When we onboard a new customer, I send a packet with payment information including how to direct deposit. It has this information:
- Our routing/account number. We sweep the funds out of this account nearly instantly once the deposits are made. The bank account’s purpose is to accept direct deposits and nothing else. The account number we transmit over the phone so at least it’s less likely to end up sitting in a (compromised) e-mail box.
- Our mailing address, which is a PO Box.
- Some information on invoice scams, including an offer to review any suspicious requests free of charge. A customer takes us up on this every few months… so far we have yet to see one legitimate one.
- A warning to never, ever accept changes for our payment information or mailing address unless told to do so in person by an officer of the company, with a list of the current officers.
- If in doubt, mail a check to the PO Box instead of direct deposit.
- A warning not to trust information sent via email, fax, phone calls (voice changers are a real thing), or from an employee/officer other than the one they usually interact with, and such a change must be confirmed with a phone call to a different officer.
- A recommendation to also contact our local credit union (where we deposit payments from our customers) if they feel something is suspicious.
- We have an internal rule that any change to bank accounts requires a meeting of 3 officers, in person or over the Google Meet we normally use for video calls (no phone calls) with meeting minutes conducted for the change. The change must be unanimous and the change can’t be put in for 30 days unless it’s an emergency. Emergencies must be coordinated with a responsible person at the bank, in person. (Sorry, but this means no fintech etc. type of banks.) We recommend our customers do the same.

The biggest liability is that it would be hard for us to change bank accounts.

We get an attempt on an invoice scam or otherwise every few weeks. So far we haven’t lost a penny of company funds due to fraud.
Options (sms or email)
I wonder how this could have happened...
https://en.wikisource.org/wiki/Manifesto_of_the_Communist_Pa...