Imagine finding out that one of your trusted employees ran a vendor fraud scheme for ten years, editing real vendor invoices so that the payments landed in their own account. That is exactly what happened to Miami University, which ended up losing over $2.3 million to the fraudster. Vendor fraud is not only a significant financial threat; it can also cause reputational damage and customer mistrust for years, since the scam may give perpetrators access to confidential information.
Phishing emails involve the impersonation of a genuine third party, in order to gain access to sensitive information or a payout. There are different ‘levels’ of phishing, depending on how organized and experienced the fraudsters are.
For example, spear phishing involves intense research to personalize the communications. This includes knowing the name of the payment maker and leveraging the standard process at the company. Spear phishing fraudsters might also spoof the real vendor email address to add further legitimacy to their ruse. Busy procurement employees are unlikely to spot the difference.
Similarly, pharming happens when cyber attackers impersonate vendors and include links to malicious websites. This type of vendor fraud scheme might ask for employee login information, for example, enabling the attackers to steal those credentials and use them to access confidential company data.
Either way, phishing relies on social engineering tactics to be successful. One such attack happened to Save the Children in 2017. The con artists impersonated a supplier billing for solar panels in Pakistan, a contract the charity already had under way.
Since the perpetrators had such data, and there were no other controls in place, their attack seemed credible. Save the Children lost over $1 million to this phishing attack through fake vendor invoices.
Internal (employee) fraud
Internal fraud, also known as employee fraud, is another example of vendor fraud.
During this scheme, the employee is able to submit and hide invoices within the system. They can siphon off payments to a fake company or inflate the price of goods or services. The employee committing this type of fraud creates a shell company and might submit invoices to themselves or get another unsuspecting employee involved.
Without any internal controls, or measures to authenticate invoices and their details, this type of process can easily be successful. That’s due to the fact that the internal employee knows exactly how invoices are ‘normally’ dealt with.
And with hundreds or thousands of suppliers, accounts payable staff are unlikely to become suspicious if these fraudulent invoices are submitted in the same way as genuine ones; it all looks legitimate.
The fraud triangle is a concept that explains the reasons why criminals commit fraud, due to three red flag factors:
- Motivation: the worker feels wronged by their company (perhaps they haven’t had a pay rise in five years), or there are external pressures such as gambling debts
- Opportunity: the employee has the authorization to make payments to third parties
- Rationalization: the creation of a fake company makes it easier to hide the payments and explain them away
One example of employee fraud through false vendor creation occurred at an anonymous British business.
Here, the financial controller was motivated by her partner being made redundant, creating money pressures. She noticed that one supplier had recently shut down, and decided to edit a previous invoice and change the bank details to her own shell company.
The company had set up a co-sign mechanism, ensuring that the CFO had to co-authorize payments to vendors. However, as a busy individual with high levels of trust in their colleague, the CFO only checked payment details for new suppliers, not existing ones. Moreover, the financial controller kept the price of the “services” below the existing authorization limit, meaning that the CFO never had to be notified of these payments.
It meant that the financial controller got away with approximately £20,000 in 2020.
Invoice fraud is another way that vendor fraudsters can operate. Here, the contact genuinely comes from a real supplier, but this organization has been compromised through hacking.
It allows the fraudsters to request a change in bank account details. They can also send invoices for goods or articles not received. Change in payment details attacks are fairly common, because most companies are less suspicious of existing vendor relationships so don’t consistently check them, and instead put efforts into verifying new suppliers.
Sade Telecom, an electrical network company, fell victim to this type of attack before partnering with Trustpair. The accounts payable team received a request to change payment details and, without any verification system, sent their new invoice payments to this account. It was only after the procurement team read a late payment notification that they realized they had fallen victim to vendor fraud.
Thankfully, the team underwent a complete security audit. They also implemented Trustpair to automatically validate payment details before every payment is made, which allowed them to prevent vendor fraud entirely. Not only did it improve company security, but it ensured the company would not suffer such financial losses again. Up and running within 72 hours, we have since blocked 100% of payment fraud attempts.
Vendor account validation, the ultimate defense against vendor fraud
Vendor account validation is the ultimate way to prevent vendor fraud. It also helps detect vendor fraud red flags. This process involves taking the details listed on the company invoice and comparing them to international databases. The information to verify involves:
- Bank account details, including name, routing number, and account number
- Company details, including name, ultimate beneficial ownership, and whether the company appears on any blacklists
By validating the information, businesses can be sure they are paying who they think they’re paying, and not bad actors. But performing these checks manually in accounting would involve cumbersome back-and-forth activity. On top of that, it is only possible if you can access the various international databases you would need.
Instead, automating vendor account validation enables organizations to verify their supplier is who they say they are, and that all their bank and company details match up.
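The checks described above, and the control failures in the earlier cases (a closed supplier still being paid, a change-of-bank-details request accepted without verification, amounts kept just under the co-authorization limit), can be expressed as a small pre-payment validation routine. The example below is added here for illustration; it is not Trustpair's product code. The vendor master file, the blacklist and the approval limit are constructed stand-ins for a company's supplier records and for an external database, and the invoices are made-up sample data. The IBAN checksum is the real ISO 13616 mod-97 rule; it only proves an account number is well-formed, which is why the routine also compares every invoice, not just those from new suppliers, against the master record.

```python
import re
from dataclasses import dataclass

# Everything below is constructed sample data: it stands in for a company's
# supplier master file and for an external blacklist, and none of it is real.


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    iban: str
    status: str  # "active" or "closed"


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_id: str
    beneficiary: str  # payee name printed on the invoice
    iban: str
    amount: float
    bank_change_requested: bool = False  # invoice asks AP to update bank details


def normalise(iban: str) -> str:
    """Strip whitespace and upper-case so formatting differences do not hide a mismatch."""
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map
    letters to numbers (A=10 ... Z=35) and require a remainder of 1 mod 97."""
    s = normalise(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def validate_invoice(inv: Invoice, master: dict, blacklist: set, approval_limit: float):
    """Return (decision, findings). decision is "pay", "hold" (needs out-of-band
    verification with a known contact) or "block"."""
    findings = []  # (severity, message)
    iban = normalise(inv.iban)
    vendor = master.get(inv.vendor_id)

    if vendor is None:
        findings.append(("block", "vendor not in master file"))
    else:
        if vendor.status != "active":
            findings.append(("block", f"vendor status is '{vendor.status}'"))
        # Existing vendors are checked too: this is where change-of-details fraud hides.
        if iban != normalise(vendor.iban):
            findings.append(("hold", "IBAN differs from master record"))
        if inv.beneficiary.casefold() != vendor.name.casefold():
            findings.append(("hold", "beneficiary name differs from master record"))

    if not iban_checksum_ok(iban):
        findings.append(("block", "IBAN fails ISO 13616 checksum"))
    if iban in blacklist:
        findings.append(("block", "IBAN appears on blacklist"))
    if inv.bank_change_requested:
        findings.append(("hold", "bank detail change requested; confirm via known contact"))
    # Amounts kept just under the co-sign threshold are a classic way to avoid a second approver.
    if 0.9 * approval_limit <= inv.amount < approval_limit:
        findings.append(("hold", "amount sits just under the approval limit"))

    if any(sev == "block" for sev, _ in findings):
        decision = "block"
    elif findings:
        decision = "hold"
    else:
        decision = "pay"
    return decision, [msg for _, msg in findings]


# Constructed supplier master file (hypothetical vendors; IBANs are published format examples).
VENDOR_MASTER = {
    "V-100": Vendor("V-100", "Acme Solar Ltd", "GB82 WEST 1234 5698 7654 32", "active"),
    "V-200": Vendor("V-200", "Old Cables plc", "FR14 2004 1010 0505 0001 3M02 606", "closed"),
}
# Constructed stand-in for an external blacklist: the closed supplier's account.
BLACKLIST = {"FR1420041010050500013M02606"}
APPROVAL_LIMIT = 10_000.0

# Constructed sample invoices covering the cases discussed in the text.
SAMPLE_INVOICES = [
    Invoice("INV-1", "V-100", "Acme Solar Ltd", "GB82WEST12345698765432", 4_200.0),
    Invoice("INV-2", "V-100", "Acme Solar Ltd", "DE89370400440532013000", 9_750.0, True),
    Invoice("INV-3", "V-200", "Old Cables plc", "FR1420041010050500013M02606", 1_500.0),
    Invoice("INV-4", "V-100", "Acme Solar Ltd", "GB82WEST12345698765433", 500.0),
]


def run_checks(invoices=SAMPLE_INVOICES):
    """Validate each sample invoice; returns {invoice_id: (decision, findings)}."""
    return {inv.invoice_id: validate_invoice(inv, VENDOR_MASTER, BLACKLIST, APPROVAL_LIMIT)
            for inv in invoices}


if __name__ == "__main__":
    for invoice_id, (decision, findings) in run_checks().items():
        print(f"{invoice_id}: {decision.upper():5} {'; '.join(findings) or 'no findings'}")
```

INV-2 is the instructive case: the new account has a perfectly valid checksum, so a format check alone would pass it, but it differs from the master record, arrives with a change request and is priced just under the approval limit, so it is held until someone confirms the change with the supplier through a contact already on file rather than one given in the invoice. A real deployment would replace the in-memory master file and blacklist with the ERP supplier records and the external databases the text refers to.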
Here’s a recap:
Vendor fraud schemes involve phishing, employee scams, and paying an invoice without receiving goods, services, or having a pre-existing relationship. Protect your business against vendor fraud by validating accounts against international databases in real-time, verifying your supplier, and blocking payments to fraudsters.