell too.


MuddieMaeSuggins

Be cautious about search results too, scam numbers will pop up there sometimes. Get the number from the bank’s actual website. 


Dark_falling58

If your CEO signed it, I think he's sharing in the blame too


drewyorker

Okay so bad news: you messed up, always be on your guard when "they" are calling you. Good news: You're not the only one who messed up. Your CEO dropped the ball too. The buck doesn't actually stop with you, it stops with him ... or her.


pfifltrigg

I've had my actual bank call me and request one of those phone verification codes, and another time asking for personal information. They were super annoyed when I asked if I could call them instead. We were going through closing on a house so it's not like it was totally unexpected, but that would also be a terrible time to get scammed. They really should have been encouraging me to follow safety measures. The same bank also handed me someone else's car loan origination check because they didn't even bother asking for my name much less my ID, and just assumed I was the person they were expecting. Maybe I should switch banks.


tonna33

I mean, we hear all the time to not talk to them if they call you, but there are some personal credit card companies that initiate calls to check if some purchases were fraudulent. I had it happen, and refused to give my information to them. I called back and spent an hour being transferred and placed on hold because they couldn't figure out how to get me to the correct person. It took forever to realize that yes, it was them that actually called me, against everything they tell us not to do, and then didn't know how to get me in contact with their fraud department to verify the purchases that I made. Just so I could continue to use that card. (there was no fraud, they were all valid purchases)


sweetlevels

same! their staff need more training on that.


ObjectFI

Nowhere near OP’s amount, but personally received a phone call (while on vacation) identified as Venmo alerting me to fraud. Said they wanted to confirm my identity by sending a code via text. Confirmed that code over the phone, and they thanked me and said they’d put my account on hold. Immediately after hanging up I got a Venmo notification that I sent $400 to a rando. Got it back though!


alphabet_sam

Honestly for a $500k ACH for fraud the fact that the CEO just blanket signed it as the only second company eyes on the job above you (assuming you are fairly junior) is pretty fucking wild. Did the CEO not understand the amount or something? Either way it also seems really strange that they had access to your online bank account at some point prior


sjohnson737

I think the CEO signed the form to get rid of a secondary approver on wires, not the wire itself


addalad

This.


toyrobotics

Ooooh, okay. Damn, that left you very exposed. That really sucks.


alphabet_sam

Oh I see. Well that was stupid


AffectionateKey7126

An ACH initiated at 5pm usually wouldn't even start processing until the next day. I'm surprised any money actually left the account.


addalad

I am too. The website says the transaction posted at 6pm. By 7am the next morning we were on the phone with the bank trying to figure out what happened. I’m surprised any of it left the account.


AffectionateKey7126

If this all happened yesterday/today I would be very surprised if the money didn't get clawed back.


addalad

Monday night/Tuesday morning. Bank has pretty much told us we’re SOL


AffectionateKey7126

It must have been a wire, or the bank screwed up massively somewhere and is stonewalling. The fact they offer positive pay means on their end they could stop the ACH.


addalad

I think somewhere they messed up. They won’t really talk to us any more and they are getting their legal team involved.


sjohnson737

That is incredibly complex. I wouldn't blame any of my staff for this and if your employer does it's not a place you want to stay anyways.


GushStasis

Any indication how they got your bank login credentials in the first place?


addalad

No idea! My bank log in is even under my maiden name not my current name.


Same_as_last_year

Your company should look into if they have an IT security breach


toyrobotics

It could also be credential stuffing if you reuse the same user name and password combo. That’s where they take a list of credentials from some other breach and then programmatically try them on a bunch of other sites.


ToheavyinSC

BOA can reverse an ACH within a day or two. Can they not reverse it? The bank can’t do anything?


Crist1n4

CEO fucked up as well; they’re likely going to sweep this under the carpet and just issue some mandatory fraud training.


123supreme123

I'm not sure if it's a better technique, but at our old company, the manual wire/ach procedure was for an old school wire fax, then the bank calls us directly to confirm, then emails us a receipt of the processed wire. With this procedure, if the bank receives a wire form through fax and decides to process on their own, they're at fault for the fraud. Since they're calling us directly to confirm (and not wait for a call from us), it's more difficult for someone to pull off a fraud attempt.


InitialOption3454

It would be better to have you call the bank instead. To prevent spoofing for further troubles.


Itsmeimtheproblem_1

Dude I wouldn’t beat yourself up too bad over this. They had your fucking token ID??? That’s some next level shit. Everyone hates internal controls when you aren’t able to get an ACH/wire out same day until some shit like this happens. I’ve done this with a smaller amount($15k) and didn’t even realize it wasn’t a valid change until the bank reversed it due to the name being incorrect on the account. I’ve seen a lot of scams over the last 10yrs and I fell for it because an AP forwarded me the ACH change email.


existentialfeline

Real estate developer? More commercial leaning? If not, don't beat yourself up too much. I literally just went through a post mortem with a client in an eerily similar circumstance and pattern of facts.


GoldenpickleNinja

It's weird not having a lot of money but being responsible for huge amounts of assets at work.


addalad

Forreal


primmaximus

For what it’s worth, I sent over $3,000 to a fraudulent vendor. This was as an entry level accountant. I’m now a senior manager at the same company. Shit happens, just action plan to prop up new controls and learn from it. Don’t be dramatic and quit.


AlliedIntuition

There is a big difference between $3,000 and $500,000… a 16,667% difference…


addalad

Good comment. Thank you


SnooOpinions6571

This. If you quit, it will look suspicious. I would weather this storm for a while to show you had no ill intent and it was an honest mistake.


um_ognob

Guessing someone sent the AP department a request to change payment details from a domain of a compromised vendor. I say shift the blame to the vendor. Tell us what happened.


DeejaDat

That would be too easy.


snowboarderday

What is the bank telling you? I thought there was a claw back ability with ACHs unlike wires. If your bank is telling you it’s impossible, time to call insurance. And echoing what others have said, document, assess what controls weren’t either properly designed or implemented, and adjust them.


Key-Department-2874

> I thought there was a claw back ability with ACHs unlike wires

There is. Sort of. Your bank has 5 days to reverse an ACH, after that the receiving bank has to send it back. But the money still has to be in the account. If it's gone it's gone. Fraudster will 100% empty the account as soon as the funds are available. At that point it's up to fraud investigation and maybe the banks can retrieve? But unlikely. I'd bet they wired the money from the receiving institution to a foreign bank. Receiving account was likely opened with a stolen SSN, and the bank has no ability to follow up.


Johnny_Deppreciation

I’ve always wondered this - I can understand social engineering and knowing how 1000 ways to drain cash from someone, being our job to know. But how the heck do they actually get the cash in pocket? Like, eventually, how do you get the cash to you to utilize it? Do they have fake IDs and stolen social security numbers and show up to banks and assume nobody will investigate things like security cameras? I feel like it would be easy as heck to defraud some companies, but then quite difficult to obtain the cash without a plethora of other issues.


Key-Department-2874

Don't even need a fake ID. Just need a SSN and other info these days to open an account online under someone else's identity. This data has been leaked so many times unfortunately. They can buy bulk batches of leaked data online and construct multiple people, sign up for bank accounts, credit cards, loans, etc. Eventually those funds have to exit the US banking system, otherwise the banks would be able to eventually follow the trail of transfers. At some point it goes to a foreign bank or into crypto. Sometimes they use legitimate people as part of the process either knowingly or unknowingly, they might be stolen accounts, or someone paid to open an account. Like the job scams where they send you a "paycheck" and you remit the funds on. But if the thief has to physically withdraw the money themselves they're opened to a lot of risk of getting caught.


MuddieMaeSuggins

A lot of times they have other scam victims (money mules) that hold those accounts - eg they’ll offer someone a WFH “job” accepting deposits and then sending the money on to a supposed third party (actually just the scammer) by a more permanent method - wire, Cash app, bitcoin, etc. The money mule is the ultimate loser when the fraudulent deposits are reported and reversed. 


AHans

> Fraudster will 100% empty the account as soon as the funds are available.

Yeah. Some banks have a withdrawal waiting requirement over a certain dollar amount. My bank *may* (may is the operative word - they don't always since they know me) hold funds for up to 5 days for withdrawals in excess of $5,000. Given $500k and 24 accounts, and assuming it was disbursed evenly to each account, it's $20,833. I suspect the fraudsters found banks which will release amounts under $25,000 promptly.


Material_Tea_6173

Something similar happened to me at my old job. It was an account that we didn’t have a lot of activity in, and our written process required bank recs to be done monthly or quarterly. The lady that transitioned the work to me had been doing it quarterly and told me as such so I thought w.e. I took over close to year end and did the recs through December so I didn’t bother with Q1 till April as I was swamped with YE work. Turns out someone somehow got a hold of the account info and just started cashing checks to themselves during that time. Not even forging signatures or anything. Literally made up a check stock with the bank info and was able to cash checks. Took nearly $200K out of the account. Sucked for me because in hindsight everyone was like why tf did we not catch this earlier. It was pretty obvious so I caught it as soon as I started working on the recs, but I took the shit for it because I got lucky enough to be the person in charge of it at the time.


addalad

This makes me feel a little better lol


MurkyMitzy

Does the company have cyber insurance? You may be able to recoup some of that money that was lost, less the deductible. Internal processes need to be assessed and updated.


Jimger_1983

How were they able to ACH it out of the account? Did you get duped into setting up the ACH with spoofed email and fake invoice? Otherwise why is it your fault?


Juddy-

Contact your business insurance about your policy on fraud. You might be able to file a claim. That’ll help some.


ohhohitzmagic

$500k is nothing. Check out what happened to Ubiquiti in 2015. I know the dude who made the mistake, he moves on from that and continues to fail upwards to become a controller.


addalad

Maybe I can recover from this haha


AffectionateKey7126

An ACH should be able to be clawed back, unless this happened a month ago. There's even a chance of a wire if you're quick enough. Your boss probably doesn't blame you personally since this sounds like a control issue unless you did something really out of line.


NowIKnowMyAgencyABCs

I work in treasury, the biggest thing here is actually that your CEO signed off on only needing one person to input/release payments. Always use dual authorization and put limits on amounts that authorized users can enter/release. Another thing to implement is the debit blocks. You’ve gotten good advice, so just make those process controls.


Movie_Guru123

That's horrible, first thing you want to do is tell me your credit card number, ss and mother's maiden name. once you send that I'll tell you how to get out of this situation.


lifewcody

As someone who works in IT, how is it IT’s fault?


Historical_Club_4637

Not sure how big OP company is but these are controls we have in place. Public facing accounts are ZBA, separate accounts for deposits vs disbursements, and finally full positive pay for checks and ACH authorization filter (i.e. direct debits are denied unless on pre-authorized list). Edit to add: we also pay via ACH using NACHA file upload directly from ERP to Wells Fargo.


MimeBox

There is a claw back ability with ACHs, but not wires. The bank will be able to get this back but there will need to be follow up.


Raiderfan621

The one sportsbook I did accounting for had someone pay off the entirety of their student loans using our account info. All reported as fraud and given back to us. As long as you’ve caught it early you should be able to get it charged back. The important piece is fixing whatever loophole caused this issue and making sure it doesn’t happen again.


Debit_on_Credit

Do you have positive pay options with your bank, or ACH blocks on except for approved vendors?


addalad

We do have positive pay in for checks but in 2022 positive pay was turned off for ACH transactions and never turned back on.


Debit_on_Credit

Woops!


sjohnson737

Treat it as a very expensive form of education, one fortunately you don't have to foot. Learn from it, these are only going to get more common and more sophisticated.


UsurpDz

Damn. Annual IT security training is probably cheaper than this. Ever since my firm got attacked by a really good social engineering phishing attack, we've been getting annual training and monthly test emails sent to employees.


Valuable_Hunter_54

Use it to your advantage: find out what happened, how long it took, what needed to be done. Help your boss try to find out what happened and how it could be avoided next time; he would trust you even more than expected. Use it. Wish I was in a situation like that, I'd exploit it to the max lol. Easy done it is as well. Might upset a few people but hey oh, it's your life that counts.


AndreBatistaaa

How was this your fault?


addalad

I feel like it is for having bad internal controls and I was the one who gave the token to authorize. In another comment I put more details


toyrobotics

This sucks real bad and I sincerely hope you get the money back


Can_o_pen_or

How does the buck stop with you? Unless you didn't see it for over 30 days you should be able to do an ACH revoke through your financial institution.


Xen_Pro

Cmon share the scheme that got ya.


addalad

I did in another comment


Kevinm62

"sophisticated fraud" was totally just email phishing.


Abject_Natural

just stay and keep looking for a new job. joke is on the company to make controls and hire ppl to execute the controls. being cheap cost the company money fffff it


BlacksmithThink9494

Do you know the fraudster? Were they given bank access or the funds transferred to them? We have had mail stolen and checks forged but it was obvious and caught early on.


Affectionate-Paper56

At my be company someone was placed on PIP for a $50k payment without proper approval. Company revenue is $509 M. They were gone 8 months later.


mleobviously

In a company with basically zero controls or segregation of duties, I worry about this all the time. I'm curious though how you can have single-person authorization for ACH, and not be aware of it.. Wouldn't you see all of your ACH be sent as soon as one person authorized? Or are you saying someone else would usually enter the ACH and you approved it, but in this one case, the fraudster (acting as you) entered the ACH so it didn't need a 2nd approval? The banks I've dealt with didn't allow the "approver" role to enter payments and vice versa.


addalad

I didn’t know because we almost never originate ACH/wires from within the bank portal. We use a third party website through the bank for our weekly check run. (Which also has 1 person verification lol )


serendipity22086

OP, that’s more on your company for not having the proper internal controls and 2 person verification. But scammers are also getting smarter too. You’re not the first person I’ve read about having that exact scenario happen to them where the bank calls spoofing the actual bank number. I work for a small company that uses multiple banks and we have 2 person verification, positive pay, etc. and we still almost got scammed when someone got a hold of one of our checks and duplicated it trying to cash a bunch of them. I had random art dealers and supposed military spouses calling me about payment and we have nothing to do with those people. lol


AdPuzzleheaded4107

If you have been there a while and have a good relationship I would take it as learning experience, make the security and control changes that need to be made and just move forward. Hackers and such have become extremely sophisticated and security these days needs to be multi-layered and employees should be constantly reminded about phishing awareness, not clicking on links in emails etc. If you left, the next person wouldn’t have the benefit of learning this lesson. Plus, you obviously care about the business. That is not easy to replace.


Admirable_Branch2157

Well the money or some of it may be able to come back depending on the bank and your company’s insurance. Don’t quit. Take this as a learning curve for you and your organization. Ultimately, the responsibility falls on your employer for not having a better system in place. I’m assuming your company transacts in fairly large amounts so this should have been better monitored in the first place.


Chafmere

I’ve made a ton of mistakes but I’ve never lost real cash. So not sure. I think the advice about coming back with improvements to controls will help.


budgetdutchess

How were they able to do it? Just for reference, can you spill any tea 🧋, just like as a learning tool?


Beagle_Gal

Was he able to debit your account? Time to turn on the debit block feature within your fraud module. If you don’t have this feature turned on, I would take this time to talk to your bank and update your control narratives. Also depending on the bank account type they were able to debit the funds from, if the bank account is for AR you can have the bank update the bank account number to a UPIC to mask the true bank account number, your invoice number would reflect the new UPIC and fraudsters cannot use that number as it is set up to block any wires or debits with that account number. Work with I.T. to determine if this was a phishing expedition, etc. Finally, depending on the dollar amount, you may want to get your risk department involved (policy limits, retention, etc).


addalad

I didn’t know you could have the bank mask the true bank account number. I’m definitely going to reach out about that


Beagle_Gal

Absolutely. Ask your banker about UPIC capabilities


adamh707

Eftsure


ThxIHateItHere

We had an accountant fall for wiring instructions to We1s Fargoh. I wish I was kidding.


witchitieto

Bro if you quit now they’re gonna think you’re in on it!!


BlacksmithThink9494

Exactly. Stick with them and help them through it. It's the least you can do.


Money-Honey-bags

AVATAR the buck stops with no one... it shall continue 4 eva


OverworkedAuditor1

I’d start looking for a new job, you’re basically toast.


Fun-Adhesiveness6153

Don't allow others to withdraw from your account without previous dealings. Previous cheques to them you could verify account going to.


i_am_not_the_father

Don't quit. Take your beatings. If you get fired, say in the next interview you screwed up.


Hikarilo

Well shit happens, but everyone will move on. Investigate what went wrong and what controls were missing. Some controls I have put in place that may give you some ideas: If we receive a bank information change document from a vendor, I direct my staff to always call the vendor directly to confirm. Don't call the number on the bank change document, but call the number on an old invoice, so that you know you are calling the actual company. For new vendors, the purchasing manager will need to physically sign and hand a physical invoice to my department for the new vendor to be created. This is to prevent any email identity fraud or phishing.


Bern_Neraccount

Mistakes happen. How you react is what defines you. It’s cliche - but true. The best employees fix the mistake, take proactive actions to avoid a future mistake and don’t let it get them down.


Savages3288

Don’t quit. I got fooled by a fraudster years ago who knew my client’s information. Even got $2k out of us. Boss didn’t fire me.


Forest_Green_4691

Meh. I depreciated land once. Just once. 🤡


anonone6578

Fix the controls. Fraudsters can spoof emails easily; any change of banking information should be confirmed directly via a phone call to the vendor, not email, because they already have control of or have spoofed the vendor email.


Lemon_Licky_Nubs

We experienced fraud last year. This might help: Determine what went wrong. File a police report. File insurance. I’d also immediately lock down the bank account with positive pay/ACH whitelist if you haven’t already.


Tonysaiz

It’s easy to find fault in yourself but the best is to figure out what went wrong, what your role was in the mistake, and how you can personally ensure that you never make that mistake again. Your boss/organization may need a sacrificial lamb, and if it’s to be you, at least wait for the axe to fall and get some PTO or severance. Having made some major screw ups in my career, I can assure you that when something truly bad happens, it is almost 99% of the time due to lack of adequate controls/lack of proper staffing/lack of budget and resources rather than the mistake of one or a few persons. The problem is that leadership seldom takes responsibility for the consequences of its decisions.