Johannesburg - Many South African companies have been hit by electronic funds transfer (EFT) fraud in recent months and while banks are often blamed, the companies themselves enable corrupt employees to commit the crime with amazing ease.
EFT fraud is the illegal transferring of funds from one bank account to another.
Steven Powell, Head of the Forensics Division at Edward Nathan Sonnenbergs (ENS), says EFT fraud is one of the greatest risks faced in South Africa today.
So, how does EFT fraud generally happen with such apparent ease?
Most times it occurs when a corrupt employee is responsible for loading payment details onto the banking payment system and, instead of adding the correct details, they add alternative banking details resulting in the money being paid into an incorrect account.
With electronic banking, the name of the account or person is not relevant, as the banking system focuses on the actual bank account number and branch details.
This means that a corrupt employee could keep the correct supplier's name, ensuring that no one picks up on a different supplier name, but change the bank account details and pay themselves instead.
Corrupt employees receive an invoice via email which they then alter by erasing the correct account details and replacing them with their own, Powell says.
"They then rescan the document and forward this to the accounts department who are none the wiser."
"With technology helping to speed up processes in the office, it is easier to simply email invoices and, while this makes sense in an ideal world, it makes it even more imperative that companies have stricter security systems in place to ensure that no details are altered. Payments should also require sign off from an employee who is on a senior enough level."
A general rule within companies should be that should any supplier or client change their banking details, an original letterhead should be sent to their senior accounts employee who can verify this with the supplier or client and then make the necessary change.
No changes should be accepted or implemented if only an electronic notification is received.
Database clean-up
Companies should also mandate internal audits, in conjunction with their IT department, to audit any changes made to the banking system. "This should happen at least once a quarter," Powell says.
IT software service providers should be consulted to ensure that there is a clear audit trail identifying users who have implemented those changes. The amendments must then be verified with the service provider and bank in question.
Banks are often reluctant to disclose account holder information; however, wherever bank account details have been altered, companies should insist on confirmation that the name of the account holder on their system matches the bank account number.
An additional control measure is a clean-up of the vendor database.
All duplicated vendors should be removed from the system as duplicates are often manipulated for fraudulent purposes.
"However," Powell says, "before removing duplicate vendors, stringent checks should be performed on them to ensure that there is no link to staff members and that no previous fraud has taken place."
Password abuse
"Our experience has shown that password abuse amongst finance officials in the finance team is often alarming," explains Powell.
Typically, access to payment systems is restricted to staff in the finance department and EFT payment clerks are usually authorised to capture payments to suppliers who are registered as vendors on the company's system.
Then another official, typically an accountant in the finance section, will have the power to authorise the captured payments done by the clerk. Once the release takes place, the transaction is automatically uploaded into the banking institution's system and the payment process is then initiated.
A useful safety control to be considered here is to have a secondary authorisation required before any payment can be released.
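The controls described above (a bank-detail change that only takes effect after a senior employee verifies it against an original letterhead, an audit trail of who changed what, a duplicate-vendor sweep, and a capture / authorise / secondary-release chain performed by three different people) can be expressed as a small vendor-master and payment workflow. The following is an added illustration, not code from the article or from ENS; all vendor names, account numbers, branch codes and user names are constructed, and the class and method names are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class ControlViolation(Exception):
    """Raised when an action would bypass one of the anti-fraud controls."""


@dataclass
class Vendor:
    vendor_id: str
    name: str
    account_number: str
    branch_code: str


class VendorMaster:
    """Vendor master file: bank-detail changes are staged, verified by a second
    person against an original letterhead, and only then applied. Every step
    is written to an audit log so IT/internal audit can review who did what."""

    def __init__(self) -> None:
        self.vendors: Dict[str, Vendor] = {}
        self.pending: Dict[str, dict] = {}      # vendor_id -> staged change
        self.audit_log: List[str] = []          # constructed, append-only trail

    def add_vendor(self, vendor: Vendor) -> None:
        self.vendors[vendor.vendor_id] = vendor
        self.audit_log.append(f"ADD {vendor.vendor_id} acct={vendor.account_number}")

    def request_bank_change(self, vendor_id: str, new_account: str,
                            new_branch: str, requested_by: str) -> None:
        # The request is recorded but does NOT alter the live record yet.
        self.pending[vendor_id] = {"account": new_account, "branch": new_branch,
                                   "requested_by": requested_by, "verified_by": None}
        self.audit_log.append(f"CHANGE-REQUEST {vendor_id} by {requested_by} acct={new_account}")

    def verify_bank_change(self, vendor_id: str, verifier: str,
                           confirmed_on_letterhead: bool) -> None:
        change = self.pending[vendor_id]
        if verifier == change["requested_by"]:
            raise ControlViolation("requester may not verify their own change")
        if not confirmed_on_letterhead:
            raise ControlViolation("electronic notification alone is not accepted")
        change["verified_by"] = verifier
        self.audit_log.append(f"CHANGE-VERIFIED {vendor_id} by {verifier}")

    def apply_bank_change(self, vendor_id: str) -> None:
        change = self.pending[vendor_id]
        if change["verified_by"] is None:
            raise ControlViolation("bank details may not change without verification")
        v = self.vendors[vendor_id]
        v.account_number, v.branch_code = change["account"], change["branch"]
        del self.pending[vendor_id]
        self.audit_log.append(f"CHANGE-APPLIED {vendor_id} acct={v.account_number}")

    def find_duplicates(self) -> List[Tuple[str, ...]]:
        """Flag vendors sharing an account/branch pair or a normalised name;
        these are reviewed (for staff links, prior fraud) before removal."""
        by_account, by_name = defaultdict(list), defaultdict(list)
        for v in self.vendors.values():
            by_account[(v.account_number, v.branch_code)].append(v.vendor_id)
            by_name[" ".join(v.name.lower().split())].append(v.vendor_id)
        groups = list(by_account.values()) + list(by_name.values())
        return sorted({tuple(sorted(g)) for g in groups if len(g) > 1})


@dataclass
class Payment:
    payment_id: str
    vendor_id: str
    amount: float
    captured_by: str
    authorised_by: Optional[str] = None
    released_by: Optional[str] = None


class PaymentSystem:
    """Capture by a clerk, authorise by an accountant, secondary release by a
    third person; each role must be a distinct user."""

    def __init__(self, master: VendorMaster) -> None:
        self.master = master
        self.payments: Dict[str, Payment] = {}

    def capture(self, payment_id: str, vendor_id: str, amount: float, clerk: str) -> None:
        if vendor_id not in self.master.vendors:
            raise ControlViolation("payments only to registered vendors")
        self.payments[payment_id] = Payment(payment_id, vendor_id, amount, clerk)

    def authorise(self, payment_id: str, accountant: str) -> None:
        p = self.payments[payment_id]
        if accountant == p.captured_by:
            raise ControlViolation("capturer may not authorise their own payment")
        p.authorised_by = accountant

    def release(self, payment_id: str, senior: str) -> Payment:
        p = self.payments[payment_id]
        if p.authorised_by is None:
            raise ControlViolation("payment has not been authorised")
        if senior in (p.captured_by, p.authorised_by):
            raise ControlViolation("secondary authoriser must be a third person")
        if p.vendor_id in self.master.pending:
            raise ControlViolation("vendor has an unverified bank-detail change")
        p.released_by = senior
        return p
```

Sharing a password, as the article goes on to describe, defeats the `release` check entirely: the system would see three distinct user names while one person performs all three steps, which is why the audit trail must be reviewed against who was actually at work, not only against which accounts were used.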
"In our forensic investigations," Powell says, "we have found in the majority of cases under examination, that staff in the finance team shared their passwords with fellow team members. This means that any one of the two or three employees empowered to process transactions is able to transact while the other colleague is out of office."
This is a disturbing trend which renders the anti-fraud control null and void as there is no control over how many people are able to access funds.
"It is shockingly naïve for finance officials to allow this simply because the individuals in that section trust each other and do not want to incur the wrath of disgruntled service providers as a result of delayed payments."
The unauthorised sharing of passwords should therefore be a dismissible offence, he thinks.
- Fin24.com