Is a Fraudster Romancing You? How to Know and What to Do About It!

February 14, 2024

Running time: 34 min

It’s February, and romance is in the air! However, what you don’t want is for a scammer to woo you into doing something you shouldn’t. Unfortunately, fraudsters are always upping their game and developing new techniques to rip off unsuspecting AP professionals. Some of their latest gambits involve getting close to you on a personal level in order to get you to let your guard down.

In this fascinating podcast with Debra R. Richardson, vendor master file expert and certified fraud examiner, and Royce Grayson Morse, IOFM’s managing editor, we explore sneaky new ways those looking to steal from your company attempt to lure you in. One of those techniques involves a form of social engineering called malicious elicitation. Here, the scammer gets information from you in what appears to be a completely innocent manner — but is instead a well-crafted ploy to get you to reveal company information that should be kept confidential.

Listen to the podcast to find out how one major company almost fell victim — and learn how to spot these scams.

Find out more about the latest “romance” scams:


Debra Richardson

Debra is an Accounts Payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors, and Aramark. In her consultancy, she works with vendor onboarding teams to add authentication techniques, internal controls, best practices and vendor validations to prevent fraud, fines and bad vendor data. A Certified Fraud Examiner (CFE), she is the President of the Central Atlantic Region IOFM Chapter and IOFM’s Ask The Expert for the Vendor Master File category. She hosts a weekly podcast “Putting the AP in hAPpy” and has a YouTube channel where she posts weekly tips on the vendor setup and maintenance process.


Royce Grayson Morse

Royce Grayson Morse has been working with IOFM for the past eight years, writing and editing content about Accounts Payable, Accounts Receivable, automation, and industry trends. She has worked on the IOFM Certification Guides and written the associated examinations; edits the annual 1099 and 1042 Master Guides; conducts podcasts; and manages the IOFM.com website content.



Transcription

Grace Chlosta: Welcome to the IOFM podcast. This is a podcast for accounts payable and accounts receivable professionals who want to stay in the know with current AP and AR trends and ideas. We'll be interviewing professionals in this space on a wide variety of subjects, including automation, artificial intelligence, career growth, compliance, leadership, and much more.

Today we'll be interviewing Debra Richardson. Debra is an accounts payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies, including Verizon, General Motors, and Aramark. In her consultancy, she works with vendor-onboarding teams to add authentication techniques, internal controls, best practices, and vendor validations to prevent fraud, fines, and bad vendor data.

00:00:57 

A Certified Fraud Examiner (CFE), she is the president of the Central Atlantic Region IOFM Chapter, and IOFM's "Ask the Expert" for the vendor master file category. She hosts a weekly podcast, "Putting the AP in hAPpy," and has a YouTube channel where she posts weekly tips on the vendor setup and maintenance process.

She'll be interviewed by Royce Grayson Morse. Royce Morse has been working with IOFM for the past nine years, writing and editing content about accounts payable, accounts receivable, automation, and industry trends. She has worked on the IOFM Certification Guides and written the associated examinations, edits the annual 1099 and 1042 Master Guides, conducts podcasts, and manages the IOFM.com website content.

Royce Morse: It's Valentine's Day today, and romance is in the air. What's that got to do with fraud scams in the workplace? Well, we're going to find out today. We're talking to Debra Richardson, vendor master file expert, and a Certified Fraud Examiner. Hi, Debra. How are you?

00:02:00                     

Debra Richardson: How you doing, Royce?

Royce Morse: I'm doing fine.

Debra Richardson: Thank you for having me on today.

Royce Morse: This should be a fun conversation. I'm looking forward to this one.

Debra Richardson: Yeah, fun or frightening. We'll see. [laughter]

Royce Morse: A little bit of both, right? Tell me, what's the connection between dating scams and fraud in accounts payable? Are there similarities?

Debra Richardson: Yeah, so it really has the foundation of our digital life. We're online, right, swiping left or right — right for partners — keeping up with the babies on Facebook, right? That's really the only reason I'm still on Facebook because that's the only place I can keep up with all of the babies.

00:02:55

But we're also online professionally, looking for jobs, educating ourselves. And for most of us that means you have to have that LinkedIn profile. And if you have a LinkedIn profile, you are tied to your company and you have your job title on there, and that means there is a hierarchy out there for anyone — really including the fraudsters — to access. 

The bottom line is that fraudsters are just stalking us online. They know where we work. They know who's in our hierarchy. They know who we are connected with socially. And it's really worth it to them across the board, because if you look at the FBI's 2022 IC3 Report (Internet Crime Complaint Center Report), the fraudster that perpetrates business email compromise, where they try to divert vendor payments, that average payout for them is $123,000.

00:04:12

I don't know about you, Royce, but even if I only have one a year, that's worth it to me to stalk people across multiple social media accounts. Is that worth it for you? 

Royce Morse: Well, I mean, you could live on that, right?

Debra Richardson: Yeah, we can live on that. But then, if you go further and you look at the statistics from internal fraud — and this comes from the Association of Certified Fraud Examiners, which is the largest anti-fraud organization; they really focus a lot on internal fraud. What they say is that they estimate that five percent of revenue per year is lost to internal fraud, and that the average loss per case is $1.8 million.

00:05:05                     

Royce Morse: Oh, my gosh. That's a lot.

Debra Richardson: Yeah. And then there's one more I wanted to say. So ransomware — we hear about that all the time. According to Sovos, the average loss due to ransomware was $1.54 million. Again, all of those really motivate fraudsters to do whatever it takes — stalking us across multiple social media accounts — to perpetrate that fraud. It's really worth it for them, and so that is exactly what they do.

Royce Morse: Sure. So I have a question about their MO. Let's say they find you on LinkedIn, and they see that you have a high-level AP role and that you probably have control and access to a lot of company funds. They single you out. How do they approach you? What's their technique?

00:06:02                     

Debra Richardson: So let's talk about LinkedIn. I will tell you this article really surprised me, and I don't know why because it probably shouldn't. There was a January 4th article out there from Business Insider, and the title of it was "The Hottest New Date Site: LinkedIn." And so listeners, if you guys want to Google it, you can Google it, and it'll come up. But the subtitle is especially interesting. It says "People are mixing business with pleasure on the jobsite. What could possibly go wrong?" [laughter]

00:06:44                     

Royce Morse: Oh, boy. Use your imagination, right?

Debra Richardson: I know. And they quoted one user who said that, on LinkedIn, she figured she could fairly assess whether a romantic prospect's employment history, education, and career aspirations lined up with the kind of partner she envisioned for herself. And then, at the very least, she would know whether the person had a job. I get that. [laughs]

Royce Morse: Well, yeah, except you can lie and make stuff up, too. There's nothing to stop you from you doing that.

Debra Richardson: Exactly. And that is the problem because that is what fraudsters will do. They will create a profile. Let's just say it used to be a little bit harder for them because they had to steal someone's profile picture, and you could do like a reverse image search and see that that profile picture actually belongs to someone else, and so that could be a hint and a half that it's fraud.

00:07:48

But nowadays they can use AI and just create a whole new profile picture. You can't even do that anymore. They will go ahead. They will create this profile, something that they know might be appealing to you, and look at your connections and try to get connected to your connections, right, try to get connected to you. But they can just purchase the membership, or whatever that is, that LinkedIn will — 

Royce Morse: Premium, or something like that?

Debra Richardson: Yes. Which will allow you now to start DM'ing folks. They can DM that person that has that high-ranking title or position, where they can put through a payment. They can DM that person and just start talking relationship or talking something in general, where you're not especially — it's not really a red flag, because you look at this really nice profile, with this really nice, appealing profile picture on it, and they pick up the relationship from there and, again, try to get you to the point, eventually, where they can get you to change some information so they can divert a payment, or get you to accept that or open that email, that work email message, that has a ransomware file in it.

00:09:27

There is lots of opportunity for fraudsters on LinkedIn. And unfortunately, nowadays, there are AI tools out there that can help them appear more legitimate. 

Royce Morse: Wow, yeah. I hadn't thought about the AI aspect, but, yeah, that's really scary.

Debra Richardson: Yeah. And there's one more thing, too. This was before we started hearing a lot about deepfakes and AI and how that's allowing the voices to be changed and the deepfakes with the videos.

00:10:10

I, in the past, have posted new scam alerts about jobs. Again, people are using LinkedIn for jobs. How many of us — myself included, in the past — have received an email from a recruiter, and that recruiter says, "Hey, we have a job that might be a fit for you"? And then you go through these interviews — and nowadays everybody's used to the virtual interviews. Well, the virtual interviews are deepfaked. They don't know. The legitimate candidate doesn't know that these are deepfake interviews, and they tell them in the last interviews — and, yes, there are a series of interviews, right, because they have to be convincing. 

00:11:02

But in that last interview, they say, "Hey, we are so happy. We think we're going to go ahead and offer you the position. We're going to send you an email that contains your job offer." So the person is very excited — they got the job. They tell them in the interview, "We're going to increase your pay. You're going to love it. Make sure you open up that job offer when it comes to your work email." And, Royce, guess what that job offer actually is. 

Royce Morse: Yeah, I can imagine.

Debra Richardson: Ransomware.

Royce Morse: Malicious software, yeah.

Debra Richardson: Yes. And the person is waiting for it. They're looking for it because they're excited. They're not thinking, "Well, why didn't this come to my personal email?" They're not thinking that. They want to see what their new salary is going to be.

00:12:02

Yes, LinkedIn. I hadn't thought about the fact that it was deepfaked and AI. That's how they were doing the job interview process. That is exactly how they're doing it, and they're finding those folks on LinkedIn for candidates. But the same type of thing can happen when you have a relationship that you think might be blooming into a romantic relationship. Again, all that can start on LinkedIn. 

Royce Morse: All right, so I've heard this term — and it's a bit of a tongue-twister, but maybe you can explain it for me — called "malicious elicitation." 

Debra Richardson: Yeah, you know what? I'm not going to say that five times in a row! [laughter] But, yes, malicious elicitation. Probably the slowest I will talk this whole podcast.

00:12:58

I have to give credit for that term. Usually you just hear the word "elicitation," but "malicious elicitation" really came from a Dr. Deanna Caputo. I saw her at a conference in Florida, and she used that phrase in her presentation. This conference had a lot of cybersecurity awareness training professionals there, and what she was saying is that we need more than just "don't click on that link" type of training. We need training to recognize when fraudsters are trying to elicit us. It was a very interesting study, by the way.

00:13:46

The FBI defines elicitation as a technique to collect information that is not readily available, and do so without raising suspicion that specific facts are being sought. They really call it a conversation that has a specific purpose. If you think about it, social engineering is the same way. 

So how to avoid the malicious elicitation that you may receive on Facebook, LinkedIn, or other social networks? I will reference an article from Security Through Education. The article is really talking about elicitation, and they're talking about it from the point of view of the threat actor or the fraudster really telling them how to go about elicitation, telling them they can set their goals, observation and research, open the door, do some active listening — how they, themselves, can plan and exit. 

00:14:54

But at the end they also talk about how you can protect yourself from malicious elicitation with these same types of elicitation techniques, so I'm going to go ahead and list the eight. The first one is ignoring any question or statement you think is improper and changing the topic. The second one is deflecting a question with one of your own. Oh, my God. All I remember is hearing my husband say I'm answering a question with a question. Anyway, the third one is responding with "Why do you ask?" The fourth one is giving a nondescript answer. That's similar to number five, which is stating that you don't know. Number six is stating that you would have to clear such discussions with your supervisor. Number seven is referring them to a business website. Number eight, the last one, is stating that you cannot discuss the matter. 

00:15:57

Some of these, especially the first three, are ones you typically use in both personal and professional conversation. I even talked about that second one really resonating with me, deflecting a question with one of your own, because I often do answer questions with questions, so that's a me thing. 

These are things you can do if you get uncomfortable with the questions that are being asked by someone DM'ing you on LinkedIn or Facebook. 

Royce Morse: Yeah, absolutely. So can you give us an example of what that might look like?

Debra Richardson: Yes. And so, again, the fraudster can start by DM'ing you, really stalking to find out what virtual events you are attending, if they want to do it virtually. Going back to LinkedIn being that dating site, I saw recently a LinkedIn Live and, as of the taping of this podcast, it was like last week. It was February 6th, actually, last week.

00:17:09

The LinkedIn Live was titled "Are You Ready to Stop Being Single?" And so if I was a fraudster on LinkedIn, I would definitely attend that LinkedIn Live and just start commenting or reaching out to those folks that attended or are attending that LinkedIn Live. But one other way that you can do it in public — because they go offline, too, in real life — is that they will meet someone at a public function. During that natural "getting to know you" process, maybe they'll do things that most people do. They'll complain about their job and you'll complain about yours. 

00:18:00

You might think it's harmless because you're not telling them where you work. But you know what? You don't have to tell them where you work because they already know. They have stalked you across LinkedIn. They have stalked you across Facebook. That's how they know where you were going to be. And so they show up and they target you. That's exactly what happened to a Tesla employee. 

Royce Morse: Oh, boy. Let's hear about that.

Debra Richardson: So back in 2020, there was an article — I think it was in 2021. It was from SecureWorld and it was titled "Russian National Pleads Guilty After Trying to Hack a Human at Tesla."

Royce Morse: Hack a human — oh, boy. 

00:18:49                     

Debra Richardson: Hack a human. You got it. I hurried up and opened up that link. In any event, they talk about — it was a fail, so that's really good, but they talk about that foiled 2020 attempt where they tried to recruit a Tesla employee to assist them in launching ransomware. So it wasn't like they were trying to fool him into opening it, like I talked about with that job offer. But in this one the ransomware operator, their MO or business model — because it is a business model — is they just like bribing insiders.

So what they did is they connected to a connection of that Tesla employee and decided they were going to launch that attack. The cybercriminal, again, found the victim through a mutual connection. They established an in-person relationship, even paid for an all-expense trip to Nevada, to Vegas, and they ended that with a million-dollar bribe. 

00:20:06

Now, luckily, the employee caught onto the scam. They reported it to Tesla and then it went to the FBI, which is how we all heard about it. Just as a side note, it's really important to report these things so that everyone else knows what the cybercriminals are up to now, and they did. That's how they got to that employee from Tesla, from a mutual connection. They found him. They didn't say how they found where he was going to be, but, again, you could look at Facebook and find that out, or maybe also Instagram is a good one as well. Find out where they're going to be and then just start that in-person relationship and see if you can convert them. In this case, again, it didn't work. But you never know. 

00:20:56                     

Royce Morse: Well, that's pretty blatant. So this person recruited their target and basically wined 'em and dined 'em and paid for a trip, and then blatantly said, "I will give you a million dollars if you launch ransomware on your employer"?

Debra Richardson: Correct. I'd like to say that when I was a manager none of my employees would've done that, but you never know what employees are going through. Again, going back to the Association of Certified Fraud Examiners, if you have employees that have that fraud triangle — maybe they have some financial pressures, maybe they can rationalize — "Well, you didn't give me enough of a raise." Or, "I've been doing two jobs for I don't know how long, because they can't find anyone to replace them." And we know that has been an issue in the past.

00:22:02

And then maybe that employee also has the ability to change vendor remittance. So you have that fraud triangle. All three are something that the employee has the ability to do or has the reason to do it. Technically, that could really go a different way, right? Luckily, it didn't happen with Tesla, and I'd like to think that it would never have happened with any of my employees, but you just never know where your employees are at any given time. That could still happen. 

00:22:51                     

Royce Morse: Absolutely. And I think some people feel if they are constantly passed over for promotion, or they're not being paid enough, or whatever, or they find themselves, as you say, in some financial difficulties, it gets real tempting if they have the ability to do it. I've heard this. There are several articles on IOFM's website as well that people can check out. People will say, "Well, I'll just do it this one time because I have a mortgage payment coming up, or I owe somebody some money," or something like that. "I'll just do it this one time." And they get away with it, so it's very tempting to keep on doing it. It can go on for years, especially in small organizations where there are no checks and balances.

Debra Richardson: Exactly. And most of them do go on for years, Royce, before they are found. One of the big things is really that lack of oversight and lack of internal controls. But what's really interesting about this one is that it was in 2020. We all know what happened in 2020.

00:24:03

In 2020, because of what happened, there were probably more folks that had financial pressure because maybe their partner no longer had a position. Maybe they could rationalize it even more because not everyone could get up and running when accounts payable, and really everyone, abruptly went home. So maybe they were doing more work because they could get up and running, and because they had the access (meaning the opportunity) to make that change. The fact that this happened in 2020 and wasn't successful was really — I won't say lucky for Tesla, but it definitely even more had the potential of going the other way. 

Royce Morse: Absolutely. If you are working in accounts payable, how do you protect yourself from getting taken in by this? It seems like the fraudsters are getting very good at romancing people at a very personal level and gaining their trust and then starting this — it seems like it could take a while, like it's not an overnight thing; it's not one and done. If you're a fraudster, you're going to have to put energy and time into building this relationship, then gaining somebody's trust and being patient until you feel like the time has come where you can make your move. How do you detect that? What are the red flags?

00:25:37                     

Debra Richardson: I would say it's getting harder and harder, because, again, we share so much that people can find ways to make themselves appear legitimate with us because they know what we like, they know what our interests are, and it's just kind of hard.

I shared this with you before. I had a romance scam video on my YouTube channel. I had posted it back in 2022, about romance scams and how to protect yourself from it. I looked at the number of views from February 8, 2022 until now, which is two years later. I had 12 views of that video because nobody thinks — at least definitely not at that time, and probably it hasn't changed much now — that they're the victim of a romance scam. 

00:26:48

You combine that with being a victim of fraudsters that are trying to get to your work life, you can think that that's not what they're doing either, right? It can be right up there with romance scams, where you just don't think that that's happening. And so one of the biggest red flags is if they ever start to ask you for money, and you can see that as one of the prevention or red flags or fraud prevention techniques that you see. The Federal Trade Commission will say that. Other organizations that help to prevent fraud will say that as well.

I think, when we're talking about our work life, even if they get to us or our employees through our social media digital life, work life, we should still have those internal controls, processes in place so that even if an employee falls victim to the fraudsters, that it won't result in a fraudulent payment. So it really comes back to having internal controls, authentication techniques, vendor validation, best practices in place to make sure that, even if someone does fall victim to it that it won't turn into payment fraud. 

00:28:29                     

Royce Morse: Right. So you'd be talking about something like a separation of duties, where the person who makes the changes to the vendor file can't initiate a payment, something like that?

Debra Richardson: Yes. Let's say they do make a change to the banking information, then having some internal control in place, like contacting the vendor — because I do know we have issues with that confirmation call. A vendor doesn't always pick up. You can't get through.

00:29:04

And I've heard even that some vendors will not confirm their banking over the phone. If you think about it, they don't know who we are either. So there are other controls, too, that you can have in place to make sure that, even if the banking does get changed, it won't result in that fraudulent payment. 

One that I really like, and I talk about it quite often, is instead of (or in addition to) making that confirmation call before you make the change, after you make the change and when that payment is sent to the bank, or sent out in a check because they're targeting remittance addresses for check payments, too, just contact the vendor afterwards. Not really for a confirmation of banking, but a confirmation of the payment. 

00:30:01

Make sure that they received the payment. And if they didn't receive the payment, now you have time to contact the bank and recover the funds within the bank's threshold, because if you wait for the vendor to notice that the payment hasn't been made and they contact you, that could be days, weeks, or months later. It could be too late to recover it. 

Make that payment confirmation call once that payment goes out the door so that you can verify that the vendor received it. That's a great additional control to put into place to make sure that you don't have that payment fraud. 

00:30:49                     

Royce Morse: That's great advice. I'm very suspicious myself, by nature, so I think we just need to not be as trusting — which is unfortunate, but, in this day and age, we have to be very wary of anything that looks too good to be true perhaps.

Debra Richardson: I hear a lot where fraudulent emails can come through and you find 'em, so you feel all good, "Yay, I caught it!" But sometimes those fraudulent emails will come through intentionally with spelling errors, context errors, because they want to just weed out the folks that aren't going to find it, or aren't going to fall for their next level.

00:31:47

If you do receive something like that, be wary of that as well because they're just trying to see if you're going to find it. The fraudsters have the ability to use ChatGPT or WormGPT or FraudGPT — whatever the fraudsters' version of it is. They have the ability to use that and other AI tools so that when you receive that email it's pristine. So if you do receive that fraudulent email that has grammatical errors and errors of context, that might be a hint and a half that you (or your company) are being targeted, so you might want to check with all of your other employees to see if they clicked on it and then will get the next version of the scam. 

00:32:38                     

Royce Morse: That's interesting. They test the waters first to see if you're vulnerable.

Debra Richardson: Yes.

Royce Morse: And if you're not, I assume they move on to another victim. But if they feel like there's a vulnerability there, they're all in on it.

Debra Richardson: They're all in on it, yes. It's getting really hard out there. But, again, making sure you have those authentication techniques, internal controls, best practices, vendor validations, especially if you are still handling bank changes, receiving vendor supporting documentation via email, you just have to have those things in place.

Royce Morse: Absolutely. Well, I appreciate the conversation. It's been very enlightening. I guess the short version of that is: Don't let a scammer romance you, either on a personal level or on a professional level, and keep your guard up.

00:33:35                     

Debra Richardson: I like that. Romance you professionally or personally.

Royce Morse: Yeah, you've got to watch out. Things have gotten very difficult, as you mentioned. With AI, it's become a real challenge. Be suspicious of pretty much everything and verify. Use your internal controls, your checks and balances, and don't fall for it. Don't fall for it.

Debra Richardson: I agree with that.

Royce Morse: Well, thank you for the conversation. I've really enjoyed it.

Debra Richardson: Thank you, Royce. I enjoyed it, as well. Thanks for having me.

Royce Morse: My pleasure.

Grace Chlosta: Thank you so much for listening to the IOFM podcast. Remember to head on over to the Member Forum to discuss today's episode and provide ideas for our next one. And to stay up to date on IOFM's current events, both in-person and virtually, head on over to IOFM.com.

Continuing Education Credits available:

Receive 1 CEU towards IOFM programs:

Receive 1 CEU towards maintaining any AP and P2P related program through IOFM! These programs are designed to establish standards for the profession and recognize accounts payable and procure-to-pay professionals who, by possessing related work experience and passing a comprehensive exam, have met stringent requirements for mastering the financial operations body of knowledge.

Receive 1 CEU towards maintaining any AR and O2C related program through IOFM! These programs are designed to establish standards for the profession and recognize accounts payable and procure-to-pay professionals who, by possessing related work experience and passing a comprehensive exam, have met stringent requirements for mastering the financial operations body of knowledge.
