Social Engineering Fraud & Vendor Management: Friction vs. Risk

by Angela Sarno

VP Marketing

Social Engineering Fraud & Vendor Management: Friction vs. Risk

This article was initially published in March of 2022. We updated it in February 2024 because learning how to prevent social engineering attacks is still a widely sought-after topic.

Social engineering fraud, business email compromise (BEC) fraud and business-to-business payments fraud: three different names, same game.

All are a form of a man-in-the-middle attack, where a fraudster sends an email to an accounts payable person to request a change to the banking credentials in the vendor master to divert a valid vendor payment to a fraudulent bank account. This is the largest source of cybercrime from a monetary standpoint, with the FBI reporting that it cost $50 billion+ in global losses between October 2013 and December 2022 – and it only continues to increase.

To figure out how to prevent social engineering attacks, we brought together three industry experts in a panel discussion, “Social Engineering Fraud & Vendor Management: Friction vs. Risk.”

Joe Hussey, then vice chair at J.P. Morgan, currently senior vice president at Wells Fargo; Rob Unger, senior director for product management and strategic initiatives with Nacha and Thayer Stewart, CEO of PaymentWorks, dissected social engineering fraud and how it plays into the vendor management process and specifically what role the battle between friction and risk plays in finding a solution.

Social Engineering Fraud, A Primer

Top Takeaways on How to Prevent Social Engineering Fraud

#1. Education, Education, Education

#2. Strike a Balance Between Risk and Cost

#3. Put Your Vendors to the Test

How to Prevent Social Engineering Attacks With Automation

– Let vendors own data entry

– Get rid of risky email

– Authenticate Data

Get Ready For Vendor Management Appreciation Day 2024

Want Help Aligning Teams on How to Prevent Social Engineering Attacks?

Interested in Tips On How to Prevent Social Engineering Attacks?

Want Personalized Guidance on How to Prevent Social Engineering Attacks?

Social engineering fraud is a particularly insidious type of fraud. Why? Because when most people hear “fraud,” they often default to an organization’s technological weaknesses. For example, hackers might breach or attack data networks, steal information, and perpetrate fraud. And sure, that’s a threat, but it’s one that has concrete preventative measures.

On the other hand, social engineering fraud takes advantage of human weakness by tricking, fooling, or duping someone into doing something they’re not supposed to do.

Take, for example, the recent case of a finance worker who paid out $25 million after fraudsters using deepfake technology posed as the company’s Chief Financial Officer on a video call — along with several other “members of staff” (more deepfakes) — and asked for a transaction to be completed in secret.

As you can imagine, these types of things makes preventative measures a bit more complex.

Vendor onboarding: the perfect storm

Vendor onboarding is especially prone to social engineering fraud. In many cases, it’s the perfect environment in which to commit this type of fraud. Think about all the risk factors:

Decentralized organizations where multiple teams have their hand in vendor data but perhaps lack the communication and visibility to keep other departments in the loop.
A culture of “circumvent the documented process, cause I am in a hurry” where leadership is known to ask the vendor desk to break the process – or where the vendor desk team simply believes that’s a possibility someone internal would ask this.
A plethora of manual tasks – from entering vendor data to updating vendor data to verifying information – makes it easy for unauthorized changes (and payments) to occur.
Vendor risk that you can’t control: someone’s email gets hacked, and a bad actor asks you to change banking information

No matter how buttoned up you think your operation is, the risk is always there, lurking in the shadows. Listen to the close call from Matt McDonald, Finance Manager and Deputy Treasurer for the City of Vista:

It’s the perfect example of just how vulnerable most organizations are, whether they realize it or not. Even an all-star IT team with best-in-class controls around systems and email environments can only go so far.

If your vendor’s environment isn’t secure, you’re at risk.

So, where do you start in learning how to prevent social engineering attacks? We’ve got you covered!

#1. Education, Education, Education

Fraudsters are getting even more sophisticated (we’re talking next-level stuff like AI voice cloning to scam an organization out of $35 million), and they’re always going to be attacking and probing for weaknesses, which is why it is so important to stay educated.

However, even when employees are educated, best practices are not always followed. This can be the case with “out of band” verifications when it comes to an email request to change bank account information, which is not an easy thing to do if you’ve got hundreds or thousands of suppliers.

According to Rob, “We know from some of our surveys that not everybody verifies that out of band with a phone call. That solution doesn’t always scale.”

Joe utilizes multiple training tools to ensure his staff receives between 10 to 15 hours of fraud-related training each year. He said, “Education is a very difficult thing. It has to be done upfront and then it needs to be done at least annually. Without it, people will forget and will stray away from those standard protocols. Keeping it in front of employees is key.”

So, how can you keep employees engaged? Joe recommends sample testing; sending employees emails to see how they respond. “In this case, we kind of need that level of audit, and I hate to use that word because everyone cringes when you say audit, but that auditing of, ‘Show me your last 50 vendor changes. How did they occur? Show me the steps that were validated in them.’”

#2. Strike a Balance Between Risk and Cost

We know that even with automation, which is the only way to truly prevent fraud, humans will always play a role in the process. Gatekeepers and decision-makers will always play a part. But finding the right balance remains the toughest part of getting it right. Thayer elaborates on the heart of the issue in this clip:

The bottom line seems to be that even with the best internal defense in place, anytime you have an exchange of information, you have an opportunity for fraud. This is why Rob feels that while having policies, adding automation and defining risk tolerance does indeed add pressure to internal personnel who are following the controls and adds customer friction, it’s simply what has to be done.

#3. Put Your Vendors to the Test

When it comes to truly tackling the risk of fraud, Joe states: “Being nimble and being automated is the only way you do this.” So, what should you look for when partnering with a vendor to automate supplier onboarding?

Rob said that it depends on your risk tolerance, your internal policy and how far you want to go, but at minimum, a solution should do the basics in validating name, tax ID, address and managing compliance, and you should re-verify the solution at least annually. Joe takes it a step further and advises his clients to be really careful when selecting a vendor package that’s already attached to something else they bought or purchased. He elaborates in this clip:

This underscores why it is so important to choose a vendor who is committed to evolving to meet the ever-changing needs of organizations in today’s world. Because if there is one thing we’ve established, it is that fraudsters are never going to rest, so neither should your vendor onboarding partner. (BTW, PaymentWorks solves for the automation and goes a step further by assuming the risk for fraudulent payments.)

You can watch the full webinar here.

Let vendors own data entry

Letting vendors own data entry makes a ton of sense logistically. Who is better suited to enter the vendor’s information than…the vendor? Jenn Glassman puts it well:

When you consider all of the details that need to be collected – contact information, address, payment type, and more – it underscores all of the areas where things can go wrong. The old-school way of using a form that someone else fills out is a recipe for disaster.

Between typos, miscommunications, and other data entry errors, it leaves too much to chance. And believe me, when it comes to social engineering fraud, you don’t just want to cross your fingers and hope for the best.

Empowering vendors to own the input of their information also provides them with reassurance that the information is correct, building a foundation of trust.

Get rid of risky email

In the same vein, email is a risk proposition. If your vendor onboarding and change management process relies on email, you’re opening the door to fraud every time you hit send or open an email from your “vendor.”

Again, even legitimate information that you receive from vendors – like an address change request – equals another opportunity to mistype or misenter data.

Worse yet, an email-based vendor onboarding process makes you a prime target for bad actors who know how to take advantage. None of the scenarios are good.

Firstly, you could face the consequences of lackluster vendor security. All it takes is one vendor contact’s email getting hacked, and you’re receiving an email requesting a bank information update. Why wouldn’t you make the change? You’ve confirmed the vendor’s email address, so the logical next step is to fulfill the request. Except neither you nor the vendor realizes the vendor’s email has been compromised until after a payment for hundreds of thousands or millions of dollars is already out the door.

Secondly, you could get a really, really well-crafted email from a spoofed email address that looks legitimate but originates from a fraudster. You think you received an email from the vendor, ronmays@biz.com, but you really received an email from ronrnays@biz.com. Were you able to catch that? Or will you end up approving a request and/or making a change that costs your organization millions?

Authenticate Data

Even if your vendor onboarding process leans heavily on email, there are things you can do to create obstacles for would-be fraudsters.

Authentication is one of those obstacles. When you receive requests, authenticate that the email or phone call is actually coming from the vendor. Confirm email addresses and phone numbers. Require authenticating data.

Debra Richardson puts it succinctly when she talks about using this tactic to get rid of lazy fraudsters:

In an ideal world, this type of authentication happens automatically. With a vendor onboarding platform, for example, vendors would need to sign in and authenticate themselves before making any changes. It takes a whole lot of guesswork out of the equation and ensures that payments are going where they are meant to go.

If the thought of social engineering fraud has you down, we’ve got something to lift your spirits: Vendor Management Appreciation Day (VMAD) continues in 2024!

That’s right, it’s a year-long party aimed at honoring of one of the most critical, under-recognized roles across industries: vendor management.

VMAD is a brand-new holiday geared toward unifying vendor management professionals and celebrating innovation in the field.

We’ve released gifts each month to help you supercharge your vendor management efforts. We’re also planning some awesome events so everyone can connect and celebrate the important, strategic role of vendor management.

Learn more here, and grab some free vendor management goodies.

Explore our blogs below. They’re filled with action items you can implement right away.

How to Prevent Social Engineering: 3 Common Scams Fraudsters Use to Trick Your Employees

Social Engineering Fraud Never Sleeps: 3 Ways to Prevent It

Top Three Takeaways: Social Engineering Fraud and Your Vendor Master – Managing the Risk

Vendor Verification: How NOT to Do it and What to Do Instead

Subscribe to our blog