Cabarrus County: Immediate- and Long-Term Risk Mitigation After a $2.5M Scam
Immediate- and Long-Term Risk Mitigation With PaymentWorks After a $2.5M Scam
Vendor Email Compromise. Business Email Compromise. Vendor Impersonation.
They’re all stepping stones to a social engineering scam designed to trick someone on your staff into changing vendor bank account details.
And they can all have significant, negative financial impacts.
Worried about how vendor email compromise might impact your business? Keep reading.
Cabarrus County learned this lesson the hard way when they fell victim to a $2.5M scam.
Although nearly 71% of organizations reported being targeted for these types of scams in 2021, it’s very rare that a victim will share the details so that others may learn.
This case study is a rare glimpse into the operational and emotional toll this event had on the employees of the county.
In this case study, key members of the affected team walk us through:
It’s easy to look at the phrase “vendor email compromise” (or business email compromise or CEO fraud) and think, “That sounds far-fetched; it will never happen to me.”
I can assure you that both of those statements are false.
Let’s start with “it’s far-fetched.” It’s really not. Vendor email compromise is a fraudster disguising themselves as your vendor via that vendor’s email and betting that they can outwit you or someone on your team during a very complex process that often has gaps and lacks fail-safes.
No cyber-defense tools exist to alert your staff that this is a real email with bad info inside of it. So, there’s a very good chance that the bad guys can dupe you. And it could cost your organization millions of dollars.
Here’s the thing: it’s not a reflection on you and your abilities. It’s actually a signal that the organization lacks documented processes – or has a culture that permits exceptions to those processes.
And honestly, even organizations that don’t have those issues can still fall prey. Just ask Cabarrus County Deputy County Manager, Rodney Harris, about how their team was doing everything by the book when disaster struck:
Then, there’s the idea that “it will never happen to me.” The truth? It can happen to anybody, even the government, as you’ll see when you read the case study.
And everyone is a potential target.
Remember when we said vendor email compromise isn’t as far-fetched as you think? Cabarrus County School System knows this firsthand. In 2018, they received an email from what seemed to be a construction vendor. The email was a simple request to update the banking information on record.
I bet you get requests like that all the time, yes?
So Cabarrus County did exactly what you would probably do in that situation: it went through the process for that type of request. It was forwarded to the finance department, which then submitted a request for the “vendor” to complete an EFT form. To be clear, that also meant including banking documentation on bank letterhead.
All expected actions. All seemingly legitimate.
After the paperwork was completed and approved, the change was made within the financial system where vendor records were stored. Then, a few days later, a payment of $2.5 million was made to that bank account.
All good, right?
Wrong.
This was not business as usual. This was fraud at its finest to the tune of $2.5 million. Put simply, it was the greatest dupe ever.
What’s more, the story doesn’t stop there. The real construction vendor reached out not long after to inquire about the status of its payments. Ouch.
Are your hackles raised? Can you empathize with the feelings of the person who received that inquiry? Eyes wide, palms sweating. The dark clouds start to set in alongside the realization that something is amiss. Someone made a mistake. The original vendor request was not made by the real vendor.
Then, the real fun began. The county contacted law enforcement and put a stop to most EFT payments. Vendor files were reviewed, and banking details were re-validated. It was an all-hands-on-deck situation where solving this issue became a priority, and business as usual (and all the daily tasks that the business relies on) became secondary.
The good news? The county recovered some of the money – $780,000, to be exact. But that left $1.8 million unaccounted for. That money was never recovered. Instead, the county used an emergency fund to shore up resources and cover the difference.
And that is how a very simple email can cause a seven-figure problem in a matter of minutes.
Remember, vendor email compromise can happen to anyone, and the results can be catastrophic. If you want to avoid it happening to you, consider using some of the tips below:
If your company culture yields to leadership’s every request – even when it breaks protocol – it’s time for a change. You’re at serious risk.
The vendor desk should document processes and workflows for vendor onboarding (not sure how? Use this template.). This helps your team run a tight ship while also making the case that you have a protocol in place to guard against fraud (insurance companies love this, FYI). It’s also a great jumping-off point for important conversations about procedures and change management.
Oftentimes, the biggest risks are a result of company culture. For example, if you’re part of an organization where people expect to be asked to break the rules, you’re at risk. To manage this risk, document each case where you’re asked to make an exception (again, we have a handy template for that here.). This can help your team become more strategic – and make the case to leadership about why your vendor management processes and strategy need to be improved.
If you couldn’t tell, we’re big fans of writing things down here. Compliance is no different. Map out a compliance framework (look at that, another template for you here) for your vendor onboarding processes that you can follow and refine over time.
Cabarrus County decided that the best path forward was an automated one. Rather than mitigating the risk of falling for another vendor email compromise fraud, they wanted to eliminate the risk. By leveraging PaymentWorks, each vendor is thoroughly vetted through a proprietary onboarding system. Once PaymentWorks says it’s OK to pay, any ACH risk associated with the vendor’s bank account becomes a PaymentWorks problem. And Cabarrus employees sleep better as a result.
Check out the story of Cabarrus’ move to 100% ACH payments below:
PaymentWorks is the foundation of vendor master data and helps organizations of all kinds automate vendor onboarding. The PaymentWorks platform provides customers with the data for secure, compliant, and optimized business payments.
Featuring the industry’s only payments security warranty for fraudulent payments (yes, we take the risk off of your plate!) and a network of tier one partners, PaymentWorks enables customers in healthcare, higher education, K-12, state and local government, enterprise and more to capitalize on the opportunity to digitize the payments process while reducing risk, controlling costs and earning revenue.
There are no tools, and no training, to alert your staff when your vendor’s email has been compromised. The only solution to this risk is to offload it to PaymentWorks.
To learn more about how we do it and the partners we work with, visit our website, check out our news, or listen to our podcast, “Risky Business”.