Although the holiday season brings plenty of joy to people around the world, it is also a peak time for opportunistic cybercriminals. With the usual increase in transaction volume, temporary staffing, and employees distracted by personal holiday plans, the back office becomes vulnerable to scams directed toward seizing funds or sensitive data. While it may feel like your organization isn’t at risk, your financial back office is a prime target. To protect your organization and fortify your finances, it is important to stay informed.
The Top Holiday Scams Targeting the Back Office
Scammers leverage the chaos and urgency of the season. Knowing the tactics and seeing examples are the easiest ways to identify scams when they are used against you.
1. Business Email Compromise and Invoice Fraud
- The Scam: This is the most financially damaging. A hacker compromises a high-level executive’s email or spoofs the address. They then send an urgent request to the Accounts Payable team, often late in the day, demanding an immediate wire transfer to a “new vendor” or for a “confidential acquisition.” Alternatively, they submit fraudulent invoices for goods or services never rendered, exploiting the rush to process year-end payments.
- Why it works: AP staff are under pressure to clear all outstanding invoices before the end of the fiscal year or holiday break, leading them to bypass standard verification protocols. Although it’s been a common tactic to spoof email addresses, the extra urgency during the holiday season can make the small details denoting a scam easy to miss.
2. Phishing and Vishing (Voice Phishing) Attacks
- The Scam: These attacks may use festive lures like fake holiday party invitations, “urgent” shipping notifications, or bogus year-end bonus details. These are to trick employees into clicking on malicious links or downloading infected attachments. Vishing involves a scammer calling, impersonating IT support or a supplier, and demanding credentials or remote access to fix an “urgent system issue.”
- Why it works: Emails that are personal or related to specific suppliers are more likely to be opened. Employees are also more susceptible to social engineering, especially when calls involve technical “emergencies” that need immediate attention.
3. Payroll Diversion Fraud
- The Scam: The finance team receives an email, purportedly from an employee, requesting to update their direct deposit information. If that information is changed, the criminal controls the fraudulent account.
- Why it works now: Temporary staff onboarding or a focus on processing holiday bonuses creates an environment where changes to bank details might seem normal and are processed without rigorous cross-verification.
Three Pillars of Back Office Protection
Once familiar with the tactics, it is crucial to implement controls to ensure security is maintained throughout the holidays.
Enforce Strict Payment Verification Protocols
The single most effective defense against invoice fraud is a strict segregation of duties and dual control for all financial transactions.
- Mandate Dual Authorization: All wire transfers, ACH payments, or changes to vendor or employee banking information over a set threshold must require approval from at least two different employees. It is also crucial that one of those employees isn’t the requester of the change.
- Implement “Out-of-Band” Verification: Before any payment is made to a new bank account or a change is processed, the AP team must verify the request using a method other than replying to the email. This means calling or otherwise contacting the known, verified phone number of the executive or vendor.
- Freeze Bank Detail Changes: For the holiday period (e.g., December 15th – January 5th), consider imposing a moratorium on changes to employee and existing vendor bank details unless verified in person or via a recorded video call.
Enhance Employee Awareness and Training
Your employees are your first and strongest firewall. Ensure they recognize the red flags of urgency and deception through additional training.
- Conduct Phishing Drills: Run a targeted phishing simulation just before the holiday period, using common holiday lures. Use the results for immediate, focused training.
- Train on Social Engineering Cues: Teach staff to recognize the language of urgency and coercion. For example, “Do this now before the CFO leaves,” “This is confidential—don’t tell anyone,” or “The system is about to crash.”
- Reinforce the Call-Back Policy: Every finance staff member must know: If the email involves money or a password, you must verify the request by phone.
Strengthen System Security and Access Controls
Ensure your core financial systems protect against unauthorized access and malware.
- Require Multi-Factor Authentication: This is non-negotiable for all access to financial platforms, payment portals, and even corporate email. MFA stops most account takeover attacks.
- Review and Revoke Access: Before the holidays, perform a full audit of user access. Immediately revoke access for any departing employees or temporary staff whose assignments have ended. There is a high risk of credentials being compromised after a departure. Use the principle of least privilege to ensure that only those who need access to higher clearance items have it.
- Patch and Update: Ensure all operating systems, accounting software, and anti-malware programs are fully patched and up-to-date. This builds a better defense against the latest exploits.
Protect Your Organization
Through strict controls and training, your back office can navigate the holiday season securely, ensuring a happy new year for the company’s bottom line. What steps is your company taking to secure the back office this holiday season? To learn more about how ICG’s solutions protect businesses from fraud, request a demo.