How Could a Company Prevent Scams?

A member of the finance staff receives an email or an SMS that appears to come from the GM or the Purchasing Manager, urging the staff member to remit money to a designated account. Normally, the staff member arranges the payment as soon as possible, taking the message as an order. Later, the company finds out it was a scam: for example, the purported GM’s email address was slightly different from the real one, or the fraudster had stolen the Purchasing Manager’s mobile phone number and used it to send the fraudulent SMS, and so on.

Such scams have two key characteristics: they may contain some true information, and they are urgent. So, how could a company prevent such scams?

It is recommended to establish a prevention system and implement relevant measures in the following areas:

First, the requirements for approving payment requests and the payment measures shall be stated in the financial policies. The key point is that, no matter how urgent, all payment requests shall be approved on site or by phone. The specific requirements are: (a) the policies shall state the method and content of the approval, for example, the payment request shall state the phone number of the beneficiary unit, etc.; and (b) the policies shall set different approval authority according to the amount. For example, when a member of the finance staff receives a payment notification, whether by email, SMS, WeChat, etc.: if the amount is less than a specific amount, the staff member shall require the person who gave the instruction to approve on site or by phone; if the amount is more than that specific amount but less than a higher specific amount, the staff member shall require the Finance Manager to approve on site or by phone; if the amount is more than the higher specific amount, the staff member shall require the Vice GM to approve on site or by phone.

Second, network security shall be strengthened. The following measures could be considered: (a) a digital signature could be added to emails, to make sure the sender is the right person; (b) payments could be made only from a specific computer in the finance department, and that computer could not be used for other purposes; and (c) the computers and smartphones used to make payments shall be scanned with anti-virus software regularly.
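
A check that supports "make sure the sender is the right person", as an added example that is not part of the original article: it compares the sender of a payment request against a company directory, flags addresses that are only slightly different from a real one, and notes urgent wording. The directory, the urgency word list, the function names and the sample messages are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed directory of people allowed to instruct payments (assumption).
DIRECTORY = {
    "gm@example-trading.com": "General Manager",
    "purchasing@example-trading.com": "Purchasing Manager",
}
# Constructed list of urgency cues (assumption); tune to your own mail.
URGENT_WORDS = ("urgent", "immediately", "asap", "today", "right away")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_payment_request(from_header: str, body: str) -> dict:
    """Classify the sender address and record urgency cues in the text."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in DIRECTORY:
        sender = "known"
    elif any(0 < edit_distance(addr, known) <= 2 for known in DIRECTORY):
        sender = "lookalike"  # one or two characters away from a real address
    else:
        sender = "unknown"
    urgent = any(word in body.lower() for word in URGENT_WORDS)
    # "known" is not approval: a stolen phone number or mailbox would pass,
    # so on-site or phone approval is still required for every request.
    return {"address": addr, "sender": sender, "urgent": urgent}


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("General Manager <gm@examp1e-trading.com>", "Urgent: remit the payment today."),
        ("General Manager <gm@example-trading.com>", "Please process the attached request."),
        ("Sales <sales@vendor.example>", "Invoice attached."),
    ]
    for from_header, body in samples:
        print(check_payment_request(from_header, body))
```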

Third, employees’ risk awareness shall be enhanced. Companies could arrange regular risk control training using real cases from practice, through which the relevant employees could learn the skills to evaluate risks. In addition, all policies are implemented by individuals: only when employees have risk awareness and the skills to evaluate risks can such policies take effect. Such employees would also have the awareness and skills to keep and collect evidence, with which companies might claim for losses from the fraudster.