How to Identify and Prevent Vendor Impersonation Scams

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Cybersecurity insights about increasingly common payment diversion scams

Scammers are becoming more sophisticated in their attempts to defraud businesses. One of the most common scams is one in which an imposter pretends to be a vendor of a trusted company and sends new invoice payment instructions. In 2020, the National Automated Clearing House Association (Nacha) reported 75,000 vendor impersonation schemes, which resulted in losses of over $2.7 billion.

Example of a Vendor Impersonation Scam

A hacker gains access to ABC Services Company’s systems and to the email account of Ann Brown, an ABC employee. Using Ann Brown’s mailbox, the hacker sends an email to ABC Services Company’s client, Smith Corp, informing them that invoice payment instructions have changed. The hacker directs Smith Corp to wire all future payments to a different bank in Sweden.

Smith Corp directs invoice payments to the new bank which total over $65,000.

Smith Corp discovers the fraud when an ABC Services Company employee contacts them regarding unpaid invoices.

This is one example. Other variations of the vendor impersonation payment scam could include directions to update the bank account and routing number. Responding to these types of attacks in a timely manner can be particularly difficult because there can be significant delays in the detection of the scam. The fraudulent act is not usually revealed until a company’s client sends a reminder about a payment that is due.

Steps your company can take to avoid payment and phishing scams

1. Train Your Employees

Your best defense is an informed workforce.

2. Verify the Request

If you receive an email or phone call requesting a change in payment instructions:

  • Verify the request with the vendor using a known phone number or email address.
  • Do not use the contact information provided in the email.

3. Check the Invoice

Scammers often create invoices that look similar to invoices your company is already used to receiving. They may include names and logos from the vendor they are impersonating. Scammers know that when the invoice is for something critical, like keeping your website up and running, you may pay first and ask questions later. However, once you pay, you may not be able to recover those funds. It is important to set up a review process for all invoices your company receives.

  • Match the invoices submitted by a vendor against financial documents like purchase orders and payment receipts.
  • Validate any payment requests received via email. Call the sender at a phone number known to your company and verify the request.

4. Use Secure Payment Methods

Scammers use untraceable payment methods. They often want payment through wire transfers, reloadable cards, or gift cards that are nearly impossible to reverse or track. Use secure payment methods that can be traced and reversed if necessary.

5. Establish Effective Internal Controls

To effectively combat vendor fraud, organizations need to establish effective internal controls.

  • Segregate duties so that no one individual is in a position to control all parts of a business transaction.
  • Implement dual controls by requiring two users to be a part of a transaction. Vendor fraud thrives in organizations where just one employee vets vendor invoices.
  • Conduct regular audits of both your business transactions and your IT infrastructure.
  • Perform periodic reviews of changes made to the vendor master file by someone who is independent of the vendor setup process.
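The verification step (step 2) and the dual-control and vendor-master-review controls (step 5) can be turned into a repeatable check that an independent reviewer runs against the change log. The following Python script is an added example, not code from the article or from Keiter; the vendor master layout, the field names such as `verified_via` and `approved_by`, and all sample records are constructed for illustration. It flags payment-detail changes that were not confirmed by a callback to the phone number already on file, changes entered and approved by the same user, and requests arriving from an unexpected sender domain. Note that the second sample change reproduces the article’s scenario: the request comes from the real employee’s compromised mailbox, so the sender domain matches and only the callback and dual-control checks catch it.

```python
"""Independent review of vendor master file changes (added example, not the article's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Vendor master fields whose change redirects money. Any edit here is payment-sensitive.
PAYMENT_FIELDS = {"bank_name", "bank_account", "routing_number", "swift_bic", "remit_to_address"}

# The only verification method that satisfies "call the vendor at a number you already have".
ACCEPTED_VERIFICATION = {"callback_known_number"}


@dataclass
class Finding:
    change_id: str
    vendor_id: str
    reasons: List[str] = field(default_factory=list)


def review_vendor_changes(changes: List[Dict], vendor_master: Dict[str, Dict]) -> List[Finding]:
    """Flag vendor master changes that violate dual control or callback verification."""
    findings: List[Finding] = []
    for ch in changes:
        reasons: List[str] = []
        vendor: Optional[Dict] = vendor_master.get(ch["vendor_id"])
        if vendor is None:
            reasons.append("vendor_id not present in master file")

        # Dual control: a second, different person must approve every change.
        approver = ch.get("approved_by")
        if not approver:
            reasons.append("no second approver recorded")
        elif approver == ch["entered_by"]:
            reasons.append("entered and approved by the same user")

        if ch["field"] in PAYMENT_FIELDS:
            # The callback must go to the number already on file, never one supplied in the request.
            if ch.get("verified_via") not in ACCEPTED_VERIFICATION:
                reasons.append("payment detail changed without callback to a known number")
            elif vendor and ch.get("verification_phone") != vendor["phone_on_file"]:
                reasons.append("callback made to a number that is not on file")
            # A mismatched sender domain is a signal; a matching one proves nothing,
            # because a compromised legitimate mailbox passes this check.
            if vendor:
                sender_domain = ch["requested_from_email"].rsplit("@", 1)[-1].lower()
                if sender_domain != vendor["email_domain"]:
                    reasons.append(f"request came from unexpected domain {sender_domain}")

        if reasons:
            findings.append(Finding(ch["change_id"], ch["vendor_id"], reasons))
    return findings


# Constructed vendor master: one record with the contact details already on file.
VENDOR_MASTER = {
    "V-1001": {"name": "ABC Services Company", "email_domain": "abcservices.example",
               "phone_on_file": "+1-555-0100"},
}

# Constructed change log entries for the reviewer to examine.
SAMPLE_CHANGES = [
    # Properly handled: different approver, callback to the number on file.
    {"change_id": "CHG-1", "vendor_id": "V-1001", "field": "bank_account",
     "entered_by": "jdoe", "approved_by": "mlee", "verified_via": "callback_known_number",
     "verification_phone": "+1-555-0100", "requested_from_email": "ann.brown@abcservices.example"},
    # The article's scenario: real mailbox, but one clerk did everything and only replied by email.
    {"change_id": "CHG-2", "vendor_id": "V-1001", "field": "bank_account",
     "entered_by": "jdoe", "approved_by": "jdoe", "verified_via": "reply_to_email",
     "verification_phone": None, "requested_from_email": "ann.brown@abcservices.example"},
    # Non-payment field, but still missing the second approver.
    {"change_id": "CHG-3", "vendor_id": "V-1001", "field": "contact_phone",
     "entered_by": "jdoe", "approved_by": None, "verified_via": None,
     "verification_phone": None, "requested_from_email": "ann.brown@abcservices.example"},
    # Callback was made, but to the number printed in the suspicious email, from a look-alike domain.
    {"change_id": "CHG-4", "vendor_id": "V-1001", "field": "routing_number",
     "entered_by": "jdoe", "approved_by": "mlee", "verified_via": "callback_known_number",
     "verification_phone": "+46-8-555-0199", "requested_from_email": "billing@abc-services-invoices.example"},
]


if __name__ == "__main__":
    for f in review_vendor_changes(SAMPLE_CHANGES, VENDOR_MASTER):
        print(f.change_id, f.vendor_id, "; ".join(f.reasons))
```

The reviewer running this should be someone outside the vendor setup process, as the article recommends, and the list of findings is the starting point for a follow-up call to the vendor, again using the number on file rather than anything in the change request.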

6. Be Aware of Common Scams

Scammers regularly find new ways to collect your financial data.

  • Be aware of these scams and take steps to prevent them.
  • Build a network of business peers who can share information about new cybersecurity threats they become aware of.

By following these tips, businesses can protect themselves from scams, including vendor impersonation. It is important to be vigilant and to question any unusual requests. By doing so, businesses can avoid falling victim to these scams and protect their financial resources.

To learn more about protecting your business from the latest cybersecurity threats, access Keiter Technologies’ collection of free cybersecurity resources by clicking the Infosecstack icon below.

For assistance meeting your company’s cybersecurity governance needs, contact our Keiter Cybersecurity Specialist today.

About the Author

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
