
A Good Impersonator!
Who’s your favorite impressionist? Kate McKinnon? Angela Hoover? Jim Meskimen? Impressionists, also known as impersonators or mimics, make us laugh with their uncanny imitation of famous politicians and celebrities. Dana Carvey’s long-ago take on GHW Bush was classic (“start with a little Mr. Rogers and add John Wayne”), and his Jimmy Stewart was brilliant!
Some impersonators are not funny, however. They are criminals who impersonate vendors. As IT departments have hardened their perimeters and companies have become more alert to internal business email compromise (BEC), sophisticated threat actors have shifted tactics. According to Abnormal Security, a cybersecurity company, as of May 2022, 52 percent of all BEC attacks were external, surpassing internal impersonations.
Vendor Email Compromise
Internal impersonations are those emails that appear to be from the company CFO or CEO urgently requesting accounts payable to pay a vendor. Those types of “social engineering” attacks, which play on human emotions, are common. But just as likely now, cybercriminals will approach a company externally in the guise of a legitimate vendor.
This “financial supply chain compromise” is a subset of BEC. Also called vendor email compromise or VEC, it is often more sophisticated. Criminals work diligently and patiently, first to breach a vendor, then to gather information on the vendor’s customer relationships, communication and supply cycles.
They do this unnoticed by the vendor, who is not the target but the cover. Eventually, the cybercriminals send communications to the vendor’s customers in the guise of the vendor. Such attacks are extremely tough for a company to detect because they come from legitimate but compromised vendor accounts, and the emails follow the expected vendor patterns of communication and timing.
The aim, of course, is to get accounts payable to send money their way. So, for example, they may send an urgent invoice with payment instructions. Or they might request a change to their bank account information, then bide their time until the next payment.
How to Beat the Impersonators
Never has it been more critical to have and follow internal controls and good security practices regarding vendor information and communications. It is too easy for the imposter to impersonate a vendor via email.
It’s easier than a couple of generations ago when the infamous Frank Abagnale used model airplane decals to create false credentials and checks. In the digital age, making an email look exactly like one from Microsoft, or any of your vendors, takes just minutes—just some cut-and-paste and a bit of formatting.
Regarding business email, the new motto must be: “Distrust and verify.” It’s essential to develop guarded email habits. Look carefully at the sender of an email. Do you know the sender? Is the address legitimate, and when you hover your cursor over it, does the underlying address match what is displayed?
Beware misspellings and grammar mistakes, though be aware that some cybercriminals have good writing skills. Hover over any link to examine the embedded URL, and do not click email links. Beware attachments. Never click “verify your account” or “login” links in an email. Forward any suspicious emails to your IT security.
Many companies are implementing automated help. For example, many systems now flag all emails that originate outside the organization. Of course, many of those are legitimate, but it reminds users to be on guard.
The One Thing AP Must Do
Cautious email practices are essential. But specifically, concerning vendor email compromise, accounts payable can avoid falling victim. The vital controls here are around vendor bank account verification. First, verify all new vendor bank accounts: account ownership, routing and account numbers. A bank account verification solution can make this easy.
Then never change the vendor’s banking information without independently verifying the change request. For example, when a vendor sends an email with new account information for electronic payments, contact the vendor independently of the email request. In other words, go to the vendor file to find the appropriate contact of record and call them directly or, again, use a bank account verification solution to confirm.
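The sender and link checks described under “How to Beat the Impersonators” and the bank-change control in this section, as an added Python example that is not from the original article; the vendor file, the sample message, the look-alike domain and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed vendor file of record: the only trusted source for contact numbers and bank details.
VENDOR_FILE = {
    "acme-supplies.example": {
        "contact_phone": "+1-555-0100", "routing": "021000021", "account": "123456789",
    },
}

# Constructed message imitating the vendor from a look-alike domain, with a disguised link.
SAMPLE_EMAIL = """From: Acme Supplies Billing <billing@acme-supp1ies.example>
Subject: Updated remittance details
Content-Type: text/html

<p>Please update our bank account. Confirm at
<a href="http://portal.acme-supp1ies.example/verify">https://portal.acme-supplies.example</a></p>
"""

def email_red_flags(raw):
    """Return the reasons a vendor message should be treated as suspicious (empty list if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain not in VENDOR_FILE:
        flags.append(f"sender domain not on file: {domain}")
    # A display name that invokes a known vendor while the real address is elsewhere
    for known in VENDOR_FILE:
        if known.split(".")[0].replace("-", " ") in name.lower() and domain != known:
            flags.append(f"display name {name!r} does not match address {addr}")
    # Compare the URL shown to the reader with the real href target (the "hover" check)
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', msg.get_payload(), re.I | re.S):
        shown = urlparse(text.strip() if "://" in text else "http://" + text.strip()).hostname
        if shown and shown != urlparse(href).hostname:
            flags.append(f"link text {text.strip()} hides target {href}")
    return flags

def apply_bank_change(vendor_domain, new_routing, new_account, number_called):
    """Accept a bank change only after calling the contact of record, never a number taken from the email."""
    record = VENDOR_FILE[vendor_domain]
    if number_called != record["contact_phone"]:
        return False
    record.update(routing=new_routing, account=new_account)
    return True
```

Running `email_red_flags(SAMPLE_EMAIL)` reports the unknown sender domain, the mismatched display name and the disguised link; `apply_bank_change` refuses the update unless the verifying call went to the number in the vendor file.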
By following that safeguard consistently, accounts payable can catch a fraudulent change request. Skipping that control risks your organization paying the criminal instead of your vendor. Don’t reward a “good” impersonator. Instead, stay skeptical, and follow your rules. They’re best practices for a reason.
And to find out how VendorInfo can help you with vendor bank account verification, contact us.