What is vendor fraud?
Vendor fraud occurs when a fraudster poses as a person or entity you know and trust (a vendor, an executive, etc.) and requests a change to banking information. If the fraudster convinces you to change the payment information and you then make a payment, the money goes to the fraudster instead of where you intended. Because these payments are initiated by authorized users in your organization, they look like normal payments to your bank. Such fraudulent payments commonly continue for months before they are discovered.
In most cases, the fraud begins when you receive an email from a vendor requesting that you change the vendor’s payment instructions – the bank name, routing/transit number, or account number. These types of attacks often appear immediately before 3-day weekends, as it is far more difficult to retrieve transferred money after a 72-hour window.
How can I protect against vendor fraud?
- Understand that these requests often come from valid emails. Successful phishing attacks provide the fraudsters with valid email logins and passwords that they use to send fraudulent emails. The email address itself may be valid, but be skeptical of any email that requests financial changes, employee information, or sensitive company information.
- Verify all requests. Create a policy to authenticate every request (e-mail and postal mail) that includes a change to bank account information. Use the contact information you already have on file to verify the request. Never use the contact information that comes with the request – treat it as fraudulent too.
- Don’t be afraid to ask. Sharing the email with other employees is often helpful in determining whether an email request is valid or not. Include IT members when you share – they often see a wider range of fraudulent emails than most employees and can be helpful in determining legitimacy.
- Educate your staff and business partners. Anyone at your company or your business partner companies can be a target. This includes executives and managers, your accounts payable staff, and any departments that communicate with your vendors.
- Make sure your organization uses proper fraud-fighting controls. Internal controls include using dual custody properly, assigning responsibilities that include daily account monitoring, and verifying unusual payment or account change requests.
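The controls above (verify via the contact on file, dual custody, daily monitoring of recent changes) can be enforced in the system that holds your vendor master file rather than left to memory. The following is an added illustration, not code from the original page; the vendor record, phone numbers, bank details and the 30-day review window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed vendor master record: the contact details on file BEFORE any request arrives.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Supply (constructed)", "phone_on_file": "+1-555-0100",
               "bank": {"bank_name": "Old Bank", "routing": "000000000", "account": "1111"},
               "bank_changed_on": None},
}

def fresh_master() -> dict:
    """Return a fresh copy of the constructed vendor master so separate runs do not interfere."""
    return {vid: {**rec, "bank": dict(rec["bank"])} for vid, rec in VENDOR_MASTER.items()}

@dataclass
class ChangeRequest:
    vendor_id: str
    requested_by: str                    # employee entering the change
    new_bank: dict                       # bank name, routing/transit number, account number
    callback_number: str                 # number quoted in the e-mail; never used for verification
    verified_via: Optional[str] = None   # number the employee actually called
    approved_by: Optional[str] = None    # second approver (dual custody)

def apply_bank_change(req: ChangeRequest, master: dict, today_iso: str, audit: list) -> bool:
    """Commit the change only if on-file verification and dual custody both pass."""
    vendor = master.get(req.vendor_id)
    if vendor is None:
        audit.append(f"REJECT {req.vendor_id}: unknown vendor")
        return False
    # Control 1: verification must use the contact on file, not the one supplied in the request.
    if req.verified_via is None or req.verified_via != vendor["phone_on_file"]:
        audit.append(f"REJECT {req.vendor_id}: not verified via contact on file")
        return False
    # Control 2: dual custody; the approver must be a different person from the requester.
    if not req.approved_by or req.approved_by == req.requested_by:
        audit.append(f"REJECT {req.vendor_id}: second approver missing or same as requester")
        return False
    if req.callback_number != vendor["phone_on_file"]:
        audit.append(f"NOTE {req.vendor_id}: request quoted a callback number not on file")
    vendor["bank"] = dict(req.new_bank)
    vendor["bank_changed_on"] = date.fromisoformat(today_iso)
    audit.append(f"APPLIED {req.vendor_id}: bank details changed, approved by {req.approved_by}")
    return True

def payments_to_review(payments: list, master: dict, today_iso: str, window_days: int = 30) -> list:
    """Daily monitoring: list payments to vendors whose bank details changed within the window."""
    today = date.fromisoformat(today_iso)
    flagged = []
    for p in payments:
        changed = master[p["vendor_id"]]["bank_changed_on"]
        if changed is not None and today - changed <= timedelta(days=window_days):
            flagged.append(p["payment_id"])
    return flagged
```

Rejected and applied changes both land in the audit list, so the review of a flagged payment can start from who verified, who approved, and whether the request quoted a contact that was not on file.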
What do I do if I have been a victim of fraud?
- Immediately contact your bank representative and tell them you suspect fraud.
- Escalate internally within your organization. Immediately notify your manager, all members of your accounting and finance teams (including your CFO), and the person responsible for managing your IT security. Expediting this communication reduces the risk from other financial attacks that may be occurring at the same time within your organization.
- Contact your vendor as soon as possible using contact information that was used prior to the incident. Any contact information used as part of the fraudulent email requests should be considered fraudulent as well.
- If money has already been transferred, immediately report the incident to the FBI at either https://www.ic3.gov/ or https://www.fbi.gov/contact-us.