When a Company Is Duped Into Paying a US$21-Million Fake Invoice

You would think that South Korea’s largest petrochemical company, LG Chem, has a smooth-running accounts payable process in place, and it may very well have one. After all, it is a conglomerate with US$24 billion in annual revenue that ranks No. 13 among the world’s biggest chemical groups by sales.

But in a reminder that fraudsters can con even the world’s giant enterprises, LG Chem made a US$21-million wire payment in April to the bank account of a party claiming to be Saudi Aramco Products Trading – but wasn’t. “We have requested an investigation by prosecutors,” a spokesman for LG Chem said.


Such fraudulent emails seem to be getting common in Asia. Last year, says the CFO of a global commodities trader in Singapore, “I saw some three to four instances of emails with my CEO signature asking to remit money to some other accounts. Fortunately we did not remit, because there were some doubts.”

“You receive invoices in very nice emails from something like ‘Exxonmobile.com,’” says Felix Wang, General Manager for Finance and Administration at Japan’s Itochu Plastics in Singapore. The ‘e’ at the end of the email address should raise a red flag (the company name is ExxonMobil), but the discrepancy could be very easily overlooked.

If the invoice date is not the same as the due date, “we automatically suspect that something is wrong,” Wang continues. “The most dangerous times are when [the invoice date and the due date] just happen to coincide.”

Expensive mistake

The two finance leaders were participants in a CFO Innovation roundtable discussion earlier this year, where other finance executives echoed their experience. But no one at the roundtable said that their AP team was deceived – unlike LG Chem.

According to the Korean company, it received an email from a long-standing supplier, Saudi Aramco Products Trading, a unit of the Saudi national oil company, informing LG Chem of a bank account change. The email contained the correct particulars of a shipment of naphtha in the second half of March, including the amount due (24 billion won).

It is unclear whether the change in the bank account after so many years raised a red flag with LG Chem finance staff or if they confirmed the veracity of the email with Saudi Aramco before wiring the payment. What is known is that the payment was made to the new account, which was later discovered to be not owned by the supplier.

Interestingly, Saudi Aramco Products Trading itself had been a target of a similar scam last year. In October, the Saudi national oil company disclosed that the trading unit received a fraudulent invoice for US$30 million purportedly from Indian state-run company Oil and Natural Gas Corp., which had supplied it with naphtha.

“The attempted fraud has been foiled and did not have any financial impact on either the two companies or on trading relations between them,” Saudi Aramco said in a brief statement, apparently in response to media claims in India that the trading company had been duped into actually making a payment.        

Duty of care

For LG Chem, the 2015 incident raises the possibility that Saudi Aramco Products Trading’s email system may have been compromised. If this proves true, the company has indicated that it may consider legal action against the naphtha supplier – presumably on the ground that a lack of duty of care enabled the fraudster to make the fake email seem credible.

This possibility raises the stakes both for companies that receive fraudulent invoices and the suppliers that purportedly sent them. Most companies that receive scam invoices via email probably just bin them. The company whose name was used to send the fake invoice may not care either. But reporting the suspicious email to the authorities and the company that supposedly sent it demonstrates duty of care – and potentially a legal defense in a lawsuit. 


One organization that takes the issue very seriously is IATA, the International Air Transport Association. It has issued a 19-page document, “Warning: Fraudulent Emails,” that it urges users of IATA products and services to disseminate far and wide. IATA asks its partners to report suspicious or potentially fraudulent email purportedly from it to a dedicated IATA email account, [email protected]

“We recommend that you also contact your local law enforcement authority immediately,” says the organization, naming Action Fraud in the UK, IC3 in the US and the Canadian Anti-Fraud Centre. In Asia, the enforcement agencies to contact include the Cyber Security and Technology Crime Bureau in Hong Kong, the Suspicious Transaction Reporting Office of the Singapore Police Force, and the Malaysian Communications and Multimedia Commission.

Organizations may not report actual or attempted fraud because they are embarrassed to admit they were duped or because the email was binned and no harm was done. But forwarding the fraudulent email and attachments to police and other authorities can be done anonymously. More importantly, the larger the trove of information the authorities have, the higher the chances of catching the perpetrators – and the more useful the insights mined from the aggregated information.

Educating the AP team

Forewarned is forearmed, as the old chestnut goes, so educating the Accounts Payable team on how to recognize red flags and what to do with suspicious email should be a regular exercise. Some action steps:

Take extra care with email that contains new instructions. A potential red flag would be a request to remit payment to a new bank account, as with the LG Chem case. Or an alert about “an update in vendor account information,” with a request to reply to the email or call a number provided to get the update.

Train your AP team to never do that. To confirm the new instructions, tell them to use the contact details on file or in previous valid invoices. It is helpful to ask the supplier to fill in and sign a form for amending payment information.

IATA recommends implementing a check-and-countercheck policy on any request to change existing payee bank arrangements or to set up a new payee account, which will require approval by a senior officer to put into effect.

Do not be complacent. Some in finance may believe their company is too small for fraudsters to bother targeting or so large that scammers won’t even try. Wrong. “In truth, businesses around the world lose millions each year,” says IATA. “Many organizations aren’t even aware that they have fallen victim to fraud.”

CFOs should be extra careful when there is high turnover or staffing changes in the AP team. Part-time or temporary processors have a higher risk of making mistakes. Complacency can also set in when the supplier is well known to the AP team and their invoices are given only cursory inspection, if at all.      

Do not panic. “Often these fraudsters will use threatening language in order to get you to pay into their account as soon as possible,” notes IATA. Phrases such as “Urgent: overdue payment” and “legal action” are meant to stampede AP into making payment as soon as possible.

An inexperienced or new employee may make a knee-jerk response, particularly if the amount is small. Or an overworked AP team may settle routine bills without verifying them, just to get things out of the way. Not a good idea. Once successful, the fraudsters refine their scam until something like LG Chem’s US$21-million loss happens.


Educate the AP team on scamming methods. Tech-savvy fraudsters can make emails and invoices appear genuine, on the surface, but there are tell-tale signs to look out for. For example, the “From” line may contain the correct domain address, but the “mailto” portion in brackets may identify another domain (see below).

[Figure: Don’t be fooled – sample fraudulent email showing the domain in the “From” line versus the real sending address. Source: IATA]
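The tell-tale signs just described (a “From” display name advertising one domain while the real address sits in another, a look-alike domain with a stray letter, payee-change wording and urgency phrases) as an added screening check in Python. This is illustrative code, not from the article or from IATA; the vendor domain allowlist and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist of sender domains AP has on file, plus wording the text ties to payee changes and pressure tactics.
TRUSTED_DOMAINS = {"exxonmobil.example", "aramcotrading.example"}
CHANGE_WORDS = ("new bank account", "bank account change", "update in vendor account")
PRESSURE_WORDS = ("urgent", "overdue payment", "legal action")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches 'exxonmobile' vs 'exxonmobil'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the red flags found in one message; an empty list means none were seen."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    actual = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    flags = []
    # 1. The visible name shows one domain while the real address sits in another.
    shown = re.findall(r"[\w.-]+\.[a-z]{2,}", display.lower())
    if shown and actual not in shown:
        flags.append("display-name-domain-mismatch")
    # 2. Sender domain not on file; a near-miss of a trusted domain is called out separately.
    if actual not in trusted:
        near = [t for t in trusted if edit_distance(actual, t) <= 2]
        flags.append("lookalike-domain" if near else "untrusted-domain")
    # 3. Content re-routes payment or leans on urgency to short-cut verification.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(w in text for w in CHANGE_WORDS):
        flags.append("payee-change-request")
    if any(w in text for w in PRESSURE_WORDS):
        flags.append("pressure-language")
    return flags

# Constructed messages modelled on the tell-tale signs above; not real mail.
SAMPLE_MISMATCH = (
    'From: "accounts@exxonmobil.example" <billing@freemail-host.example>\n'
    "Subject: Urgent: overdue payment - new bank account details\n\n"
    "Please remit the March invoice to our new bank account listed below.\n"
)
SAMPLE_LOOKALIKE = ("From: ExxonMobil Accounts <ar@exxonmobile.example>\n"
                    "Subject: Invoice 4471\n\nInvoice attached, due on receipt.\n")
SAMPLE_CLEAN = SAMPLE_LOOKALIKE.replace("exxonmobile", "exxonmobil")
```

Any non-empty result is a reason to verify the request through contact details already on file, not through the email itself.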

IATA suggests circulating information about fraudulent emails received by anyone in the company. “The more people are made aware of fraudulent attacks, the less susceptible they are,” it says. The organization also advises blocking the sender across the company’s email system.

For the AP team, learning about the experience of other companies is also instructive. If the organization happens to deal with LG Chem and Saudi Aramco Products Trading, for example, they should be more alert when invoices come in from those two entities. Local enforcement agencies and industry groups have also set up websites that highlight cybercrime case studies, which could serve as training and early-warning resources for AP teams.

When insiders attack

What if it’s an inside job? That presents a far more complicated picture. AP may be more likely to make payment because the fraudulent email and invoice would appear to be really genuine, and the insiders may be able to subvert the system of checks and counterchecks. The amounts involved are likely to be significant too – there is no point for insiders to commit a crime for small change.

The first line of defense is a set of systems and procedures to authorize purchases, pay invoices and review expenditures. Most, if not all, companies would have such a system in place, but loopholes in system design and implementation, and lax oversight, can tempt insiders to participate in a scam. Even if no insiders are involved, an inadequate payables system could be vulnerable to email and other fraud.

KK Tung, Sales Director for Lexmark Enterprise Software, says technology can help (he was also a participant in the CFO Innovation roundtable discussion).


“Once you have built the business requirements and the business checks onto the system, you cannot get away from them,” he says. “Nobody can say, ‘Let’s skip this step,’ because it is incorporated into the business rules and flow. So if the steps are not done, no payment can go out. Technology can give you that kind of security and safety to make sure that fraud or risk is minimized.”

Tung concedes that there is no such thing as 100% security. “We have a lot of smart people in this world, and one way or another, they will try to cheat the system, especially when it is an inside job.”

But technology solutions could provide a comprehensive audit trail to let the company see who did what and when. “Whoever touches the system is captured in the system,” Tung says. “All this is already available in whatever solutions that you go after.” That may deter insiders from attempting fraud and prevent unsuspecting staff from paying fake invoices.

We don’t know, at this point, if LG Chem has an automated system – or exactly how the AP team was duped into paying the fraudulent invoice and whether insiders were involved. There will be more lessons for CFOs and the AP team when the details finally surface.

About the Author

Cesar Bacani is Editor-in-Chief of CFO Innovation.
