March 20, 2020

In one single transaction, the City of Saskatoon was scammed out of $1.04 million of taxpayers’ money.

On August 15, 2019, it was revealed that the City of Saskatoon had fell victim to an online fraud scheme. A fraudster posing as the CFO of a local construction company, a regular supplier of the City, requested for a change in the company’s banking information. The City complied, and consequently the next contract payment of $1.04 million was transferred to the fraudster’s bank account.

Upon discovery of the scheme on August 12, 2019, the City contacted its internal auditors, the police and the banks in an attempt to recover the funds and to prevent any further attacks. However, there are no guarantees that the money lost will be recovered.

The actual construction company was not affected by this incident, and the amount owed to the construction company still needs to be paid by the City.

The City went public with this incident as a cautionary tale to warn other organizations about similar schemes.

As the Internet becomes increasingly prominent in the business world, cyber theftsi are also on the rise.

Many businesses have switched to the use of Electronic Funds Transfer (EFT) as a cost effective and efficient means to paying their suppliers and collecting money. However, without proper controls to address EFT specific risks, it can leave the business vulnerable to transfer scams, phishing attacks and other cybercrimes.

In the above anecdote, the City lacked appropriate internal controls and safeguards that could have protected the City against this type of cybercrime. To prevent this, the request to change account information should have been verified and approved by a supervisor and confirmed with the supplier before the change was made.

Fraudsters and scammers are becoming increasingly sophisticated. Proper controls and safeguards are necessary to protect your business against potential attacks.

Here are some other tips for protecting your business against cybercrime and fraud:

1. Enter information on secured websites ONLY. Fraudsters/scammers may impersonate a customer or supplier by sending or requesting payments through a link. This will often require you to enter your banking information to complete the transaction, giving the fraudsters/scammers your passwords and access to your accounts. To prevent this, ensure all account information is only entered on secured websites. This is usually indicated on most web browsers with a padlock.

2. Two-factor authentication. This involves the use of a security token. A security token is a small portable device used to authenticate a person identity when accessing sensitive information. This device is to be used in addition to your normal ID/password, creating an extra layer of security. For example, when logging into an online banking system, most banks require the user to enter a one-time password, generated by the token device, in addition the user’s ID and password.

3. Multi-user authorization. This would require two or more individuals in the EFT process. One individual would initiate/create the EFT, while another individual(s) approves it. As most organization requires two signatures to issue a cheque, it is best practice to have two authorizers approve the EFTs as well.

4. Segregation of duties. Ensure no one person can complete an entire EFT transaction by themselves. If an individual has the ability to modify accounting records and access to many aspects of the EFT process, it runs the risk of misappropriated funds and falsified accounting records. For example, an individual may set themselves up as a supplier and transfer payments to their own bank account, recording it as an inventory purchase. By segregating duties, it reduces the risk of misappropriated funds.

5. Compensating controls. For many small businesses, segregation of duties may be difficult due to staffing limitations. To compensate, regular review of transactions and random confirmation of transactions or balances should be performed.

6. Educate your staff. In order to prevent and protect against cyber theft and other online crime, it is essential that your staff is aware of these potential frauds/scams. Train your staff to be skeptical of any emails received from unfamiliar or suspicious senders, and how to respond when faced with a potential attack.

i Cyber theft – the act of using an internet to steal someone’s property or to interfere with someone’s use and enjoyment of property (source: https://definitions.uslegal.com)
ii Source: Finance & Accounting Policy Pro, Chapter 5.11 Electronic Funds Transfer
iii Zoe Chan is a Senior Staff Accountant with the firm and Jeff Westreich is an Accounting/Assurance Partner with the firm.

Written by Zoe Chan and Jeff Westreich

Jeff Westreich, Partner, Accounting and Assurance
jwestreich@kbllp.ca
905-475-2420 x326

Zoe Chan, Senior Staff Accountant, Accounting and Assurance
zchan@kbllp.ca
905-475-2420 x354