OCS banner and logo
Keeping clients' computers safe and profitable for over 30 years

Home Forms About Current Newsletter subscribe 
Search All Articles

Browse by Category

powered by pmc2m


Emailing Instructions for Check Writing


Many organizations have a President or other manager email a bookkeeper to write a check to someone. This is no longer a safe practice. Miscreants are sending bookkeepers emails and attached invoices that seem real. What is the proper policy?

One of my clients volunteers as treasurer for a non-profit organization. She recently received an email from the President telling her to write a check to a lawyer in Texas. She did. Ends up, it wasn't from the President. This small but national charitable organization didn't have a policy for writing checks. The President would simply email the treasurer to write the check and the treasurer would do it. It was nearly $4,000 that was cashed before a problem was discovered.

We are used to the normal email scams (phishing attacks), we get all the time. These are mass email scams. But this kind of attack is called a spear phishing attack. The criminal researches the organization and tailors an attack directly at that organization. This was the domain of larger companies, but clearly, it has worked its way down to much smaller organizations. My guess is that competent criminals on the dark web have a database of organization size, CEO or President, and Treasurer or CFO. They will sell a thousand organizations for a few hundred dollars. They may even include an option to send out the emails. All the buyer has to do is write the email, provide the address for sending the checks and then collect the money that comes in. Of course they are taking the major risk.

This is called phishing as a service. I wrote about it in November 2022. The result of this economic breakthrough is that we will be inundated with more, better and sneakier phishing attacks and must be extremely vigilant.

There Must Be a Check Writing Policy

Email accounts are too easily hijacked. Websites often contain the names and addresses of presidents and treasurers and even activities they are planning. It is easy enough for a miscreant to write an email apparently from the President to write a check for something that sounds entirely legitimate. Also, the attached invoice could easily contain malware which could take over the treasurer's or bookkeeper's computer. The email account of the President (or CEO or other official) could even send the email if it was hacked. Simply because it comes from the President's account, doesn't mean it is legitimate.

This is an issue for any company where people are sending emails to someone who can write checks. If you have a bookkeeper or accountant who is an employee, volunteer, working for the company or not, you are at risk and so is the person writing the check.

A Policy Recommendation

Take this policy as a starting point and adapt it to your needs.

If the recipient of a check is not in our system and a normal vendor, then anyone emailing a request for payment will receive a phone call to authenticate the email request. Before that second confirmation is concluded, no email attachment (like an apparent invoice) will be opened and no check written.

You will notice that I recommend that the bookkeeper calls the President, not the other way around. This is a spear phishing attack where the perpetrator has investigated the organization. AI is getting very good at voice simulation. As little as a 3 second sample can allow a voice to be simulated. This tech will only get better. If the spear phisher can fake the email, they can also fake a phone call, and they do. There are many scams where people are called and request money for a friend on vacation or kidnapped or in jail. Soon, phone calls from voice simulations will accompany the email payment request. Only by having the bookkeeper call the known number can they be sure it probably isn't a scam. Simply receiving a voice call will become a potential problem, like clicking on an email link or opening an unknown attachment.

This should not only be a policy for every company, it should also be the policy for every accountant and bookkeeper writing checks for someone else. These phishing attacks are the most frequent attacks we are seeing and they are getting better at scamming people.

Further Reading

  • ArsTechnica article about Microsoft's AI voice simulation

Date: June 2023

Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

  Please direct questions/suggestions about website to the webmaster