Free Guide: Business Payments Fraud- Risk Assessment, Fraud Vectors and Prevention
A free guide from PaymentWorks detailing social engineering scams, why they succeed, and what you can do about it today.
Managing the identity information for vendor onboarding and maintenance is extremely challenging (and costly!).
Most large organizations receive, update and manage these myriad “Identity Elements” for thousands of new and existing payees each year, a process rife with opportunities for a fraudster to exploit.
This risk is real. Fraudsters have evolved way beyond the “Nigerian Prince” scandal of years past. They are focused. They are detailed. And they are very, very patient, often lying in wait for months before they make a play to steal your funds.
How Do They Strike?
SCAM I: The Spoof
A fraudster drives by your location and sees the ACME Plumbing van parked in front. Now aware that your company is doing business with ACME Plumbing the fraudster does a quick search of the company’s website and LinkedIn to find employee names (1)
Next, (2) the fraudster sends an email to your AP department from marty.jones@acme-plumbing.com requesting a change on the previously supplied banking information. In this email the fraudster even comments on what the weather was like the day they were on site for the work, giving the email a level vel of authenticity and real-ness.
Your AP staff check- yes they have been in correspondence with Marty Jones before, they know he works at ACME Plumbing, so they make the change. The next invoice due gets paid to the fraudster’s account. Your AP staff likely only become aware when the REAL Marty Jones, at marty.jones@acmeplumbing.com emails to ask about payment. That single hyphen (3) in the fraudster’s email was the giveaway that you were not dealing with the real Marty Jones!
SCAM II: Vendor Email Compromise
While the spoof fraudsters took the time to get some details right, in the end they could have easily been spotted with some rudimentary checks put in place. With a vendor email compromise, fraudsters are quite a bit more sophisticated.
It begins by actually infiltrating your vendor’s email (1), usually by way of malware- getting an employee at Acme Plumbing to inadvertently click on a link that grants the fraudster the ability to access and control the email accounts of certain (or all!) employees at Acme.
These types of fraudsters are usually quite patient. They take their time and read through emails, particularly focused on customer communications and billing inquiries. When they have gathered enough information, and have the timing to know when a big invoice is due to be paid, they strike, almost always adding an additional touch of urgency. (2)
SCAM III: The Business Email Compromise
There are plenty of accounts payable staff with training in how to spot fraudulent attempts, and with processes in place to verify banking changes, but when relying on humans as a defense, it only takes one moment of human-ness to cost your company dearly.
One of the most effective means of stealing funds is to have the direction come from within one’s own company.
In these cases, much like with vendor email compromise, a fraudster gains access to a company’s email system by getting an unwitting employee to click on a link. Once they have access, they watch and wait. When they see a big vendor payment coming due, they strike, as always, adding specific and significant real details to sell the fraud. (1)
Everyone at the firm likely got an email from the CEO letting them know she would be out for the holiday weekend, and that she could only be reached by email. Everyone also likely knows about her house in the mountains. What we have now is an AP staff who might know that to do this is breaking protocol on the vendor set up and account verification process, but the CEO is asking, and making it not only real, but also really urgent to comply.
BEC scams require more time and effort for the criminal, but they’re often more personal and look more convincing to the victim— and as a result, they can yield more profit for the scammer.
— FBI Internet Crime Complaint center
SCAM IV: The “Deep Fake” Phone Call
Artificial Intelligence (AI) has arrived as a tool recently starting to gain traction with criminals. In 2019, we all learned about the first big heist using AI to mimic the voice of a company’s CEO on a phone call. The fraudster successfully mimicked the real CEO’s voice in a call to an employee, and was able to direct the employee to immediately transfer funds to a new supplier. Very few employees would question such a call, leaving a huge potential fraud vector for criminals to exploit. If you are currently without the proper controls in place for an employee to rely on when he or she gets an unexpected call with directions like this, your funds are in danger of being stolen.
Deep Fake: synthetic media in which a person in an existing image, audio recording or video is replaced with someone else’s voice or likeness
SCAM V: The Fake Invoice
Perhaps the oldest trick in the book, the fake invoice still is proving to be surprisingly effective at organizations with lax controls for vendor onboarding. Typically a fraudster will send a fake invoice for a fake company having done fake work, and the invoice gets paid. It’s that simple- at least at an organization where invoices are paid out prior to a vendor’s credentials being vetted and a PO being issued, or where existing processes regarding onboarding are simply not followed. In 2019, Google and Facebook lost a combined $100M to the same fraudster using this method. They each paid out multiple invoices over a period of months to the same fake company. No one is immune!
What You Can Do About It
1.
Vendor Invitations and Approvals
Start at the foundation of your vendor onboarding process: inventory who at your organization currently can initiate business with a new vendor, and document (or revisit the documentation regarding) controls in place for adding new vendors.
Questions to answer:
- Do people at your company have free rein to determine who they want to do business with?
- Do you have controls in place to limit the number of vendors you do business with in a particular vertical, for example: how many different office supply vendors do you use?
- Do you have controls in place regarding inviting or approving new vendors?
- Can business be initiated prior to an approval and onboarding of the vendor?
- Is your process followed?
Social Engineering: the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes
2.
Re-Examine Your Existing Controls
You likely already have controls in place that prevent a single person from adding and approving new vendor information and invoices. We challenge you to re-examine these controls to determine fraud vectors that could be exploited by bad actors, both inside and outside your company walls. This examination should be done with regularity as new fraud vectors can be discovered and exploited at any time.
Questions to answer:
- Who specifically, or which department, owns the vendor onboarding process?
- Are those owners responsible for gathering the required vendor identity credentials such as W9, Tax IDs, insurance documents, or does that fall to departments?
- Are those responsible trained to spot obvious fraud attempts, fakes and forgeries?
- Are those responsible trained in detecting social engineering attempts?
- Do you have controls in place regarding who has access to vendor identity details?
- Do you have controls in place regarding who has access to changing vendor identity details?
- Do you have controls in place for the minimal acceptable standard for changing existing vendor identity elements?
- Are you using 3rd party partners to verify the authenticity of the submitted credentials?
Fraud Vector: a path or a means by which a fraudster is able to exploit a system or process vulnerabilities, including human ones, in an effort to divert funds, aka: an open door to steal your money.
3.
Have an Audit Trail
Too often after a payments fraud, or even an attempted payments fraud, companies are often stuck trying to piece together what exactly happened: who approved this vendor, when did the change come in, how was it communicated?
Questions to answer:
- Can you clearly chart the vendor onboarding process, including who invited and who approved the new vendor?
- If approvals are needed from myriad departments (conflict of interest from HR, sanctions alerts from compliance, insurance documentation from risk), are the approvals time stamped, collected and stored in a centralized location?
- Are you collecting and storing the required vendor identity documentation with expiration date notifications in place?
4.
Have an Audit Trail
Examine your process for when a vendor submits their tax id, remit address and banking details, and, perhaps more importantly, when an existing vendor updates these identity elements. Changes to banking details is the number one fraud vector entry point for payments fraud attempts. This is a critical item to verify.
Of all of the ways you can shore up for increased payments fraud protection, this is likely the most critical area to invest in 3rd party partnerships.
Questions to answer:
- Are you verifying tax ids?
- Do you require verifiable documentation of a vendor’s remit address?
- Do you confirm bank account ownership and validity before making a payment?
Of note, many platforms out there will confirm that a bank account exists, but they do not necessarily confirm the ownership of that bank account. Make sure you understand what you are signing up for in a partner.
5.
Insure Against Losses
Finally, despite all of your best efforts, you should still be prepared in the event your organization does fall victim to business payments fraud. Even the best laid plans are subject to human error, unforeseen circumstances and unseen vulnerabilities.
Questions to answer:
- Does your risk or cybersecurity or crime insurance policy cover losses due to email compromise?
- Does your risk or cybersecurity or crime insurance policy cover losses due to human error?
- Do you have a reserve fund set aside in case of a payments fraud that will cover anticipated losses so you do not have to cut critical budget items elsewhere?
- You can download a pdf of the these five focus areas and the associated questions here:
