An ERP Horror Story

A chilling instance of security lapse

It is a regular weekday. The office is bustling with employees and the smell of coffee is in the air when the phone rings. It's a vendor, a vendor long forgotten that hadn't been used in some time. They called to inform management that they had received a check stub via email for a payment, yet they hadn't made a payment and didn't owe any money. (Uh-oh.) This was the beginning of the end for an instance of fraud that had by then lasted for months. Why did this happen, and how do you prevent your business from taking a loss like this?



"The Bandit" strikes again and again and again…

It's very common for large organizations to have no human check signers at all. Once you reach a certain volume it just doesn't make sense to have a person or the bank sign checks. Why? Because we have technology for that! A portion of this company's ERP uses an electronic funds transfer file to generate ACH payments.

The Bandit, whoever he or she may be, had intimate knowledge of this system. They used one of MANY shared passwords to access it and change the bank account number that receives payment. They then submitted fraudulent invoices to cover their tracks. They always made sure that the amount transferred was under $1,000 to stay under the radar. Over the course of a few months "The Bandit" was able to get away with over $35,000 (maybe more). That is $35,000 gone, all due to extremely lax protocols and a lack of focus on the importance of security.



Cleaning up the mess

Improper ERP management, along with a lack of due diligence by this particular company's Managed Service Provider (MSP), led to their loss. When they came to us they were in full-on reaction mode, and luckily CIS has the tools in place to put out their fire. We immediately locked down the process that allowed the money to fly out the door. We began with a detective control: any time bank account information is changed, the system sends an automated alert to an authority figure who does not have access to alter that information, so that every change is seen by someone who could not have made it. Then we implemented a pass-through service that lets the company view the net profit on each transaction, so it is easy to tell whether each order number reconciles back to the financial statements and to spot every gap. This gives a full view of money going out.



The prevention of future fraud

Now that the flames are tamed, the next thing CIS does is what should have been done all along: preventive security. With all of our clients we implement an "Acceptable Use Policy." This policy decides who has access to what, and when that access should be had. For example, if someone were to access the bank account information outside of the allowed hours, an alert is triggered. Additionally, each banking process has isolated access capabilities, so that NO ONE person has access to both change banking information and process invoices. This separation of duties makes it easier to identify gaps and prevent instances of fraud. The policy also ensures healthy password management, such as:

  • No shared passwords
  • Password strength
  • Changing passwords regularly

This is such a small thing, yet it has a massive impact on security. No stone should be left unturned when it comes to the safety of your company's data and network.
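The controls described in the clean-up and prevention sections above (an alert to a read-only approver on every bank account change, an alert for changes outside allowed hours, and separation of duties between changing bank details and processing invoices) can be expressed as rules run over the ERP's audit log. The script below is an added illustration, not CIS's own tooling or any particular ERP's API: it walks a constructed audit log and also flags the pattern this story turns on, a sub-$1,000 invoice arriving shortly after a vendor's bank details were changed. The allowed-hours window, the $1,000 review threshold, the 30-day look-back and the approver address are assumed policy values.

```python
"""Detective controls over ERP vendor-master and accounts-payable events.

Added example, not code from the original post or from CIS: scans a
constructed ERP audit log and raises findings for
  1. any vendor bank account change (alert to an approver who cannot edit it),
  2. bank account changes outside the allowed hours,
  3. separation-of-duties violations (one user both changes bank details and
     submits invoices),
  4. invoices under the review threshold shortly after a bank change.
"""
from datetime import datetime, time, timedelta

# Policy parameters: assumed values, not taken from the post.
ALLOWED_START = time(8, 0)            # bank-detail edits allowed 08:00-18:00 ...
ALLOWED_END = time(18, 0)             # ... Monday to Friday only
REVIEW_THRESHOLD = 1000.00            # invoices below this get no human review
LOOKBACK_DAYS = 30                    # watch invoices this long after a change
APPROVER = "controller@example.com"   # read-only recipient of change alerts

# Constructed audit log in the shape an ERP export might have (sample data).
# 2022-06-01 is a Wednesday, 2022-06-13 a Monday.
AUDIT_LOG = [
    {"ts": "2022-06-01T09:12:00", "user": "ap_clerk1", "event": "vendor_bank_change", "vendor": "V1042"},
    {"ts": "2022-06-01T09:40:00", "user": "ap_clerk1", "event": "invoice_submit", "vendor": "V1042", "amount": 980.00},
    {"ts": "2022-06-02T22:15:00", "user": "shared_ap", "event": "vendor_bank_change", "vendor": "V2210"},
    {"ts": "2022-06-03T10:05:00", "user": "shared_ap", "event": "invoice_submit", "vendor": "V2210", "amount": 995.00},
    {"ts": "2022-06-10T11:00:00", "user": "ap_clerk2", "event": "invoice_submit", "vendor": "V3001", "amount": 4200.00},
    {"ts": "2022-06-13T14:30:00", "user": "ap_lead", "event": "vendor_bank_change", "vendor": "V3001"},
]


def parse(record):
    """Return a copy of the record with its timestamp parsed."""
    rec = dict(record)
    rec["ts"] = datetime.fromisoformat(record["ts"])
    return rec


def outside_allowed_hours(ts):
    """True on weekends or outside the ALLOWED_START..ALLOWED_END window."""
    return ts.weekday() >= 5 or not (ALLOWED_START <= ts.time() < ALLOWED_END)


def analyze(log):
    """Run all four rules over the log and return a list of finding dicts."""
    events = sorted((parse(r) for r in log), key=lambda r: r["ts"])
    findings = []
    users_changing_bank = set()       # for the separation-of-duties check
    users_submitting_invoices = set()
    last_bank_change = {}             # vendor -> time of most recent change

    for e in events:
        if e["event"] == "vendor_bank_change":
            # Rule 1: every change is reported to someone who cannot make one.
            findings.append({"rule": "bank_change_notify", "user": e["user"],
                             "vendor": e["vendor"], "notify": APPROVER})
            # Rule 2: changes outside the policy window.
            if outside_allowed_hours(e["ts"]):
                findings.append({"rule": "bank_change_off_hours",
                                 "user": e["user"], "vendor": e["vendor"]})
            users_changing_bank.add(e["user"])
            last_bank_change[e["vendor"]] = e["ts"]
        elif e["event"] == "invoice_submit":
            users_submitting_invoices.add(e["user"])
            # Rule 4: small invoice soon after the payee's bank details moved.
            changed = last_bank_change.get(e["vendor"])
            if (changed is not None and e["amount"] < REVIEW_THRESHOLD
                    and e["ts"] - changed <= timedelta(days=LOOKBACK_DAYS)):
                findings.append({"rule": "sub_threshold_after_bank_change",
                                 "user": e["user"], "vendor": e["vendor"],
                                 "amount": e["amount"]})

    # Rule 3: one identity did both halves of the payment process.
    for user in sorted(users_changing_bank & users_submitting_invoices):
        findings.append({"rule": "sod_violation", "user": user, "vendor": None})
    return findings


def rules_triggered(log):
    """Sorted list of distinct rule names that fired on the log."""
    return sorted({f["rule"] for f in analyze(log)})


if __name__ == "__main__":
    for f in analyze(AUDIT_LOG):
        print(f)
```

On the sample log the shared account `shared_ap` trips three rules at once (an off-hours bank change, a sub-threshold invoice the next morning, and a separation-of-duties violation), which is exactly why the post's "no shared passwords" rule matters: with a shared login the alerts can say what happened but not who did it.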



The conclusion

Many missteps were discovered after we dove deep into this organization's processes and procedures, missteps that could have been curtailed by their last MSP. They were missing these key security measures that every larger business should have:

  • Managed SOC
  • Endpoint detection and response
  • Password Management
  • Office 365 Security

Whether this perpetrator was in-house or a hacker from abroad, the money's gone and it's not coming back. The FBI is involved and "The Bandit" will likely be caught, but the damage has been done. A hit like that can cripple most businesses, oftentimes causing them to close their doors for good. The only real way to prevent a bad actor from lurking in the depths of your network is to use preventative security measures.

Custom Information Services has been in business for 30+ years and our reputation precedes us. Don't wait until it's too late to adopt the proactive vs. reactive mindset. Get a free 30-minute Gap Analysis today. It will pinpoint your weaknesses and highlight your strengths, so you can make sure you aren't a victim of your own "Bandit."

Published On: September 14, 2022 | Categories: Cybersecurity, ERP Solutions, Managed IT Services