Vendor Fraud

Fraudsters ❤️ a manual vendor onboarding process.

Vendor fraud is, more accurately, vendor impersonation fraud. And right now, someone on your team is losing sleep worrying about falling victim to one of these scams.

With spoofing emails, executive impersonation, vendor email compromise, deep fake video calls, smishing, phishing, and all the other “-ishings”, your organization simply cannot defend on process alone.

Enter PaymentWorks.

For stressed-out vendor management teams overwhelmed with trying to confirm vendor bank account information, the PaymentWorks vendor onboarding platform verifies vendor banking data and takes on the risk of vendor payments fraud scams.

That’s right.

If we say a vendor’s bank account is okay to pay, you can sleep better knowing that any payments you make to those accounts are indemnified by PaymentWorks. And unlike traditional supplier portals, PaymentWorks automates the vetting of vendor data at the point of onboarding and throughout the vendor lifecycle.

Ready to eliminate your fraud risk and sleep better at night?

Take our self-guided demo to see how easy (and stress-free!) your vendor onboarding process can be.


Chapter 1

Vendor Fraud Schemes: Fraud in Action

1. Vendor impersonation fraud

Vendor impersonation fraud happens when fraudsters pose as new or existing vendors, tricking organizations into redirecting payments to fraudulent accounts. It may look like a fake invoice, a change request to banking details, or a request for urgent payments. No matter how it’s dressed up, the results are the same. 

Moreover, it can happen to anyone. Smaller organizations may be more at risk because they don’t have the budget for fancy security measures. However, security measures don’t stop social engineering, so they only go so far. Instead, company culture plays a significant role in an organization’s vulnerability to these scams. Consider whether your team is used to a corporate culture that continually makes exceptions to documented processes. If so, that habit can mean the difference between good outcomes and bad ones.

The only way to truly stop vendor impersonation fraud is through a solid corporate culture that documents, then sticks to, its vendor onboarding and change management processes.

And yes, it happens to the big guys, too. Just ask Facebook and Google, which were swindled out of $100 million not too long ago thanks to some really, really good fake invoices.

Why is vendor impersonation fraud dangerous?

Vendor impersonation fraud is dangerous in a few ways, including: 

Financial losses: The fastest, most hard-hitting impact of vendor impersonation fraud is financial. Your organization can lose substantial sums of money to fraudulent transactions before you even realize what occurred. Your vendors are out as well, possibly with dire consequences for their financial solvency.

Reputational damage: While this one sounds qualitative, it can have quantifiable impacts. Put simply, falling victim to fraud makes you look bad. It affects your relationships with suppliers, investors, and customers. It also raises questions about your organization’s ability to safeguard against risks and manage operations securely.

Operational disruption: Dealing with the aftermath of fraud is expensive and time-consuming. It will likely disrupt business operations and require significant resources to investigate and fix the process that led to the success of the scam.

Why you might be at risk for vendor impersonation fraud

Vendor impersonation fraud is an equal opportunity offender; everyone’s at risk. That said, you might be inadvertently doing things (or not doing things) that make you an enticing target. See if you fit the bill on any of the following: 

  1. Lack of internal controls: If you don’t have internal controls (or don’t have them documented), you’re at risk. You should have documented controls for everything from verifying changes in payment details to authorizing transactions.
  2. Inadequate employee training: Employees need to be on the same page when it comes to recognizing phishing attempts or suspicious changes in vendor information. Without the right training, they’re more likely to fall prey to vendor impersonation scams. More importantly, your employees must know that no one at your organization will ever ask them to circumvent your documented vendor onboarding process.
  3. Dependence on email communications: Overreliance on email for financial transactions and communications is risky. This is especially true if email accounts are not secured with multi-factor authentication.

2. Business email compromise (BEC) fraud

Business email compromise (BEC) fraud, also known as email account compromise (EAC), involves cybercriminals using email fraud to extract money or confidential information from businesses. Typically, this sophisticated scam involves hijacking official email accounts. Then, fraudsters use those accounts to issue or alter invoice requests, directing payments to their own accounts.

The FBI’s Internet Crime Complaint Center reports that BEC has cost more than $50 billion globally in losses between 2013 and 2022. In fact, it’s so bad that it’s now regularly referred to as The $50 billion scam.

For overworked and understaffed vendor desks, identifying when a vendor email account has been compromised is like finding a needle in a haystack. And let’s not forget, these folks are not security experts, as Jens Brown, TITLE, Huron, eloquently points out below: 

Why is business email compromise (BEC) dangerous?

Business email compromise fraud hurts your organization in several ways, and each can have long-lasting consequences: 

Financial losses: BEC fraud can cost your organization millions. The amounts requested often mimic real invoices or payment requests, so unauthorized transfers might be substantial before the fraud is detected.

Data breach: In some cases, BEC scammers try to get sensitive information. If they’re successful, this can lead to data breaches that can have severe legal and reputational consequences.

Loss of trust: Successful BEC attacks can damage an organization’s reputation, undermining trust among partners, suppliers, and customers.

Operational disruption: Dealing with the aftermath of a BEC incident is time-intensive; it distracts from normal business activities and eats away at resources. All this negatively impacts productivity and business continuity.

Why you might be at risk for business email compromise fraud

Remember, business email compromise fraud is a popular type of fraud for a reason. Without the right security controls in place, you might end up in an ugly situation. Here are some ways to tell if you make a good target: 

Inadequate security protocols: If you aren’t already using two-factor authentication (2FA) and advanced email filtering, start there. Without those critical safeguards, it’s easier for fraudsters to carry out BEC scams.

Insufficient employee training: If your employees aren’t up-to-speed in cybersecurity best practices, they’re going to miss key indicators of phishing attempts or suspicious email activities. In other words, they’re more likely to fall victim to BEC schemes.

High turnover or large scale: Organizations with high employee turnover or a large workforce may struggle to maintain consistent training and awareness, increasing vulnerability.

Dependence on email and phone communications: If you’re using email and phone calls to collect and verify information, you have security gaps in your process. These gaps in verification can expose you to BEC threats.

3. CEO fraud

CEO fraud is a subset of BEC. With CEO fraud, attackers impersonate high-level executives (like your CEO) to authorize fraudulent wire transfers or divulge sensitive information. How? Fraudsters might send a request for a wire transfer or ask for sensitive information to the people typically responsible for handling such requests. Since these employees believe they are being asked by a higher-up, it’s easy to take the requested action without verifying the authenticity of the request. Imagine getting an “urgent” request from your boss. How would you reply? It’s a tough position to be in.

This type of fraud is getting downright scary. 

For example, this finance worker accidentally sent a $25 million payment to fraudsters because he believed he had been instructed to do so on a video call with someone he thought was his chief financial officer. It turned out that the CFO and everyone else on the call (some of whom this worker “recognized”) were deepfake replicas of the real people. Yikes.

Why is CEO fraud dangerous?

CEO fraud is especially nefarious because it impacts everyone in the organization. In addition to financial consequences, it can really sour the culture: 

Significant financial losses: CEO fraud can lead to substantial financial losses. Just think about the last high dollar amount transaction that was authorized by senior-level management.

Reputational damage: Just like other fraud types, CEO fraud can make your organization look bad. It can lead stakeholders to question the integrity of internal controls and the competence of the management.

Operational disruption: Recovering from CEO fraud is just as expensive, time-consuming, and resource-draining as other types of fraud, if not more so. It might include legal battles and forensic investigations, which can divert resources from normal business operations.

Loss of employee morale: Additionally, these kinds of fraud incidents can decrease employee morale and trust within the company. This is especially true if employees are reprimanded or penalized for their involvement in the fraud. It’s why so many vendor managers have a hard time sleeping at night. 

Why you might be at risk for CEO fraud

CEO fraud is just as prevalent as BEC fraud, but organizations with a culture of bucking the process (especially for higher-ups) make a particularly delicious target. Other things can put you at risk, too: 

Lack of verification processes: Organizations without strong verification processes for confirming the legitimacy of unusual financial requests are more vulnerable to CEO fraud.

Over-reliance on email and phone communication: Organizations that lean heavily on email and phone communication – without supplementary secure communication channels – are at greater risk.

Inadequate training: Employees who are not trained to recognize phishing attempts or verify the authenticity of emails, especially those appearing to be from high-level executives, are more likely to be deceived.

Culture of exceptions: A workplace culture that emphasizes urgency over accuracy can pressure employees into acting quickly on fraudulent requests without properly verifying the request is real.


Chapter 2

Vendor Fraud Examples Using AI

Artificial Intelligence (AI) is revolutionizing the game for both the good guys and the bad guys. On one hand, AI brings a host of efficiencies and advancements. On the other hand, it also introduces new vulnerabilities, particularly in the form of sophisticated fraud techniques such as deepfakes, voice cloning, and advanced social engineering scams. 

These emerging threats present significant challenges for vendor managers, especially those relying on manual processes or outdated technologies. And the outlook is even more dire for organizations that have a culture problem.

Let’s look at some of the ways AI has introduced new methods for fraudsters to deceive organizations:

#1. Deepfakes

AI-generated deepfakes create realistic video or audio recordings of individuals, which can be used to request unauthorized transactions. When it comes to vendor fraud (and as we saw in the example above), AI is often used to impersonate company executives or vendors. These AI-generated deepfakes then ask an unknowing person to authorize fraudulent transactions or disclose confidential data. 

For example, in 2019, a UK-based energy firm’s CEO was mimicked using AI voice technology to facilitate a fraudulent transfer of €220,000.

#2. Voice cloning

Voice cloning works similarly to deepfakes but focuses on voice. Fraudsters can clone a person’s voice with just a few audio samples (as few as three seconds’ worth!). Then, they use this to attempt to authorize fraudulent payments over the phone.

It poses such a threat that the United States Senate Committee on Banking, Housing, and Urban Affairs has written an official letter to the Consumer Financial Protection Bureau (CFPB) to express deep concerns regarding the “potential exploitation in financial scams.”

#3. More sophisticated social engineering

Emerging video and audio deepfakes set the stage for more sophisticated social engineering scams to come. AI also has the ability to analyze personal data to craft highly personalized phishing emails. As a result, this significantly increases the chances of deceiving recipients. 

Worse yet, AI makes it easier (and faster) for cybercriminals to perpetrate fraud. For example, one report notes that cybercriminals can use AI to generate a phish in 5 minutes, saving bad actors nearly two days’ worth of time.

Potential Risks for Vendor Managers

Vendor managers who rely on manual verification processes or outdated tools are particularly at risk of being victims of these AI-driven fraud techniques. Relying on manual collection and verification of documents, emails, or voice communications is not the best way to detect AI-generated scams.

Reliance on manual processes becomes even more impractical when you consider how rapidly fraudsters are able to deploy new scams. It’s easy to see how an organization can quickly become overwhelmed by deciphering between legitimate and fraudulent requests. 

Linda Miller highlights how tough it is to keep up with this new generation of fraud actors:  


Chapter 3

Vendor Fraud Prevention Best Practices

Vendor fraud is a real threat to organizations of all shapes and sizes. It drains vital resources and undermines trust within organizational ecosystems. And the problem only gets worse as companies expand their networks of suppliers and contractors. 

The opportunities for fraud constantly expand, making it critical to implement the right measures to safeguard against emerging threats. We have some ideas to start.

Vendor fraud prevention for vendor impersonation fraud

Verify changes in payment details: Always verify through multiple channels if a vendor requests a change in payment information, especially if done via email.

Educate employees: Regular training sessions can help employees recognize phishing scams and understand the protocols for handling vendor communications securely.

Implement robust payment protocols: Establish strict internal controls for payment authorizations, including dual approval processes for transactions above a certain threshold.

Secure communication channels: Use secure, encrypted communication methods for transmitting sensitive information. Consider establishing secure portals for vendors to upload invoices and banking details.

Regularly audit vendor relationships: Conduct regular audits of vendor files and payment histories to detect any irregularities that could indicate fraud.

Vendor fraud prevention for BEC Fraud

Email authentication protocols: Use technologies like DMARC, SPF, and DKIM to help verify the authenticity of emails and prevent email spoofing.

Verification procedures: Establish (and document!) strict verification procedures for financial transactions. Be sure everyone knows their roles and responsibilities.

Cybersecurity training: Conduct regular training sessions for all employees on cybersecurity best practices, including recognizing and responding to phishing scams and suspicious emails.

Advanced security solutions: Deploy advanced security solutions that use artificial intelligence and machine learning to detect anomalies in email patterns and behaviors.

Vendor fraud prevention for CEO Fraud

Use dual-approval processes: Consider requiring dual approval from two different executives for all financial transactions above a certain threshold to help ensure that the requests are legitimate.

Regular training and awareness programs: Conduct regular training sessions for employees on cybersecurity threats, specifically focusing on CEO fraud and phishing scams, to raise awareness and teach verification techniques.

Advanced email security measures: Use advanced email security technologies that can detect spoofing, flag external emails, and provide additional scrutiny for emails mimicking senior executives.

Encourage a verification culture: Foster a corporate culture where employees feel empowered to question and verify unusual requests, even if they appear to come from senior executives. Try documenting requests to make exceptions to shed light on the problem. 
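The three prevention lists above all come down to the same gate on a vendor bank-detail change request: sender authentication, out-of-band verification against data already on file, dual approval above a threshold, and suspicion of urgency. The following is an added example that encodes that gate as a policy check; it is not PaymentWorks code, and the threshold, vendor master record, field names and sample requests are assumptions constructed for illustration.

```python
"""Policy check for a vendor bank-detail change request (added example)."""
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy value, in dollars

# Constructed vendor master record: the phone number on file predates the request,
# so a callback to it cannot be steered by a number supplied in the email itself.
VENDOR_MASTER = {"V-1001": {"name": "Acme Supply", "phone_on_file": "+1-555-0100"}}

URGENCY_WORDS = ("urgent", "immediately", "asap", "today")


@dataclass
class ChangeRequest:
    vendor_id: str
    new_account: str
    annual_spend: float
    auth_results: dict          # e.g. {"spf": "pass", "dkim": "pass", "dmarc": "pass"}
    callback_number_used: str   # number the vendor desk actually called to confirm
    body: str
    approvers: list = field(default_factory=list)


def evaluate(req: ChangeRequest) -> list[str]:
    """Return the control failures; an empty list means the change may proceed."""
    record = VENDOR_MASTER.get(req.vendor_id)
    if record is None:
        return ["unknown vendor id"]
    failures = []
    # 1. Email authentication (SPF/DKIM/DMARC): anything but "pass" leaves the sender unverified.
    for check in ("spf", "dkim", "dmarc"):
        if req.auth_results.get(check) != "pass":
            failures.append(f"{check} did not pass")
    # 2. Out-of-band verification must use the number already on file, never one in the email.
    if req.callback_number_used != record["phone_on_file"]:
        failures.append("callback not made to phone number on file")
    # 3. Dual approval by two distinct people once the relationship is above the threshold.
    if req.annual_spend >= DUAL_APPROVAL_THRESHOLD and len(set(req.approvers)) < 2:
        failures.append("dual approval required above threshold")
    # 4. Urgency wording is a social-engineering signal; route it to a second review.
    if any(word in req.body.lower() for word in URGENCY_WORDS):
        failures.append("urgent wording: escalate for manual review")
    return failures


def sample_bad_request() -> ChangeRequest:
    """Constructed request showing the classic impersonation pattern."""
    return ChangeRequest("V-1001", "NEW-ACCT-TEST", 250_000,
                         {"spf": "pass", "dkim": "fail", "dmarc": "fail"},
                         "+1-555-0199", "Please update our bank account immediately.",
                         ["ap_clerk"])


def sample_good_request() -> ChangeRequest:
    """Constructed request that clears every control."""
    return ChangeRequest("V-1001", "NEW-ACCT-TEST", 250_000,
                         {"spf": "pass", "dkim": "pass", "dmarc": "pass"},
                         "+1-555-0100", "Our remittance account has changed; confirm via your usual process.",
                         ["ap_clerk", "controller"])
```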

Fighting AI-driven vendor fraud

To be clear, the best way to fight AI-driven vendor fraud is the same way to fight any type of fraud: the strategic use of advanced technologies and automation. 

These tools can significantly boost your ability to detect fraudulent activities by significantly reducing or eliminating manual processes that are prone to human error. Automation also empowers organizations with scale and speed that manual processes cannot match.

If your organization isn’t yet at the point of automation, consider how these best practices can help you keep AI-powered fraudsters at bay: 

Firstly, do your due diligence! You should have a documented process for onboarding new clients and processing change requests for existing ones. 

Next, take heed when you receive “urgent” requests. Scam artists often use the psychological power of urgency to get you to do things you aren’t supposed to. Take precautions with all requests (e.g., ask questions and vet requests), but pay special attention to requests that ask for something to be done “immediately.”

Don’t forget to update your internal training and education processes. Regularly update training programs to include the latest in fraud detection techniques and familiarize vendor management teams with AI-driven fraud scenarios. This prepares teams to better recognize and respond to threats.

Finally – and this is a big one – fix your culture. If it’s not uncommon for your vendor desk to field requests that step outside of the documented process, you’re at risk. One way to change this type of culture is to document the exceptions. This gives you a paper trail of off-the-cuff requests – and the most common offenders.

Pro tip

In sum, the best way to safeguard your organization is to automate onboarding and change requests. Automated platforms empower vendors to enter their own information, ensuring accuracy. Then, the platform vets and verifies that information before any payments get processed. Better yet, vetting and verification happen continuously, especially when new requests emerge. 

Automating to prevent vendor fraud

Automation provides a powerful defense mechanism against the multifaceted threat of vendor fraud. By automating vendor onboarding and management processes, organizations can significantly reduce human error, which is commonly exploited by fraudsters.

Automation also eases the burden on the vendor desk via: 

Enhanced verification processes: Automated systems can rigorously verify vendor details against multiple databases, ensuring their authenticity before any transaction.

Continuous monitoring: Automation allows for the continuous monitoring of transactions and vendor behaviors. For example, sanctions and debarred lists are often a pain point for the vendor desk. Scanning vendors against these lists should be continuous, which is a tall ask for manual vendor teams. Automation can flag anomalies or changes automatically, triggering new workflows and approval requests, saving time and money.

Secure communication channels: Automated platforms centralize and secure vendor communications, minimizing the risk of email compromise and impersonation scams.
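The continuous-monitoring point above describes two checks that are tedious by hand but cheap to run on every vendor on every cycle: a name match against a sanctions or debarment list, and a flag whenever banking details differ from the last screened snapshot. This added example (not PaymentWorks code) shows such a screening pass; the debarment entries, vendor records, name-normalization rule and workflow names are constructed assumptions.

```python
"""Continuous vendor re-screening pass (added example)."""
import re

# Constructed debarment list; real lists come from the relevant authorities.
DEBARRED = ["Globex Industrial Corp.", "Initech, LLC"]

# Legal suffixes dropped before comparison, so "Initech, LLC" and "INITECH" match.
SUFFIXES = {"inc", "llc", "corp", "corporation", "ltd", "co", "company"}


def normalize(name: str) -> str:
    """Lower-case, replace punctuation with spaces, drop legal suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


def screen(vendors: list[dict], last_snapshot: dict) -> list[dict]:
    """Return one alert per finding, naming the vendor and the workflow to trigger."""
    debarred = {normalize(n) for n in DEBARRED}
    alerts = []
    for v in vendors:
        if normalize(v["name"]) in debarred:
            alerts.append({"vendor_id": v["id"], "workflow": "hold_payments",
                           "reason": "debarment match"})
        prior = last_snapshot.get(v["id"])
        # A changed bank record since the last pass restarts verification, even if the
        # change arrived through an approved channel: the snapshot is the control.
        if prior is not None and prior != v["bank"]:
            alerts.append({"vendor_id": v["id"], "workflow": "reverify_bank",
                           "reason": "bank details changed since last screening"})
    return alerts


def sample_run() -> list[dict]:
    """Constructed vendor master and prior snapshot; bank values are placeholders."""
    vendors = [
        {"id": "V-1", "name": "INITECH", "bank": ("RTN-TEST-1", "ACCT-TEST-1")},
        {"id": "V-2", "name": "Acme Supply Inc", "bank": ("RTN-TEST-1", "ACCT-TEST-9")},
        {"id": "V-3", "name": "Globex Industrial", "bank": ("RTN-TEST-2", "ACCT-TEST-3")},
    ]
    snapshot = {"V-1": ("RTN-TEST-1", "ACCT-TEST-1"), "V-2": ("RTN-TEST-1", "ACCT-TEST-2")}
    return screen(vendors, snapshot)
```

A vendor seen for the first time (no snapshot entry, like V-3 here) gets no bank-change alert; onboarding verification is the gate for that case.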

As vendor fraud becomes increasingly sophisticated, vendor management automation can rise to the challenges of vendor fraud.


How Cabarrus County, NC Offloaded Risk and Measured Success

Cabarrus County’s $2.5 million dollar mistake turned into an opportunity to rebuild their vendor management process, eliminate the stress on staff, and to offload future risk.
