Advice From the Vendor Desk: Five Tips to Prevent Business Payments Fraud
How to Avoid Vendor Impersonation Fraud - Straight From the Frontlines of Vendor Management
This post was originally published in March 2022 and has been updated in September 2023 for accuracy and comprehensiveness (and because vendor impersonation fraud does not quit).
It’s a great time to be in vendor management. Automated solutions and emerging technologies are gaining momentum and making everyone’s lives a little easier.
But there’s a flip side. And that is the growing swath of bad actors who have become increasingly sophisticated in their fraud attempts.
Topping the list of sneaky scams is vendor impersonation fraud.
This is when a fraudster poses as a vendor of a company in an attempt to bilk thousands or millions of dollars from that company. How does a bad actor do this? By creating and sending fake invoices. Bad actors can also email an organization saying that they need to make “changes” to their banking and payment details.
Vendor impersonation fraud can manifest in several ways. Let’s look at a couple of examples.
First, a hacker breaches Remote Learning Co.’s system and hacks Jackie Smith’s email account.
Then, posing as Jackie Smith, the hacker sends an email to Little City University, one of RLC’s clients. The hacker states that they want to make updates to payment instructions.
The email asks Little City U to send future payments to a new bank in the Maldives.
At the next invoice due date, Little City U directs payment to the new account at the bank in the Maldives – for $1.2M.
Finally, Little City U becomes (painfully) aware of this error after receiving a phone call from RLC regarding unpaid invoices. Uh oh.
A bad actor sends a letter on fraudulent bank letterhead to Little City U stating that a vendor’s banking information needs to be updated.
Since the letter is a really good fake, the accounting staff makes the updates to the ERP system and pays future invoices according to the fraudulent information.
Then, weeks or even months later, the vendor reaches out concerning unpaid invoices.
No one is immune. Organizations of all sizes around the country continue to be top targets of fraudsters, and everyone talks a lot about ‘being careful’ with vendor onboarding. But how does ‘being careful’ to avoid scams actually manifest in the day-to-day duties carried out by those folks tasked with onboarding new vendors and managing vendor changes?
To find out, we went straight to the source and asked the people who work on the frontlines of vendor management.
Below is their advice for keeping your organization off a fraudster’s target list and out of the headlines!
The great news? Many of these pearls of wisdom could be put into play by your vendor desk person as quickly as today. (75% of you deal with an attempted or actual fraud every year!*)
“Don’t take anything at face value; if in doubt, check it out! Google is my best friend!”
Emma Foster
Former Accounting Department, KFS Vendor Onboarding
University of California, Irvine
Zero trust in emailed information tops the list when it comes to sound advice on ‘being careful’. In fact, in 2022 the FBI reported that nearly $2.7 billion was stolen by business email compromise scams.
Ms. Foster at UCI double checks any submitted information that doesn’t seem to add up, perhaps a new address or phone number. A quick Google search might turn up something that could explain it. But there’s one big caveat to all of you Google searchers. Not everything you see online is what it seems. Searching is a great first step, but it shouldn’t be your only step!
“I would have to say that doing whatever it takes to ensure the information you are gathering is coming from the actual vendor. That used to mean only accepting hand-signed documents when we accepted vendor information, or now, relying on a 3rd party platform to facilitate it.”
Miguel Silva
Contracts and Procurement Analyst
California State University, Monterey Bay
The team at CSUMB used to go to painstaking lengths to verify all incoming vendor information, sometimes using Ms. Foster’s approach, but several years ago turned to a third-party vendor to validate the vendor information on their behalf (that would be us!).
Find a trusted partner to verify vendor information such as phone numbers, addresses, tax ID or banking information. This can go a long way towards bringing peace of mind to the vendor desk, not to mention creating meaningful efficiencies.
“Never take anybody’s information and react to it quickly. If somebody contacts you and needs to change their banking information or anything related to their vendor status, I would recommend taking that information down, collect as much data from that person as you can, a phone number, a valid email address, and then set it aside. Because a lot of times if you react to it, and you’re right in the middle of your normal everyday duties, you can seriously miss something. But if you can set it aside and say, “I’ll be glad to check into that later.” It gives you a chance to pause on it and when you get done with whatever it is you’re doing, you can give it your full undivided attention. In other words: slow down.”
Thomas Nunn
Procurement Officer
Cabarrus County, NC
In other words, speed often leads to mistakes. Mr. Nunn’s advice to not act on any changes when you are distracted is a salient piece of wisdom. Fraudsters almost always use a sense of urgency to get the vendor desk person to miss a detail or not follow protocol.
We cannot stress enough the importance of being wary of urgency; urgency should almost always be a red flag for you. If someone has created the sense that something related to a payment needs to happen right now, you can almost guarantee it’s a fraud attempt. Take Mr. Nunn’s advice and slow down.
Read our case study about the aftermath of a $2.3 million fraud at Cabarrus County, and how the county adapted and improved their process.
“You need to hold your ground when folks want to take shortcuts. We do things for a reason, and we need to protect the university. Some of the decisions that we make are not popular. It’s not supposed to be what’s popular. It’s supposed to be what’s right.”
Wendy Grayauskie
Assistant Director for Procurement
Villanova University
On a related note, sometimes that pressure and urgency can come from within your own organization. Someone in a hurry, or someone who forgot to get the PO moving, will push to have rules ignored “just this one time”.
In 2021, the insurance broker Willis Towers Watson published statistics showing that 74% of financial losses from social engineering were the result of a process not existing or not being followed. While fraudsters often target AP, Finance and Procurement departments, they are not the only targets out there.
Any person at your organization who is dealing directly with a vendor could be a target for social engineering. As Ms. Grayauskie says, you have a procedure for a reason; stick with it. (And if you don’t have a procedure, start now!)
“Use every available source you have to validate submitted info. While BGSU uses a 3rd party for validating submitted info, I do sometimes need to validate items myself. When I do, I use past invoices and PO’s, internal sources who have worked with the vendor before, and, when necessary, I pick up the phone and call the vendor directly – using a phone number that is confirmed to be associated with the business. Sometimes you need to be a detective!”
Lorna Przeslawski
Former Procure to Pay Analyst, Current Purchasing Systems Specialist
Bowling Green State University
Calling vendors to validate information is a time-consuming but great method to have in place. However, it’s worth noting that with so many people working from home, you are likely not reaching the vendor with your outbound phone call.
If the vendor calls you back from a different number than you used to call them, you are right back to the “identity gap” problem. If you cannot authenticate that number as belonging to the vendor, then you cannot really be sure who just called you to verify that bank account change.
Unfortunately, even when following all the best advice, it is impossible to ensure that employees will never be accidentally deceived by fraudsters who know how to fool even the best-intentioned employee into believing they are dealing with their actual vendor.
Leaders are beginning to understand that asking their people to “be more careful” – and not taking other, more meaningful steps to secure their process – is an invitation for a potentially costly mistake, not to mention a recipe for chronic sleep loss for the people who are given that responsibility.
*Association for Financial Professionals Payments Fraud and Control Survey 2021
Those on the frontlines of vendor management can offer a treasure trove of helpful insights – and we think this should be celebrated.
We’re pushing the importance of vendor management to the forefront with our newly-minted holiday, Vendor Management Appreciation Day (VMAD).
VMAD is a brand-new holiday geared toward unifying vendor management professionals and celebrating innovation in the field.
We’re ramping up the celebration by releasing valuable vendor management tools and templates each month, and we think you should join the party.
Learn more here, and grab some free vendor management goodies.