Keeping clients' computers safe and profitable for over 30 years
Emailing Instructions for Check Writing

Preview: Many organizations have a President or other manager email a bookkeeper to write a check to someone. This is no longer a safe practice. Miscreants are sending bookkeepers emails and attached invoices that seem real. What is the proper policy?

One of my clients volunteers as treasurer for a non-profit organization. She recently received an email from the President telling her to write a check to a lawyer in Texas. She did. As it turned out, it wasn't from the President. This small but national charitable organization didn't have a policy for writing checks. The President would simply email the treasurer to write the check and the treasurer would do it. Nearly $4,000 was cashed before the problem was discovered.

We are used to the normal email scams (phishing attacks) that we get all the time. Those are mass email scams. This kind of attack is called a spear phishing attack: the criminal researches the organization and tailors an attack directly at that organization. This was the domain of larger companies, but clearly, it has worked its way down to much smaller organizations. My guess is that competent criminals on the dark web have a database of organization size, CEO or President, and Treasurer or CFO. They will sell a thousand organizations for a few hundred dollars. They may even include an option to send out the emails. All the buyer has to do is write the email, provide the address for sending the checks and then collect the money that comes in. Of course, they are taking the major risk.
This is called phishing as a service. I wrote about it in November 2022. The result of this economic breakthrough is that we will be inundated with more, better and sneakier phishing attacks and must be extremely vigilant.
There Must Be a Check Writing Policy

Email accounts are too easily hijacked. Websites often contain the names and addresses of presidents and treasurers, and even the activities they are planning. It is easy enough for a miscreant to write an email, apparently from the President, asking for a check for something that sounds entirely legitimate. The attached invoice could also contain malware that takes over the treasurer's or bookkeeper's computer. If the email account of the President (or CEO or other official) has been hacked, the email could even be sent from that account. Simply because an email comes from the President's account doesn't mean it is legitimate.

This is an issue for any company where people send emails to someone who can write checks. If you have a bookkeeper or accountant, whether an employee or a volunteer, working for the company or not, you are at risk and so is the person writing the check.

A Policy Recommendation

Take this policy as a starting point and adapt it to your needs.