By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
Cybersecurity insights about increasingly common payment diversion scams
Scammers are becoming more sophisticated in their attempts to defraud businesses. One of the most common scams is one in which an impostor poses as a trusted vendor and sends the victim new invoice payment instructions. In 2020, the National Automated Clearing House Association (Nacha) reported 75,000 vendor impersonation schemes, which resulted in losses of over $2.7 billion.
Example of a Vendor Impersonation Scam
A hacker gains access to ABC Services Company’s systems and to the email account of Ann Brown, one of its employees. Using Ann Brown’s mailbox, the hacker emails ABC Services Company’s client, Smith Corp, informing them that invoice payment instructions have changed, and directs Smith Corp to wire all future payments to a different bank in Sweden. Because the message comes from a genuine, known mailbox, nothing about the sender address looks suspicious.
Smith Corp directs invoice payments to the new bank which total over $65,000.
Smith Corp discovers the fraud when an ABC Services Company employee contacts them regarding unpaid invoices.
This is one example. Other variations of the vendor impersonation payment scam include requests to update the bank account and routing number on file. Responding to these attacks in a timely manner is particularly difficult because detection is usually delayed: the fraud typically comes to light only when the real vendor follows up about an invoice that was never paid, by which time the funds have often already been moved out of the receiving account.
Steps your company can take to avoid payment and phishing scams
1. Train Your Employees
Your best defense is an informed workforce.
- Sharpen your employees’ awareness of cyber threats and help them learn how they can play a role in defending your company.
- Train them to be vigilant and to question any unusual requests.
- Provide an employee education and awareness program to keep employees up to date on the latest fraud techniques and threats.
- Frequent employee training on how to recognize malicious actors is an essential piece of any cybersecurity plan.
2. Verify the Request
If you receive an email or phone call requesting a change in payment instructions:
- Verify the request with the vendor using a phone number or email address your company already has on file, such as the contact details in the vendor master file or the signed contract.
- Do not use the contact information provided in the email or by the caller, and do not simply reply to the email. As the example above shows, the sender’s own mailbox may be compromised, so a reply goes straight to the attacker.
3. Check the Invoice
Scammers often create invoices that look similar to the invoices your company is already used to receiving, including the names and logos of the vendor they are impersonating. Scammers also know that when an invoice is for something critical, like keeping your website up and running, you may pay first and ask questions later. Once a payment has been sent, you may be unable to recover those funds. It is important to set up a review process for all invoices your company receives.
- Match the invoices submitted by a vendor against financial documents like purchase orders and payment receipts.
- Validate any payment requests received via email. Call the sender at a phone number known to your company and verify the request.
4. Use Secure Payment Methods
Scammers prefer payment methods that are hard to trace or reverse. They often ask for payment by wire transfer, reloadable card, or gift card, all of which are difficult or impossible to recall once sent. Use payment methods that can be traced and, if necessary, reversed.
5. Establish Effective Internal Controls
To effectively combat vendor fraud, organizations need to establish effective internal controls.
- Segregate duties so that no one individual is in a position to control all parts of a business transaction.
- Implement dual controls by requiring two users to be a part of a transaction. Vendor fraud thrives in organizations where just one employee vets vendor invoices.
- Conduct regular audits of both your business transactions and your IT infrastructure.
- Perform periodic reviews of changes made to the vendor master file by someone who is independent of the vendor setup process, paying particular attention to changes to bank account, routing number, and remittance email fields.
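The verification and internal-control steps above (call back on a known number, dual control, independent review of vendor master file changes) can be turned into a repeatable review. The following is an added example, not code from the original article or from Keiter: it reads a vendor master change log in a constructed CSV format and flags changes to payment fields that lack dual control, lack an independent call-back, used contact details taken from the request itself rather than from a known-good source, or move a bank account to a different country. The column names, the user IDs, the sample rows, and the convention that a bank account value starts with a two-letter country code are all assumptions made for the example.

```python
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample vendor master change log; the vendors, users and
# account values are invented for this example.
CHANGE_LOG = """change_id,vendor_id,vendor_name,field,old_value,new_value,changed_by,approved_by,callback_verified_by,callback_number_source
C1001,V100,ABC Services Company,bank_account,US-111222333,SE-9988776655,jdoe,jdoe,,
C1002,V200,Northwind Supply,remit_email,ap@northwind.example,ap@northwind-billing.example,asmith,bjones,,
C1003,V300,Contoso Parts,bank_account,US-444555666,US-444555999,asmith,bjones,cwhite,vendor_master_file
C1004,V400,Fabrikam Ltd,bank_account,GB-123456,GB-654321,asmith,bjones,cwhite,email_signature
C1005,V500,Tailspin Toys,contact_phone,+1-555-0100,+1-555-0101,asmith,bjones,,
"""

# Fields whose change can redirect money; only these require the call-back control.
PAYMENT_FIELDS = {"bank_account", "routing_number", "remit_email"}

# Sources of a call-back number that were on file *before* the request arrived.
TRUSTED_CALLBACK_SOURCES = {"vendor_master_file", "signed_contract"}


@dataclass
class Finding:
    change_id: str
    vendor_name: str
    reason: str


def bank_country(value: str) -> str:
    # Assumption for this example: account values are prefixed with an
    # ISO-style two-letter country code, e.g. "SE-9988776655".
    return value[:2].upper()


def review_changes(log_text: str) -> list[Finding]:
    """Return one Finding per control failure found in the change log."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["field"] not in PAYMENT_FIELDS:
            continue
        cid, name = row["change_id"], row["vendor_name"]
        changed_by, approved_by = row["changed_by"], row["approved_by"]
        verifier, source = row["callback_verified_by"], row["callback_number_source"]

        # Dual control: the person entering the change must not approve it.
        if changed_by == approved_by:
            findings.append(Finding(cid, name, "same user entered and approved the change (no dual control)"))

        # Call-back verification must exist, be done by an independent person,
        # and use a number that was already on file.
        if not verifier:
            findings.append(Finding(cid, name, "no call-back verification recorded"))
        elif verifier in (changed_by, approved_by):
            findings.append(Finding(cid, name, "call-back performed by a non-independent user"))
        elif source not in TRUSTED_CALLBACK_SOURCES:
            findings.append(Finding(cid, name, f"call-back used contact details from '{source}', not a known-good number"))

        # A bank account that jumps to another country deserves a second look.
        if row["field"] == "bank_account":
            old_cc, new_cc = bank_country(row["old_value"]), bank_country(row["new_value"])
            if old_cc != new_cc:
                findings.append(Finding(cid, name, f"bank country changed {old_cc} -> {new_cc}"))
    return findings


def flagged_change_ids(log_text: str) -> list[str]:
    """Distinct change IDs with at least one finding, in log order."""
    seen = []
    for f in review_changes(log_text):
        if f.change_id not in seen:
            seen.append(f.change_id)
    return seen


if __name__ == "__main__":
    for f in review_changes(CHANGE_LOG):
        print(f"{f.change_id} {f.vendor_name}: {f.reason}")
```

Run against the sample log, the review flags C1001 three times (self-approved, never called back, account moved from US to SE), C1002 once (no call-back on a remittance email change), and C1004 once (the call-back used a number from the email signature, which is exactly the contact information the request itself supplied). C1003 passes every check and C1005 is ignored because a contact phone change cannot redirect a payment. In a real review the script would read the change log exported from the ERP rather than an inline string, and the reviewer running it should be someone other than the users who appear in the changed_by and approved_by columns.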
6. Be Aware of Common Scams
Scammers regularly find new ways to collect your financial data.
- Be aware of these scams and take steps to prevent them.
- Build a network of business peers who can share information about new cybersecurity threats they become aware of.
By following these tips, businesses can reduce their exposure to scams, including vendor impersonation. It is important to be vigilant and to question any unusual request, especially one that changes where money is sent. By doing so, businesses can avoid falling victim to these scams and protect their financial resources.
To learn more about protecting your business from the latest cybersecurity threats, access Keiter Technologies’ collection of free cybersecurity resources by clicking the Infosecstack icon below.
For assistance meeting your company’s cybersecurity governance needs, contact our Keiter Cybersecurity Specialist today.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.