Managing the identity information for vendor onboarding and maintenance is extremely challenging (and costly!).
Most large organizations receive, update and manage these myriad "Identity Elements" for thousands of new and existing payees each year, a process rife with opportunities for a fraudster to exploit.
This risk is real. Fraudsters have evolved well beyond the “Nigerian Prince” scam of years past. They are focused. They are detailed. And they are very, very patient, often lying in wait for months before they make a play to steal your funds.
How Do They Strike?
Some popular (and successful) scams have looked like this:
SCAM I: The Spoof
A fraudster drives by your location and sees the ACME Plumbing van parked in front. Now aware that your company is doing business with ACME Plumbing, the fraudster does a quick search of the company’s website and LinkedIn to find employee names. (1)
Next, (2) the fraudster sends an email to your AP department from marty.jones@acme-plumbing.com requesting a change to the previously supplied banking information. In this email the fraudster even comments on what the weather was like the day they were on site for the work, giving the email a level of authenticity and realness.
emails to ask about payment. That single hyphen (3) in the fraudster’s email was the giveaway that you were not dealing with the real Marty Jones!
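The single-hyphen giveaway above is exactly the kind of check that can be automated before a banking-change request ever reaches a human. The following is an added example, not code from the original article: it compares the sender domain of a request against the vendor's domain of record and refuses the change unless they match exactly. The vendor master data and the domain on record for Acme Plumbing (acmeplumbing.com) are constructed assumptions, since the article never states the real domain.

```python
import re
from difflib import SequenceMatcher

# Constructed vendor master: vendor name -> sending domain on record.
# "acmeplumbing.com" is an assumed value; the article does not give the real one.
VENDOR_DOMAINS = {
    "acme plumbing": "acmeplumbing.com",
}


def normalize(domain: str) -> str:
    """Drop separators and case so 'acme-plumbing.com' and 'AcmePlumbing.com' compare equal."""
    return re.sub(r"[-_.]", "", domain.lower())


def classify_sender(sender: str, vendor: str) -> str:
    """Classify a sender address that claims to come from `vendor`.

    Returns 'match' (exact domain of record), 'lookalike' (differs only by
    separators, case or a small edit, e.g. the extra hyphen in the spoof),
    'unknown' (unrelated domain) or 'no_vendor_on_file' (vendor never onboarded,
    the Scam V case: nothing to verify against, so nothing should be paid).
    """
    on_file = VENDOR_DOMAINS.get(vendor.lower())
    if on_file is None:
        return "no_vendor_on_file"
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain == on_file:
        return "match"
    if normalize(domain) == normalize(on_file):
        return "lookalike"
    # Catch one-character swaps such as a digit 1 for the letter l.
    if SequenceMatcher(None, domain, on_file).ratio() >= 0.85:
        return "lookalike"
    return "unknown"


def allow_bank_change(sender: str, vendor: str) -> dict:
    """Gate a banking-detail change request.

    Only an exact-match domain is accepted for further processing, and even then
    the change still requires an out-of-band callback to the number on file,
    because a genuinely compromised vendor mailbox (Scam II) passes this check.
    """
    verdict = classify_sender(sender, vendor)
    return {"accepted": verdict == "match", "verdict": verdict, "callback_required": True}
```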
While the spoof fraudsters took the time to get some details right, in the end they could have easily been spotted with some rudimentary checks put in place. With a vendor email compromise, fraudsters are quite a bit more sophisticated.
It begins by actually infiltrating your vendor’s email (1), usually by way of malware: getting an employee at Acme Plumbing to inadvertently click on a link that grants the fraudster the ability to access and control the email accounts of certain (or all!) employees at Acme.
These types of fraudsters are usually quite patient. They take their time and read through emails, particularly focused on customer communications and billing inquiries. When they have gathered enough information, and know the timing of when a big invoice is due to be paid, they strike, almost always adding an additional touch of urgency. (2)
Everything about this email seems perfectly legit. The name and address match those you have been corresponding with all along. The attached invoice is identical. There is very little, if anything, to indicate this email is not from Marty Jones at Acme Plumbing.
Taking it further, a fraudster may also opt to add authenticity by following up on a previous correspondence. (3)
You will rarely have cause to doubt this correspondence, in particular if your organization relies on email as a primary source of authentic, verifiable information. The fraudster’s invoice and late fee knowledge, coupled with the email being a response to a previous thread are usually enough to push through a $47,000 payment to the wrong bank account.
SCAM III: The Business Email Compromise
There are plenty of accounts payable staff with training in how to spot fraudulent attempts, and with processes in place to verify banking changes, but when relying on humans as a defense, it only takes one moment of human-ness to cost your company dearly.
One of the most effective means of stealing funds is to have the direction come from within one's own company.
In these cases, much like with vendor email compromise, a fraudster gains access to a company’s email system by getting an unwitting employee to click on a link. Once they have access, they watch and wait. When they see a big vendor payment coming due, they strike, as always, adding specific and significant real details to sell the fraud. (1)
Everyone at the firm likely got an email from the CEO letting them know she would be out for the holiday weekend, and that she could only be reached by email. Everyone also likely knows about her house in the mountains. What we have now is an AP staff member who might know that doing this breaks protocol on the vendor setup and account verification process, but the CEO is asking, and making it not only real, but also really urgent to comply.
SCAM IV: The “Deep Fake” Phone Call
Artificial Intelligence (AI) has arrived as a tool that is starting to gain traction with criminals. In 2019, we all learned about the first big heist using AI to mimic the voice of a company's CEO on a phone call. The fraudster successfully mimicked the real CEO’s voice in a call to an employee, and was able to direct the employee to immediately transfer funds to a new supplier. Very few employees would question such a call, leaving a huge potential fraud vector for criminals to exploit. If you do not currently have the proper controls in place for an employee to rely on when he or she gets an unexpected call with directions like this, your funds are in danger of being stolen.
Deep Fake: synthetic media in which a person in an existing image, audio recording or video is replaced with someone else's voice or likeness.
SCAM V: The Fake Invoice
Perhaps the oldest trick in the book, the fake invoice is still proving to be surprisingly effective at organizations with lax controls for vendor onboarding. Typically a fraudster will send a fake invoice for a fake company having done fake work, and the invoice gets paid. It’s that simple, at least at an organization where invoices are paid out prior to a vendor’s credentials being vetted and a PO being issued, or where existing processes regarding onboarding are simply not followed. In 2019, Google and Facebook lost a combined $100M to the same fraudster using this method. They each paid out multiple invoices over a period of months to the same fake company. No one is immune!
What You Can Do About It
Vendor Invitations and Approvals
Start at the foundation of your vendor onboarding process: inventory who at your organization currently can initiate business with a new vendor, and document (or revisit the documentation regarding) controls in place for adding new vendors.
Questions to answer:
- Do people at your company have free rein to determine who they want to do business with?
- Do you have controls in place to limit the number of vendors you do business with in a particular vertical, for example: how many different office supply vendors do you use?
- Do you have controls in place regarding inviting or approving new vendors?
- Can business be initiated prior to an approval and onboarding of the vendor?
- Is your process followed?
Social Engineering: the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Re-Examine Your Existing Controls
You likely already have controls in place that prevent a single person from adding and approving new vendor information and invoices. We challenge you to re-examine these controls to determine fraud vectors that could be exploited by bad actors, both inside and outside your company walls. This examination should be done with regularity as new fraud vectors can be discovered and exploited at any time.
Fraud Vector: a path or a means by which a fraudster is able to exploit system or process vulnerabilities, including human ones, in an effort to divert funds; in other words, an open door to steal your money.
Questions to answer:
- Who specifically, or which department, owns the vendor onboarding process?
- Are those owners responsible for gathering the required vendor identity credentials such as W9s, Tax IDs and insurance documents, or does that fall to individual departments?
- Are those responsible trained to spot obvious fraud attempts, fakes and forgeries?
- Are those responsible trained in detecting social engineering attempts?
- Do you have controls in place regarding who has access to vendor identity details?
- Do you have controls in place regarding who has access to changing vendor identity details?
- Do you have controls in place for the minimal acceptable standard for changing existing vendor identity elements?
- Are you using 3rd party partners to verify the authenticity of the submitted credentials?
Have an Audit Trail
Too often after a payments fraud, or even an attempted payments fraud, companies are stuck trying to piece together what exactly happened: who approved this vendor, when did the change come in, how was it communicated?
Questions to answer:
- Can you clearly chart the vendor onboarding process, including who invited and who approved the new vendor?
- If approvals are needed from myriad departments (conflict of interest from HR, sanctions alerts from compliance, insurance documentation from risk), are the approvals time stamped, collected and stored in a centralized location?
- Are you collecting and storing the required vendor identity documentation with expiration date notifications in place?
Verify ALL Identity Elements Before Accepting Them Into the ERP
Examine your process for when a vendor submits their tax ID, remit address and banking details, and, perhaps more importantly, when an existing vendor updates these identity elements. Changes to banking details are the number one entry point for payments fraud attempts. This is a critical item to verify.
Of all of the ways you can shore up your payments fraud protection, this is likely the most critical area in which to invest in 3rd party partnerships.
Questions to answer:
- Are you verifying tax IDs?
- Do you require verifiable documentation of a vendor’s remit address?
- Do you confirm bank account ownership and validity before making a payment?
Of note, many platforms out there will confirm that a bank account exists, but they do not necessarily confirm the ownership of that bank account. Make sure you understand what you are signing up for in a partner.
Insure Against Losses
Finally, despite all of your best efforts, you should still be prepared in the event your organization does fall victim to business payments fraud. Even the best laid plans are subject to human error, unforeseen circumstances and unseen vulnerabilities.
Questions to answer:
- Does your risk or cybersecurity or crime insurance policy cover losses due to email compromise?
- Does your risk or cybersecurity or crime insurance policy cover losses due to human error?
- Do you have a reserve fund set aside in case of a payments fraud that will cover anticipated losses so you do not have to cut critical budget items elsewhere?
You can download a pdf of these five focus areas and the associated questions here:
When you have all five of these elements in place:
- Vendor invitations and approvals
- Regular examinations of your existing controls
- An audit trail
- Identity element verification
- Insurance
you can begin to have peace of mind that your previously existing fraud vectors have all been sealed off. Even so, you should regularly audit your entire process start to finish to apply new learnings and root out previously unforeseen vulnerabilities.
These sorts of efforts take time, resources and a collective agreement that payments fraud protection is a key objective of your finance department. If that hill seems too steep to climb, there are three key things you can do right now to fortify your defenses. Follow our simple plan and have an impact in less than 30 days.