Have you read the recent news on how Bol.com paid almost 750 000 euros into a fraudulent bank account over a year ago? In short, they thought they were paying Brabantia, a household goods manufacturer.
If you are not familiar with the story, here it is in a nutshell:
Brabantia, of course, never received the payment, so they took Bol to court. That is when it came out that Bol had fallen for a financial scam.
It all started, as usual, with a legit-looking email
In November 2019, Bol received an email in poorly written Dutch. Nevertheless, the email looked legitimate, as if it had been sent from Brabantia, complete with the company's logo. It asked Bol.com to transfer the outstanding payment to a bank account in Spain.
The Bol employees fell for the trick. No surprises there, as these emails can be very well-crafted and if you have never seen one before, you could become a victim too.
The court thought the scam email was obvious and easy to recognize
Bol tried to get out of paying Brabantia, arguing that a Brabantia employee had fallen for a business email compromise and that Brabantia had not enabled two-factor authentication in its Microsoft Office 365 environment. The story does not tell whether the email was really sent from Brabantia's own mailbox using a stolen username and password, but hopefully it still makes you want to protect your accounts with multi-factor authentication (MFA).
Despite this, the court ruled in favor of Brabantia and ordered Bol to pay the outstanding amount. The reasons were the following:
- The court considered the email an obvious phishing email because of its grammar errors. Previously, all communication between the two companies had been in Dutch, while the scam email was written in a mix of Dutch and English.
- The court found that Bol should have been suspicious of the odd request to transfer money to a Spanish bank account.
How to avoid something like this happening to you?
There are a few tips that you should always remember.
Always be suspicious
Always be suspicious, especially when you are handling large payments. If you have the slightest doubt about the legitimacy of a request, something is probably wrong.
Never accept a payment alone
Always ask for help. Never send out a payment before at least a second pair of eyes has looked at it. In most companies, that "four-eyes" check is an everyday process.
If you are in doubt, ask for help
If even one person is slightly unsure, do not process the payment. Ask for more help within your treasury or finance department, procurement, or even your cybersecurity department.
Your cybersecurity team can tell with high confidence whether the email is genuine or not.
Use a payment hub
Payment hubs come with features that enhance the security of processing payments.
Consider using the following:
- Workflows to manage authorization of different payment flows
- Approval limits for different payment types
- Templates to limit and control releasing of manual payments
Strict processes to update supplier master data
Supplier master data should be correct in the ERP system. It should only be managed by procurement, which should have a strict process in place to validate every requested change (for example, by calling the supplier back on a phone number already on file, never on a number given in the request) before updating master data. Always execute payments according to the registered beneficiary bank account details, never according to details supplied in an invoice or email.
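The controls above (approval workflows, approval limits per payment type, and paying only to the registered beneficiary account) can be enforced mechanically before a payment is released. The following is an added example written for this article; it is not code from the original page, nor from Bol.com, Brabantia or any payment hub. The supplier record, the approval limits, the approver names and the Spanish IBAN in the scam request are constructed sample data, and the IBAN checksum routine follows the standard ISO 13616 mod-97 rule.

```python
"""Payment release check against supplier master data.

Added example, not code from the original article or from Bol.com/Brabantia.
Supplier records, limits and payment requests are constructed sample data.
"""
from dataclasses import dataclass


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 checksum. Catches typos and made-up account numbers,
    but NOT a real account that happens to belong to a scammer."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum() or not s[:2].isalpha():
        return False
    rearranged = s[4:] + s[:4]                                # country + check digits moved to the end
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


# Constructed master data, owned by procurement and only changed through its
# verified change process (callback on a known phone number, etc.).
SUPPLIER_MASTER = {
    "SUP-001": {"name": "Example Household Goods BV", "country": "NL",
                "iban": "NL91ABNA0417164300"},
}

# Constructed approval limits per payment type (EUR). Amounts at or above the
# limit need two distinct approvers; manual payments always need two.
FOUR_EYES_LIMIT = {"supplier_invoice": 10_000, "manual": 0}


@dataclass
class PaymentRequest:
    supplier_id: str
    iban: str                   # beneficiary account as stated on the request
    amount_eur: float
    payment_type: str           # key of FOUR_EYES_LIMIT
    approvers: tuple[str, ...]  # user ids that approved the release


def check_payment(req: PaymentRequest, master=SUPPLIER_MASTER,
                  limits=FOUR_EYES_LIMIT) -> tuple[bool, list[str]]:
    """Return (release_allowed, findings). Any finding blocks the release."""
    findings = []
    supplier = master.get(req.supplier_id)
    if supplier is None:
        findings.append(f"unknown supplier {req.supplier_id}")

    iban = req.iban.replace(" ", "").upper()
    if not iban_is_valid(iban):
        findings.append("IBAN fails checksum")

    if supplier is not None:
        # The Bol case: the invoice/email names a different account than the
        # one procurement registered. Pay the registered account or not at all.
        if iban != supplier["iban"]:
            findings.append("beneficiary IBAN differs from registered master data")
        if iban[:2] != supplier["country"]:
            findings.append(f"IBAN country {iban[:2]} differs from "
                            f"supplier country {supplier['country']}")

    limit = limits.get(req.payment_type)
    if limit is None:
        findings.append(f"unknown payment type {req.payment_type}")
    elif req.amount_eur >= limit and len(set(req.approvers)) < 2:
        findings.append("two distinct approvers required")

    return (not findings, findings)


if __name__ == "__main__":
    # The pattern from the article: an emailed request to pay the usual
    # supplier into a new account in Spain (constructed IBAN).
    scam = PaymentRequest("SUP-001", "ES91 2100 0418 4502 0005 1332",
                          750_000, "manual", ("alice",))
    print(check_payment(scam))
```

Note that the checksum only rejects mistyped or invented account numbers; the scam account in the story was presumably a real one, so the decisive checks are the comparison with registered master data and the country mismatch. Both only help if master data itself can be changed solely through procurement's verified process.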
Don’t skip the cybersecurity and phishing training
You may think it is easy to spot phishing emails, but it is not, especially when we are talking about financial scams.
Spear phishing is a growing business, with losses expected to reach 1.4 billion US dollars by 2022. Scammers may spend weeks crafting a single, convincing financial scam to lure finance professionals into making a large payment.
Good phishing training should be targeted at your role and prepare you, through challenging exercises, to spot potential scams. It is always better to report an email to your security team and ask for their opinion than to make a payment and regret it later.
Care about security
Security is a bigger part of treasury operations than you might think, so make sure you care about it. Things like using a strong, unique password (and changing it immediately if you suspect it has been exposed), enabling multi-factor authentication, and not sharing accounts or user rights matter and go a long way.
When you care about security, you also show a good example to the rest of the team.
Trust your instinct, the lessons of this story, and your security training
It is always better to take longer to process a payment than to pay a scammer. Good, strict payment processes and workflows help with this. Also, trust your own and your co-workers' instincts if something feels off.
Stay curious about financial scam news so you know the latest trends and how scammers will try to trick you. Work closely with your security department. It is in everyone's best interest to avoid falling victim to a scam.
It is not a question of whether you will receive financial scams and phishing emails, but when. Be prepared to be targeted, and face the situation with the confidence not to make the payment.