With the pandemic-driven shift to remote work, many organizations moved more check payments to electronic formats, primarily ACH. That has required vendors to provide organizations with bank account information. Criminals, of course, go where the money is. And in the hasty shift to more electronic payments and, therefore, more vendors sharing bank account information, many organizations have not put adequate protection of vendor banking information in place.
Despite being parasitic, fraudsters are entrepreneurial and quick to exploit new opportunities afforded by changes in payment practices. But, of course, ACH is not new, so plenty of bad guys were already prepared and waiting for more opportunities to exploit. But what exactly is the problem, and what can organizations do about it?
Organizations are not securely handling vendor bank account information. They rely too much on email communication and are not verifying sources or account numbers.
The most significant risk connected to electronic payment fraud is when an existing vendor changes its account information, which, on average, is every four years. Vendor bank account changes are a common occurrence across your vendor data. So why is that a problem? Because criminals may get into your email system or one of your vendors’ email systems, typically through phishing attacks, gaining access to that information.
And as we’ve covered elsewhere, cybercriminals are patient. Once in your system, they watch and gather information. Fraud perpetrators learn your patterns of communication and payments. Then they can intercept and alter or spoof vendor emails. By sending you an altered or spoofed email, they redirect you to send payment to an account they control instead of the vendor’s account.
Two New Controls
Most AP departments have internal controls on adding new vendors or changing data for existing vendors in their master files. The first step is to ensure your staff is following those controls consistently. But you can boost the traditional controls to manage the new vulnerabilities.
For most organizations, the usual controls around the vendor master file do not specifically address email communication of sensitive data. But today, email has become a tool in vendor payment fraud, so organizations must consider adding additional controls.
The first is to discourage vendor communications of sensitive information via regular email. Instead, provide vendors with a secure portal to submit data or insist on encrypted email. But be sure you understand email encryption and take all necessary steps to secure data transmitted that way.
TLS encrypts email in transit, but if your email account is compromised, TLS encryption will not help. Instead, you need to employ end-to-end encryption so that even on your company email server, a criminal cannot see the contents of the email. A secure portal avoids email's exposure altogether and is the better alternative.
The second “new” control is not new, just more important than ever. Organizations must verify bank account information changes, which involves two parts. The first part is to confirm the update with the vendor independently of the update instructions, using contact details you already have on file rather than any supplied in the request. The second is to verify the new bank account number itself. Contact the bank to verify the account, or use a verification service that specializes in bank account verification, and do this for every change.
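The two-part verification above is easy to state and easy to skip, so here is an added example (not VendorInfo's code or any product's) of an approval gate that refuses to update the vendor master file unless both parts are evidenced. The vendor records, the change request, the lookalike sender domain and the verification-service status values are all constructed for the example; the ABA routing-number checksum is a real format check, included only to catch transcription errors, and does not replace verification with the bank or a service.

```python
from dataclasses import dataclass, field
from typing import List, Optional


# --- Vendor master data and inputs (constructed for this example) -----------
@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    email_domain: str      # domain the vendor has historically mailed from
    callback_phone: str    # captured at onboarding, never taken from an email
    routing: str
    account: str


@dataclass(frozen=True)
class BankChangeRequest:
    vendor_id: str
    sender_email: str
    new_routing: str
    new_account: str
    phone_in_request: Optional[str] = None  # "call this number to confirm": untrusted


@dataclass(frozen=True)
class VerificationEvidence:
    callback_number_dialed: Optional[str]  # number AP actually called
    callback_confirmed: bool               # vendor confirmed on that call
    account_status: str                    # result from the bank / verification service


@dataclass
class Decision:
    approved: bool
    reasons: List[str] = field(default_factory=list)


def aba_checksum_ok(routing: str) -> bool:
    """Format pre-check for a 9-digit US ABA routing number (weights 3,7,1 repeated).
    Catches typos only; it says nothing about who owns the account."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def evaluate_change(req: BankChangeRequest, vendor: VendorRecord,
                    evidence: VerificationEvidence) -> Decision:
    """Approve only when every control is satisfied; otherwise list every failure."""
    reasons: List[str] = []

    # Red flag from the request itself: sender domain differs from the domain of record.
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        reasons.append(f"sender domain {sender_domain!r} differs from domain of record")

    if not aba_checksum_ok(req.new_routing):
        reasons.append("routing number fails ABA checksum")

    # Part 1: independent confirmation, using contact details already on file.
    if evidence.callback_number_dialed != vendor.callback_phone:
        note = "callback was not placed to the number on file"
        if evidence.callback_number_dialed == req.phone_in_request:
            note += " (it used the number supplied in the request)"
        reasons.append(note)
    elif not evidence.callback_confirmed:
        reasons.append("vendor did not confirm the change on callback")

    # Part 2: the account itself, verified with the bank or a verification service.
    if evidence.account_status != "verified":
        reasons.append(f"account verification status is {evidence.account_status!r}")

    return Decision(approved=not reasons, reasons=reasons)


def apply_change(req: BankChangeRequest, vendor: VendorRecord,
                 evidence: VerificationEvidence) -> VendorRecord:
    """Return the updated master record, or raise so the change is never written."""
    decision = evaluate_change(req, vendor, evidence)
    if not decision.approved:
        raise PermissionError("; ".join(decision.reasons))
    return VendorRecord(vendor.vendor_id, vendor.email_domain, vendor.callback_phone,
                        req.new_routing, req.new_account)


VENDOR = VendorRecord("V-1001", "acme-supply.example", "+1-555-0199",
                      "123456780", "000111222")  # constructed values


def demo_fraud_pattern() -> Decision:
    """Lookalike domain, 'call this number' in the email, callback made to that number."""
    req = BankChangeRequest("V-1001", "ap@acme-suply.example", "123456789",
                            "999888777", phone_in_request="+1-555-0100")
    ev = VerificationEvidence("+1-555-0100", True, "name_mismatch")
    return evaluate_change(req, VENDOR, ev)


def demo_legitimate() -> Decision:
    """Callback to the number on file, confirmed, and account verified."""
    req = BankChangeRequest("V-1001", "billing@acme-supply.example",
                            "123456780", "555666777")
    ev = VerificationEvidence(VENDOR.callback_phone, True, "verified")
    return evaluate_change(req, VENDOR, ev)


if __name__ == "__main__":
    print(demo_fraud_pattern())
    print(apply_change(BankChangeRequest("V-1001", "billing@acme-supply.example",
                                         "123456780", "555666777"),
                       VENDOR, VerificationEvidence(VENDOR.callback_phone, True, "verified")))
```

The important design choice is that `evaluate_change` compares the number AP actually dialed against the vendor master, so a confirmation obtained through a phone number that arrived in the same email as the new account details is treated as no confirmation at all. Every reason is collected rather than stopping at the first, which gives the reviewer the full picture of a suspicious request.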
Skipped controls are no controls. Omitting these steps leaves your organization at greater risk for vendor payment fraud. And that can be very expensive.
To find out how VendorInfo can help both with secure transmission of sensitive vendor information and verification of vendor bank accounts, contact us.