Vendor Impersonation Fraud: Takeaways and Tips from TMANY 2022

Last week, I had the honor of presenting on vendor impersonation fraud at the TMANY 2022 Cash Exchange Conference alongside Christopher Arehart, SVP, First Party Product Manager, North America Financial Lines at Chubb.

We had one hour to share with treasury professionals everything we wanted them to know about vendor impersonation scams. Mainly, that included some hard truths about vendor impersonation fraud, such as…

Why vendor impersonators are successful in carrying out business payments fraud.
Why vendor impersonation scams aren’t covered by insurance, meaning your organization loses actual dollars.
How to address organizational risk in the vendor onboarding and management process.

For the record, Chris and I could easily speak for a solid six hours on this subject, so it was a tall order to fit it into 60 minutes.

Our session at TMANY was exceptional, if I do say so. But I also recognize that not everyone could attend. If that’s the case for you, or if you attended and would like a refresher, this blog will be helpful.

Below are the top three takeaways that you should know about vendor impersonation fraud. Take these learnings back to your team and begin to implement changes that make sense for your organization.

At the very least, let these takeaways make your team more aware of the bad actors targeting you.

#1: A Good Vendor Impersonation Scam Will Be Impossible For Your Staff to Spot

#2: Social Engineering Losses are Not Covered by Crime or Cyber Insurance

#3: If you Can’t Audit Your Vendor Onboarding and Change Process, It’s Not a Process and Not Insurable

Want More Insight into Vendor Impersonation Fraud?

Want Personalized Guidance on Your Vendor Management Strategy?

#1: A Good Vendor Impersonation Scam Will be Impossible for Your Staff to Spot.

Consider fully what you are asking your staff to do when you train them on vendor impersonation scams.

Ask yourself this question: “Did I hire these people to be forensic accounting detectives?”

These fraudsters are not amateurs. Rather, they commit business payments fraud for a living. They are sophisticated, patient, and know which points in the process are susceptible to pressure.

At PaymentWorks, we’ve seen time and time again organizations making their vendor management staff responsible for spotting and stopping vendor impersonation scams. In other words, they try to make their staff be those forensic accounting detectives.

This puts an inordinate amount of organizational risk on their shoulders.

Chris did the math during the TMANY session. He calculated that a single mistake averages a quarter of a million dollars in stolen funds for an organization.

I promise you that someone on your staff is losing sleep right now worrying about making that single mistake.

“You can have the best front door in the world, but if the other side is compromised, there is nothing, and I mean nothing, that can spot a real email [that] just has bad information in it.” – Christopher Arehart, Chubb

At the risk of being provocative, here’s what I believe. The actual goal of all of the hoops, training, and stress your staff goes through is not about validating or verifying bank account ownership.

You’re actually sending this message to your staff: “Do not lose money to a fraudster.” That’s a good message. But here’s the thing. Your staff probably still will end up losing money to a fraudster. With a single mistake.

Why? Because your current ad hoc validation or verification methods make it easy for a fraudster to go unnoticed.

So what should you do to stop overwhelming your staff and protect your business? Transfer the risk off of the organization.

That’s something that PaymentWorks does. Short of offloading this risk, your process and your people will have to bear the stress.

Or, if they are, they have very low limits.

Vendor impersonation scams fall into a no man’s land between coverage by crime policies and coverage by cyber policies. They typically result in losses. This is not because your organization was hacked. Rather, it’s because your vendor’s organization was hacked, and your cyber policy will not cover this.

And since your employee did not do anything wrong (on purpose), aka, no employee malfeasance, your crime policy will not kick in.

Social engineering losses generally need to be called out specifically in your policy to qualify for coverage.

Check in with your risk folks. Find out whether your current coverage includes when an employee gets tricked, and if so, how much it covers. It might not be much.

“Our insureds have suffered nearly $140M in losses since 2017. The vast amount of this is uninsured. There is not a lot of insurance in this space. When you consider $43B [in losses], there isn’t enough capital in the marketplace to cover these types of losses.” Christopher Arehart, Chubb

#3: If You Cannot Audit your Vendor Onboarding and Change Process, It’s Not Actually a Process…and It’s Likely Not Insurable

In the summer of 2021, a small town in NH fell victim to three vendor impersonation scams in four weeks. THREE!

The postmortem on these events uncovered that the vendor onboarding and change process was not followed in any one of these instances. And the folks who created the process had no idea.

The thing happened in Albuquerque. In this instance, three different employees were involved in not following the process. I could link a dozen more articles here, but I think you get the point.

Takeaway #1 about these scams being impossible to spot is true. But when the process to actually spot them is in place and no one is doing it is problem as well. Failing to follow the process will not go over well with your insurance carrier when you file a claim.

“Underwriters want to see details. They want to see your actual procedure and how it is audited. The most important question in my mind is: do you attempt to verify changes to vendor information by a phone call to a number that’s known ahead of the change, and can you prove you did this?” – Christopher Arehart, Chubb

It’s scary stuff, yes. Especially for the humans standing guard over your vendor file. Most of them, even the ones not necessarily following the process, are just trying to be good soldiers.

They are trying to move quickly to keep your organization running smoothly. They are trying their very best to serve the team’s goals. If it’s this easy not to follow your process, or for staff to make an honest mistake, it’s time to start from the beginning.

It’s time to ask yourself and your team: “What are we trying to accomplish with our training, process, and tools?” And perhaps more importantly, ask, “Is this training working? How can I prove that it’s working?”