In recent technology news, Lithuanian Evaldas Rimasauskas and his co-conspirators created fairly convincing forgery emails using fake email accounts from a company called Quanta in Taiwan—a company Facebook and Google regularly conducted business with—and sent them to employees at Facebook and Google who responded by paying out more than $100 million to the fake company's bank accounts, prosecutors said.1
Shocking, right? If you are a finance leader that learned of this scam you probably cringed. “How could that have been so easy?” you are likely asking yourself and your AP team. And, “How exposed are we to such a scam?”
In a recent Yooz blog , we talked about how our platform can handle processing invoices in foreign currencies. Since this recent news involved companies from various countries, we thought it would be an exciting opportunity for us to show that with Yooz it would be almost impossible for your company to be scammed like this. Thanks to the Yooz cloud-based end-to-end system that automates your AP workflow, even if a fake invoice came through in an e-mail—whether it’s from a real or fake account—our system’s validation steps would notice!
Here is how it works:
- Each Yooz client application has one or multiple AP e-mail(s), which is like a global e-mail where vendors send their invoices to be paid. These e-mails have a unique login assigned by the AP department or finance administrators.
- The technology auto-forwards the e-mails into the Yooz system to be coded.
- If a fake invoice is imported into the Yooz system, it will enter in the workflow which involves multiple approval steps, including matching it to a real P.O.
So first the pirates need to have this unique AP email, which unlike the regular emails of the employees, is really complicated to try and get if you are not an employee of the company. The scam usually stops there. If the fake invoice actually makes its way into the approval process, the likelihood it of it being caught by one of the approvers is really strong.
Lithuanian Evaldas Rimasauskas' work also involved "forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents" of the companies he was impersonating and fleecing, prosecutors said in a statement.”1
In some scenarios, the pirate will create an invoice from a fake company, or vendor. In each Yooz application, the system has a list of vendors registered by the client, a known list of true vendors. So, the system will not recognize a fake vendor and alert the user.
But in the case of Rimasauskas, he was actually impersonating a real vendor, rather than creating a fake vendor. What then? The same series of checks and balances built into the Yooz workflow applies to identifying fake invoices from “real” vendors. In our complete purchase-to-pay (P2P) workflow approval process, the purchase order is imported from the ERP and matches the P.O. to the invoice. The fake invoice will not have a P.O. to match against, alerting the user.
In short, you can sleep at night. We’ve got you covered!