I wanted to draw your attention to two fraud related matters that occurred recently. I’d ask that you share this information with your teams and the hotels in your region, and ask that any suspected fraud be reported to Shawn, Matthias or myself immediately.
MERCHANT SERVICES
It appears that a user’s credentials were used to access the Merchant Services software and process a series of manual credit card refunds. Each transaction was below the anti-money laundering threshold for reporting ($10,000). The transactions were processed on the weekend and were identified on Monday by the accountant performing the credit card reconciliation. Fortunately, the refunds had not yet been released and no loss was incurred. This incident is a good reminder that for any key financial system we must:
· Grant access to only those individuals who require it to perform their duties
· Grant only the minimum access required
· Periodically change our passwords – the FRHI standard is every 90 days. This would be a good time to reset passwords on systems not managed by FRHI (such as merchant services, online banking, etc.)
· Ensure user access for ALL key financial systems is included in the Director of Finance’s quarterly review. This includes merchant services, online banking, etc.
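The merchant services incident above has a detectable shape: one user processing a run of refunds that each sit just under the $10,000 reporting threshold, on a weekend. The following is an added example (not a tool from the memo or from FRHI) of the kind of check an accountant or finance-systems team could run over a refund export before release. The sample records, the 90%-of-threshold cutoff, the three-refund minimum, the 48-hour window and the 08:00-18:00 business-hours assumption are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample refund export (not real data): (user, timestamp, amount).
# 2016-03-05 and 2016-03-06 are a Saturday and Sunday.
SAMPLE_REFUNDS = [
    ("jdoe", "2016-03-05 09:12", 9800.00),
    ("jdoe", "2016-03-05 09:40", 9500.00),
    ("jdoe", "2016-03-05 10:05", 9950.00),
    ("jdoe", "2016-03-06 14:20", 9700.00),
    ("asmith", "2016-03-07 11:00", 120.50),   # Monday, ordinary refund
    ("asmith", "2016-03-07 11:30", 45.00),
]

REPORTING_THRESHOLD = 10000.00  # AML reporting threshold quoted in the memo
NEAR_THRESHOLD_RATIO = 0.90     # assumption: "just under" means >= 90% of threshold
MIN_COUNT = 3                   # assumption: three or more such refunds is suspicious
WINDOW = timedelta(hours=48)    # assumption: look for clusters within 48 hours

def parse(records):
    """Turn the export rows into (user, datetime, amount) tuples."""
    return [(u, datetime.strptime(ts, "%Y-%m-%d %H:%M"), a) for u, ts, a in records]

def is_off_hours(ts):
    """Weekend, or outside an assumed 08:00-18:00 working day."""
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18)

def find_structuring(records, threshold=REPORTING_THRESHOLD, ratio=NEAR_THRESHOLD_RATIO,
                     min_count=MIN_COUNT, window=WINDOW):
    """Return one alert per user who processed min_count or more refunds, each just
    under the threshold, within a sliding time window. Each alert records the
    count, the total amount and whether any refund was processed off-hours."""
    by_user = defaultdict(list)
    for user, ts, amount in sorted(parse(records), key=lambda r: r[1]):
        if ratio * threshold <= amount < threshold:
            by_user[user].append((ts, amount))

    alerts = []
    for user, items in by_user.items():
        start, best = 0, None
        for end in range(len(items)):
            # shrink the window from the left until it spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= min_count and (best is None or count > best["count"]):
                group = items[start:end + 1]
                best = {
                    "user": user,
                    "count": count,
                    "total": round(sum(a for _, a in group), 2),
                    "off_hours": any(is_off_hours(t) for t, _ in group),
                }
        if best:
            alerts.append(best)
    return alerts

if __name__ == "__main__":
    for alert in find_structuring(SAMPLE_REFUNDS):
        print(alert)
```

Run against the sample data, the check flags jdoe (four near-threshold refunds totalling $38,950 over a weekend) and says nothing about asmith. The same logic applies to any system where a per-transaction limit or reporting threshold can be sidestepped by splitting: the signal is the cluster, not any single transaction.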
ATTEMPTED WIRE FRAUD
Please be advised that we have recently been targeted in a fraud attempt. An email was sent from Michael.Glennie@frhhi.com (note the extra ‘h’) to the Corporate Controller asking her to urgently process a wire payment to the bank account of an entity in Hong Kong. The discrepancy was diligently identified and a note was sent to Michael asking him to call to confirm the payment. Wire fraud involving the impersonation of an executive is all too common these days. Steps you should take to validate the legitimacy of payment requests:
· Respond only to business email accounts for correspondence on payment instructions and prohibit the use of personal emails.
· Follow an acknowledgement procedure, in which staff are expected to forward the email to the executive to confirm receipt of instruction. An email reply would simply go to the impersonator, but a forwarded email would pick up the executive’s true address.
· Implement additional procedures around high-risk payments that carry numerous red flags, such as urgency, payments to companies domiciled offshore in foreign currencies, and new beneficiary accounts.
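The lookalike sender address in the attempt above (frhhi.com against frhi.com) and the red flags listed in the last bullet can both be checked mechanically before a payment request ever reaches a person. This added example (not a tool from the memo or from FRHI) scores an incoming payment request: it compares the sender's domain against a trusted list using edit distance to catch one-character variants, scans the text for the red-flag categories the memo names, and returns whether an out-of-band call-back is required. The trusted-domain list, the distance cutoff of 2, the red-flag patterns and the sample message body are assumptions constructed for illustration; only the sender address comes from the memo.

```python
import re

TRUSTED_DOMAINS = {"frhi.com"}   # assumption: the company domain, as in the memo

# Constructed sample message; the From address is the one quoted in the memo.
SAMPLE_EMAIL = {
    "from": "Michael.Glennie@frhhi.com",
    "subject": "Urgent wire payment",
    "body": "Please process this wire today to our new partner's account in Hong Kong. "
            "Amount is USD 48,000 to a new beneficiary. I am in meetings, email only.",
}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (typosquatted) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def classify_sender(addr, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return ('trusted', None), ('lookalike', <trusted domain it resembles>)
    or ('external', None)."""
    dom = sender_domain(addr)
    if dom in trusted:
        return "trusted", None
    dist, match = min((edit_distance(dom, t), t) for t in trusted)
    if dist <= max_dist:
        return "lookalike", match
    return "external", None

# Assumed red-flag vocabulary; a real deployment would tune these patterns.
RED_FLAG_PATTERNS = {
    "urgency": r"\b(urgent|today|immediately|asap)\b",
    "new_beneficiary": r"\bnew (beneficiary|account|partner)\b",
    "offshore": r"\b(hong kong|offshore|overseas)\b",
    "avoids_call": r"\b(email only|cannot (take|receive) calls|in meetings)\b",
}

def red_flags(text):
    """Names of the red-flag categories that match the message text."""
    text = text.lower()
    return sorted(name for name, pat in RED_FLAG_PATTERNS.items() if re.search(pat, text))

def triage(msg):
    """Decide whether a payment request needs voice confirmation with the
    executive before anything is processed."""
    verdict, match = classify_sender(msg["from"])
    flags = red_flags(msg["subject"] + " " + msg["body"])
    # any untrusted sender, or any red flag at all, forces an out-of-band call-back
    needs_callback = verdict != "trusted" or bool(flags)
    return {"sender": verdict, "lookalike_of": match,
            "flags": flags, "needs_callback": needs_callback}

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

For the sample message the sender is classed as a lookalike of frhi.com (distance 1) and all four flag categories fire, so the result is a mandatory call-back, which is exactly the step that stopped the real attempt. The call-back itself should use a number from the company directory, never one supplied in the email, for the same reason the memo prefers forwarding over replying.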
If you’d like to learn more, here is a link to Bank of America’s best practices for fraud prevention - http://www.bofaml.com/en-us/content/best-practices-for-fraud-prevention.html
Thanks to your continued vigilance we have consistently identified these fraud attempts thus far, but with the increasing sophistication of these fraud schemes I ask you to be extra cautious when processing payments and to question anything that is out of the ordinary or that isn’t properly supported and verified.