A call back procedure is required when vendors change their bank account information, so that accounts payable can authenticate the request before making payment.
Much of the advice out there is that calling back from a trusted telephone number is the gold standard to prevent payment fraud. But in actual fact, businesses must do more to verify a change in details in order to protect themselves from fraudsters.
Learn when companies should use call back procedures and when you need more complete checks, such as automated vendor verification.
Key Takeaways:
- Call back procedures are a way to verify that payment requests are valid, and that the money will go to the right people
- Organizations should use call back procedures when they receive requests to change payment details, or get payment requests without any prior knowledge or authorisation
- Performing a call back procedure is pretty simple: find the contact details from a verified and trusted data source, and call the third party asking them for their bank account information
- Poor scalability, high admin costs and communication reliability issues are all common risks associated with manual call backs
- Choose to automate call back procedures or replace with data verification for secure, real-time and more reliable prevention of payment fraud
What is a call back procedure?
Call back procedures are a type of verification, typically used when third parties request a change of payment details. These requests are not always genuine, so verifying the legitimacy of the request is key. A call back is exactly that: a conversation with the vendor, to their trusted phone number, to check that they submitted the request.
It’s not always vendors, though: urgent payment requests can also come from those inside the company, such as the CEO or a direct line manager. Fraudsters use social engineering tactics to pile the pressure on the recipient, including urgency or the promise of reward. This doesn’t always raise suspicion, but including a call back process as standard in the payments workflow can help protect the company.
When should companies use call back procedures?
Accounts payable staff find call back procedures useful in the following situations:
- When receiving a request for change of payment details
- When they get an urgent payment request from internal staff (without prior notice)
- When onboarding new suppliers
- When receiving an invoice that doesn’t match previous purchase orders
In each of these scenarios, there are risks that a call back procedure can resolve:
1. Change of payment details: because of the risk of account takeover fraud, there is a higher likelihood that the request has come from an impersonator aiming to redirect the payment to their own account.
A callback process would not only confirm the correct bank account information, but also whether they did indeed file the written request. It would also highlight the account takeover fraud to the client quickly, so that they can respond, manage and limit the damage.
2. Urgent payment request: the risk here is phishing of internal staff accounts, which can leave your systems vulnerable to exploitation. These days, some CEO fraud perpetrators even use SMS (smishing) or phone calls (vishing: voice phishing) to make the attack more believable.
A call back procedure would be helpful as you would already have the correct phone number for the colleague in question, so you can trust that the person on the other end is giving you the correct information. It’s a more reliable source than an incoming contact method.
3. Onboarding new suppliers: the primary risk is that the account information provided may include errors, preventing paid transactions from settling.
Call back procedures act like a double check measure against human error, ensuring that payments arrive on time and only need to be sent once.
4. Invoice that doesn’t match purchase orders: most procurement teams are performing two or three-way matching as part of their due diligence procedures. So when an invoice comes in with different payment instructions, amounts or account details to the original PO, it can raise a few eyebrows.
Call back procedures can help clarify the reason for the variance. Is it a mistake, a fraud attempt, or was the new detail agreed by your colleague, without the subject being communicated? By performing a call back, you’ll get a concrete answer and can decide on next steps accordingly.
How to perform a secure call back procedure?
Performing a secure call back procedure shouldn’t be difficult. Here’s how to complete it with success:
1. Receive emails with suspicion
Never blindly trust an email, especially when the sender is asking you to take an action. This channel is particularly vulnerable to exploitation, with business email compromise and vendor email compromise scams rife. By receiving all emails with suspicion, you can implement call back procedures when they are needed.
2. Use a verified phone number
Don’t rely on the phone number given to you in the email, as it may also have been manipulated in anticipation of a call back. Instead, find the verified phone number of your contact, which can typically be found in your vendor management database. If you don’t have that data, then head to the verified website of your vendor to find their company phone number.
3. Follow the four eyes principle
The segregation of duties is an essential internal control, ensuring that no single employee has total control over a single process. It protects against risks associated with internal fraud. So when performing call backs, try to call a different member of the team than the one who sent you the invoice or payment request. This circumvents the challenge of maverick spending, better protecting your business.
4. Verify the payment details
It sounds simple, but many call back scripts don’t explicitly ask the recipient to state the approved payment details. If you simply ask if the written agreement is correct, and the receiver says yes, you could miss both mistakes and fraud attempts. Therefore, ask the receiver to give you the banking details from an independent document, rather than reading the details from the invoice.
What are the common risks and limitations of manual call backs?
There are a few common risks and limitations of manually calling back in each of these situations, including:
- Poor scalability
- Productivity cost
- Not 100% effective in preventing payment fraud
Poor scalability
When procurement teams are making payments to thousands of suppliers every month, one of the key challenges is that performing manual call backs is not scalable.
On any given day, each team member may have five to ten situations where a call back is required. The maths is brutal – an introduction, identity verification and then the all-important bank account verification can take up to half an hour.
Productivity cost
Call back procedures are often viewed as time-sucking activities, and that’s only if you catch the receiver on the first try. When you account for people that don’t answer, and therefore require further chasing, it can get dire.
Due to this stop-start nature, call backs can disrupt the flow of other tasks. Staff are trained not to accept incoming phone calls as part of their validation procedure. So, they can ‘waste’ time closing off any follow up calls that come in.
It could be argued that other tasks, such as making prompt payments to secure early payment discounts, advance the company and add more value than call back procedures.
Not 100% effective in preventing payment fraud
Finally, while call back procedures are strong internal controls in almost every industry, they cannot guarantee reliability in preventing payment fraud.
For example, employees can fail to follow the verification procedures correctly, or fraudsters can intercept the phone systems to receive the call. Both of these can result in attackers slipping through. And it’s more difficult recovering the funds after paying, especially in cases like wire fraud where payments are sent instantly, so cannot be paused.
Furthermore, employees can perform call backs but still remain suspicious. In this case, you should have an escalation protocol in place, extending the verification and withholding the funds if you can’t validate the information.
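The call back steps described earlier and the escalation protocol above, sketched as a release gate that an accounts payable system could apply. This is an added example, not code from the original article or from any vendor; the vendor record, account strings and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed vendor master record: the verified, trusted source of contacts.
VENDOR_MASTER = {
    "V-1001": [
        {"email": "a.buyer@vendor.example", "phone": "+44 20 7946 0101"},
        {"email": "f.controller@vendor.example", "phone": "+44 20 7946 0102"},
    ],
}

@dataclass
class ChangeRequest:
    vendor_id: str
    sender_email: str      # who sent the written request
    new_account: str       # bank details as written in the request
    phone_in_request: str  # untrusted: kept for the record, never dialled

def normalise(account):
    """Compare account strings without spacing or case differences."""
    return "".join(account.split()).upper()

def pick_contact(req):
    """Steps 2 and 3: a vendor-master contact who is not the sender."""
    for contact in VENDOR_MASTER.get(req.vendor_id, []):
        if contact["email"].lower() != req.sender_email.lower():
            return contact
    return None

def decide(req, contact, stated_account, still_suspicious=False):
    """Return (decision, reason); funds are released only on 'approve'.

    stated_account is what the contact read out from their own records
    (step 4), or None if nobody answered the call.
    """
    if contact is None:
        return "escalate", "no independent verified contact on file"
    if stated_account is None:
        return "hold", "call back not completed"
    if normalise(stated_account) != normalise(req.new_account):
        return "escalate", "stated details differ from the written request"
    if still_suspicious:
        return "escalate", "caller not satisfied after the call"
    return "approve", "details confirmed by an independent contact"
```

Note that the contact is never asked to confirm the requested account; the comparison is made against what they state unprompted, and every outcome other than "approve" keeps the payment blocked.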
How can automation enhance or replace call back procedures?
Automation can enhance call back procedures by providing efficiency and reliability in fraud prevention measures.
Here is just a flavour of some of the automation technology out there to enhance call backs:
- Scheduled call services: allow third party vendors to schedule the call at a time when it’s convenient for them, without using the procurement team’s time for admin
- Automated reminders and follow ups: automatically contact partner businesses about their scheduled appointments to reduce missed calls
- Intelligent hold and routing services: shorten queue times with intelligent decision-making, and gather data while the receiver is still in the queue
- Outbound dialers: automatic calling which only connects the procurement team once the customer has answered the phone
But these days, many companies find it worthwhile to replace call back procedures entirely, preferring more effective payment fraud prevention mechanisms, including platforms like Trustpair.
Secure payment campaigns fortify your payment accounts with impenetrable security by detecting suspicious behaviour, like abnormal payment amounts or duplicates. Plus, launch instant account validations on unapproved vendors, performing real-time data checks before payment is made.
With traceable decision-making and seamless integrations, Trustpair’s payment security solution completely eliminates the need for call back procedures. It’s especially impactful for procurement teams that want to get their time back, particularly during month end.
Call back procedures and preventing payment fraud
Call back procedures are performed when teams want to verify account information before making a payment. While they are intended to prevent fraud, call backs have poor scalability, are admin-intensive, and can be unreliable. The better option is to automate payment fraud prevention, using Trustpair, to protect enterprise bank accounts.


