Travelers v. Baptist Health System
Fraudulent transactions continue to plague businesses. Make sure you have sufficient internal controls over invoice payments to avoid a loss like the one suffered by one company, which lost over $875,000 due to fraudulent invoices submitted by a scammer.
Your internal controls should include training against social engineering. Con artists attempt to gain information through apparently harmless telephone calls to employees, sometimes posing as another banker or as an equipment salesperson. They ask questions regarding the type of printers and copiers utilized by the institution, who is in charge of ordering supplies, and what procedures are followed. With this information, they can easily prepare fake invoices which are submitted for payment. The invoices appear to be legitimate because they contain information that an outsider is unlikely to know. Now would be a good time to review your invoice payment procedures, training schedule and insurance policies.
Match all invoices to orders;
Centralize your purchasing function and have the purchasing person/department approve all invoices before payment;
Don't utilize something simple like an "OK to pay" stamp or other method that could easily be duplicated;
Alert your employees to the fact that a caller may attempt to social engineer them into divulging information about the type of equipment your institution uses in order to later dummy-up invoices. A common ploy is for the scammer to call, pretending to be selling copiers, for example. They'll say, "Are you happy with your current copier? Are you thinking about making a change in the near future?" Typically, the person will say they're happy with the existing equipment. The "salesman" will then say, "I'm just curious. Would you mind telling me the make and model you currently use?" They will then politely thank the bank employee for their time and promise to call again in the future. A call like that barely registers as a blip on the banker radar because it seems so innocuous, but the whole purpose is to gain vital information that will aid the con artist in making legitimate-looking invoices that will be paid without question.
In this case, the fact that the claim was not covered by insurance means the company bore the entire loss - nearly a million dollars!
The case involved a health care provider and an insurance company. The vendor learned that the company's invoice payment procedures involved the payment of all invoices marked "ok to pay". Instead of submitting invoices to the appropriate department for approval, the vendor marked them "ok to pay" and delivered them directly to the accounting department of the health care provider for payment. When the fraud was discovered, the company filed a claim with its insurer, but the claim was refused. The Fifth Circuit U.S. Court of Appeals held that the provisions of the insurance contract only covered forgeries or alterations of certain instruments and did not include invoices.