Got scammed and Employer called me stupid

[FidoO5]

Made a massive error at work
I pay suppliers. We had new supplier who emailed to change bank details from original bank details. We usually phone supplier to confirm but it was over and back for a while and it was getting urgent.
I asked them to confirm new details and I sent the payment.
later it was discovered by the original supplier while on phone to buyer that they did not request to be sent to new bank.
My Employer was notified by the buyer and employer said how could you be so stupid.
I broke down and cried when I came off the phone.
I was able to recall the payment but now have to worry about what Employer will do tomorrow. I understand he was angry and annoyed but I am doing Accounts for 35 years so don't think I'm stupid.
I fell for a scam.
Don't know what point off my post is only getting it it in a note makes it helpful
What should I say to Employer tomorrow
If I say yes I made an error his answer is that is not a good enough answer.

If it is the buyer who calls to check bank details that’s not a great control as it doesn’t guard against collusion between the buyer and the supplier or a buyer setting up a fake supplier- collusion with accounts also possible but less likely as would be harder to approve the purchase without a budget to allocate to. It’s usually finance who call the supplier via their switchboard number to confirm bank details.

It’s not op’s job to do that. This to me is a procedures issue.

This is such a well known scam by now, that if anyone in your team fell for it - particularly someone with a lot of experience - then there is an issue with the procedure and training.
You should suggest to your boss a review and update of the SOP on payment management (if you don't have an SOP, suggest to write one).

Change in banking details should absolutely be confirmed before payment, ideally using the 4 eyes principles (meaning that 2 individual are involved in the review, e.g. 1 call the supplier to confirm the new details, and a 1 signoff internally that the new details are correct).

This is a well known scam and you should have followed procedure for the change of details. Unfortunately this is totally on you and your employer is right to be annoyed.

Has your boss provided cyber security training? We have to do it and one key thing we are taught is that emailed changes to account/payment details should always be confirmed with a phone call. If your boss hasn't given you that training then he's the stupid one

Why can't you accept that you were stupid? You're very lucky they got the money back. I think you got off very lightly if all you get from sending £57k to a scammer is called stupid tbh. I would be hoping you don't lose your job.

I will not drop anyone else in
A stupid position to take. You correctly inform them of the steps that lead to the error. This isn’t the time for some moral stand / martyr complex.

We have all made mistakes at work, we are only human. You need to go into damage limitation mode if you want to keep your job.

I fid my cyber security annual refresher yesterday. This is literally the playback "create urgency" part of phishing.

You are lucky not to have git your marching orders OO. I would have if I'd done that.

Procedures are there for a reason

No payment cannot wait 24 hours if you are unsure. Phone verification should always be done using the number on Google not anything on documents that have come in by email.

I would suggest an improvement to the process where there is a form detailing the checks done and you don't update the system until you have received that signed form.

Well Op has only added that rather important detail later, so many of the replies will be based on her original op

It was stupid mistake, but you are not stupid. Careless in that instance. You won't make that mistake again.

In my business I treat mistakes as an opportunity to refine operational protocols. Especially as scams against businesses are rife.

My company debit card was held with a few suppliers. I noticed that someone had used it to pay off a loan once. Presumably hoping the payment would get lost in amongst all the other high value transactions. Can only be a staff member at one of my suppliers.

As soon as the bank refunded the money I cancelled the card and only give out an Amex now.

Take a deep breath.

Write down the process step by step.

Write down everything that happened.

Point out where you and others did not follow the process.

Apologise for your part in the problem.

Don’t take responsibility for the mistakes of other people or for a poor process. Sounds like you were not the only person in the wrong.

Suggest solutions.

He should not have called you stupid. You should have the experience and the confidence to stick to the process even when a colleague is pressuring you.

All the best for today.

Even if it’s somebody else’s job to do that surely the person doing the calls has to confirm with the people making the payments it’s ok to do so
so whilst OP doesn’t make the calls surely she has to have confirmation of the people who do that the check has been done before she proceed
so OP knows these checks are done but didn’t find out if it had been done

the blame is still on OP

I’m sorry, but we would’ve fired you for that. You’re lucky if you still got your job never mind. Just called stupid.
You won’t be able to recall the money it’ll be gone

Double authorisation in this kind of case isn't enough. You need specifically to contact the supplier using the phone number recorded for them in your system and to speak to someone there to verify the bank details. The process needs to be much more detailed and precise.

It’s more common than you think, like someone else said your company may have cyber insurance and should offer regular training to employees as a condition of this insurance

An email changing bank details is exactly the kind of scam people are / should be aware of

OP didn't confirm by phone. Again, a common precaution that people are / should be aware of

This wasn't a sophisticated scam

OP, I'm glad you were able to recall the payment

She didn’t follow procedure which is the entire reason the scam worked. She ignored procedure.

He was really out of order calling you stupid but surely you need to take it on the chin for not calling them to check it was legit ?

My understanding from the OP’s post is that it was not her responsibility to make the confirmation phone call, it was the buyers. Her responsibility was to check the buyer had made the call. So while she is not blameless, she is one of at least two people responsible for this failure. She should not have buckled under pressure from her colleague or the scammer but she did successfully recall the payment and should be acknowledged for that.

Did you even read the OP?

Op if your follow up post is the actual process - you absolutely need to tell your boss who didn’t make call when they’re supposed to do so. Choosing not to dump on someone could literally cost you your job. If you’ve explained the situation to your boss as you first did to us - though of course they should know the process - it does make you look stupid. If the Canadian team are actually responsible because of time zone issues then you need to document exactly where the process fell down.

Send that email so it’s with your boss when they come online this morning!

OP, I think be confident and upfront with your boss about it.

Say you made an error and you have gone over the whole communication that led to this and identified the exact moment you could have stopped, but realise that that is exactly where the scammers put the pressure on.

Include the communication with the colleague. NOT in the spirit of ‘it wasn’t my fault’ or trying to evade responsibility but as a factor in how pressure built. The time zones and people being busy are relevant in the build up of pressure and it may be there needs to be a contingency built into the process.

Take responsibility, show you have analysed how it happened (I would have a bullet point timeline of all Acton’s and communications during the process, including with colleague - it’s not his fault he was bushy!) and how you will not let this happen again. With suggestions about the process if appropriate.

Good luck!

You have to send those emails to your boss/your IT team, if the pressure was coming from the 'buyer' and 'admin' in your company and they were avoiding answering a question about whether the bank details have been verbally confirmed it may be that their accounts have been compromised. It sounds like you didn't follow a procedure under pressure from colleagues to move forward on a change of details, which either is part of the scam or your company needs to be aware that creating pressure like that for supplier set ups is risky because it can lead to processes being bypassed

Clearly the buyer is happy to drop you into it, so why wouldn't you do the same in return? It's the buyer that either fell for the scam, or he's involved in the scam himself.

Alternatively the buyer and admin email addresses have been hacked. They need to get IT involved.