Today’s topic: The 5 Ps of payment security.
I was reading The Times this morning, where I came across an article about the risks of financial jeopardy to businesses following payment scams. We covered this issue a few years back, but people are still falling victim to it, so it is worth a quick run through the key points. In essence, the article covered businesses that had lost some or all of their working capital to a financial scam and were struggling to rectify it due to the more stringent requirements of banks in the current economic climate. So, just so we have the main bases covered, here goes:
Never trust email.
It is not as secure as you think, and even if the email comes from a source that you know, you cannot tell whether their email has somehow been compromised. This is a surprisingly regular occurrence. If someone requests something out of character (or even if it’s in character, but acting on it could jeopardise the business if it turned out to be a scam), lift the phone, call the person on a known number and wish them a happy Christmas. Then, slip into the conversation a confirmation of the requested action. If it’s January and the Happy Christmas excuse doesn’t work, use it as an excuse to have a quick catch-up.
Don’t trust post either.
We have seen an increase in people falling back to letters at times, and most assume that because something arrives on headed paper, it must be legit. Unfortunately, it is so easy to create headed paper using web images that you cannot rely on it. Follow the same process, no matter how red the ink on the letter is. It’s easy to assume all security is digital security, but you need to ensure that these older methods don’t get a bye-ball, including fax. A fax shouldn’t get a pass just because it was the only one you received in the last 12 months.
Resist, resist, and resist any injection of urgency as best you can.
There is no better indicator of a scam than an artificial sense of urgency. Set up a process that takes an amount of time an ordinary, reasonable individual would be happy with, and make sure everything goes through that process, no matter what. The urgent payment is the bane of your payment security. If you routinely find yourself approving emergency payments, you need to address the issue with the people or processes causing that emergency culture and stress the need for a proper procedure. This is harder than it should be, given that certain industries are still dealing with supply issues, but to the extent that you can, impress on the purchasing team that this is a genuine issue and that emergency payments need to be reduced to a bare minimum.
What might a process look like?
This is quite simple in most cases.
Independently verify. If the supplier has asked for a change of details, lift the phone and call someone already known at the company on a known number and verify that their bank details have changed.
If this is a new supplier (more common now due to supply issues), look them up on the internet (not using any links sent in their email), call their front desk and ask to be put through to accounts as you have a query. Ask the person in accounts to confirm the bank account. If they have any issues giving their bank details to some randomer over the phone, you could email your new friend a copy of your request so they can verify it.
Have a form or process where you can record who you spoke to and when, so that the verification is more likely to be completed. Use Microsoft Forms in your Teams application, although any written process will suffice.
This is not a guarantee, but it will catch most payment issues. One story I read described the heartfelt shame and terror felt by one woman as she realised that the business was likely to close and 50 people could lose their jobs. So make sure you have your process in place.