As higher education institutions experienced rapid workplace changes during COVID-19, instances of fraud also increased. Remind employees not to circumvent controls and processes that protect them and the institution.
Key insights
- With an increased number of employees working remotely during the pandemic, external fraudsters have come up with new scams that are hurting higher education institutions.
- The remote environment can also lend itself to internal fraud without proper controls in place.
- Higher education institutions must be more vigilant to prevent fraud.
Need to speak with a professional?
In late April 2020 the campus is quiet. A pandemic has stricken the country, and people are ordered to stay at home. Instruction moves online and most administrative staff work remotely. The accounts payable (AP) department is considered “essential,” and staff rotate working on campus to pay the university’s costs on time and maintain campus operations.
One day, an AP specialist receives a call from the construction company building a new academic center on campus. Someone claiming to be in the receivables department asks to update the ACH payment information. The AP specialist is familiar with this vendor — he has worked with them in the past and has seen the company’s flyers on the construction site.
Per university policy, the AP specialist calls the vendor to confirm the change is legitimate, but learns everyone is working remotely and no one is in the office to take the call. Given the AP specialist’s “can-do” mindset and understanding that his role is critical in keeping the university operating, he moves forward with the ACH change. A few days later, the university processes a multimillion-dollar payment using the new ACH information.
Weeks later, the construction company emails the AP department informing the university its payment is late. The AP department is confused, since they show the payment was made. Upon further investigation, they determine the person requesting the ACH change was not the construction company’s employee. The university sent the payment to a fraudulent bank account. By the time the fraud was discovered, the funds had already been moved to an account overseas. The university was the victim of an increasingly common form of fraud.
External fraud risks in the COVID-19 environment
Unfortunately, many institutions have reported similar fraud attempts since the pandemic hit. Other AP departments report receiving vendor ACH change requests via email. In these scenarios, the requestor’s email domain appears similar, but not identical, to the actual vendor’s email domain. Employees did not recognize the fraudulent email and changed the vendor ACH information.
Fraudsters look for vulnerabilities to exploit. They realize the pandemic may have weakened controls at institutions.
In addition, with modern technologies and enhanced data-mining capabilities, the amount of information available for fraudsters is at an all-time high. From simply calling and impersonating a vendor to fabricating email domains, the possibilities are limitless. Those in AP, payroll, and other risk-prone functions must maintain the utmost vigilance and dedication to safekeeping their institution’s funds and confidential information, even when working remotely.
Safeguard against vendor fraud risks
Consider these methods to create stronger controls and help mitigate potential fraud attempts.
- Require a dual, independent verification before changing vendor banking information. Document that the independent verification step was performed and build this requirement in the information technology system. The system should automatically prevent change to vendor information without independent verification approval.
- Develop a reporting feature that details payments to be issued that are over a certain dollar threshold and will be going to a new ACH/payment routing number. Someone other than the employee responsible for changing vendor information should review and approve this report.
- Segregate duties between issuing payments and changing vendor information.
- Collect and maintain up-to-date vendor information. Remove vendors from the vendor master file that have not been used in a period of time, such as one year.
- Train employees regularly, especially those in accounts payable and payroll. Such training should include awareness about social engineering and other cybersecurity threats.
While many of these controls are not new, urge your employees to be ever-diligent in adhering to controls and procedures, despite the change in remote working environments created by the pandemic.
Internal fraud risks in the COVID-19 environment
Although external vendor fraud is an increasingly common threat, internal fraud within the accounts payable department remains a looming risk as well. Furloughs, pay reductions, and other factors due to the pandemic could incentivize employees to commit fraud.
Consider an institution where employees in the accounts payable department issue payments and change vendor banking information. In this instance, an internal fraudster could pay a legitimate invoice from an approved vendor to their personal bank account. Or, an employee may manipulate an invoice to pay themselves what appears to be a legitimate invoice to an approved vendor.
Implement controls and tools to help prevent internal fraud:
- Segregate duties between approving charges, vendor file maintenance, and processing payments.
- Consider implementing data-analytical procedures over expense information to identify outliers or trends that could indicate fraud.
- Develop a reporting feature that details changes to vendor information. Have someone other than the employee responsible for changing vendor information review and approve this. This report could flag frequent changes to vendor information. This could help identify when an employee fraudulently changes vendor payment information, then switches the banking information back to its original account numbers to avoid detection.
- Maintain the vendor master file. In a poorly maintained file, a fraudster may feel empowered to change existing, unmonitored vendor information and potentially issue payments directly to themselves. In addition, if there are duplicate vendors, a fraudster may change the banking information or address of only one vendor and issue legitimate payments to the compromised record. A good control is to update the master file regularly to remove duplicates and stale vendors and update contact information.
- Train employees regularly and teach them how to report suspected fraud.
All controls, no matter how well designed, will be ineffective if employees are not educated and properly trained to identify unusual requests. Empower them to practice adequate skepticism in response to potential fraud attempts.
How we can help
We have seen the rise of vendor fraud at higher education institutions and have worked with institutions across the country to help design procedures and processes to prevent and detect fraud. At CLA, we offer several risk assessment tools, including.
- Computer penetration testing
- Risk assessments
- Internal control assessments
- Finance department assessments
- Vendor file risk analysis
- Employee fraud prevention training
Please reach out to our higher education professionals for more information.