Increasingly the following is becoming a familiar scenario:
A vendor contacts the Accounts Payable team to say that they have not received their funds. Accounts Payable researches and found that they did indeed pay the invoice(s) in question. When the vendor insists, they verify the vendor’s bank account where the money was sent only to discover that it was not the vendors’ bank account. Then the Accounts Payable team does more research to find out that a cybercriminal was successful in getting their team to change the vendors bank account.
Another example is with the City of El Paso, TX where they discovered they sent $2.9M and $300K payments to a fraudster but they only recovered $1.6M and $292K respectively. Following this incident, they implemented verifying with the vendor before changing any banking information.
Now whether your company has been the victim of the same scenario or a breach of vendor sensitive data (tax id, banking information) these four (4) steps will reduce the potential of sending fraudulent payments.
To change an existing vendor’s banking information, implement these 4 steps:
1. Create a Branded Vendor Banking Form
a. Do not accept banking information in the body of an email. An email with banking details does not provide the authentication criteria that you can build into the form.
b. Change it every year. Yes, every year so you or your team can be on alert if they receive an old form. Received an old from form what could be the real vendor? Create a new email and type in the email address you have on file and request that they complete the new form.
c. Require authentication on the form. What does that mean? For existing vendors, It means require either old banking or the last three deposit dates and amounts in order to change the bank account. No, not everyone at your vendors place of business will have that information, but they can give the form to someone who does. It should never be easy to change a vendor’s bank account.
For this to work….Mask banking information and/or payment information from any team member that does not need access. You don’t want the cybercriminal getting the bank account or payment information from “Helpful Sally” then using it to authenticate on the form.
d. Require a signature. Accept a wet signature or a digital signature. Be careful with creating a PDF form with a digital signature built into the form. For some users, Windows 10 defaults PDF files to Microsoft Edge which can cause an error when they try to open the form. To avoid many emails or calls from vendors saying they cannot open the form, better to remove the digital signature feature and let the vendor use their own digital signature tool to sign if they have one. Require that the signature has a date and/or a PIN affixed.
2. Confirm that the bank account number and bank account name match bank records. This is a critical step that most companies leave out because they are unaware that the service exists. Just like you confirm that the vendor’s Legal Name and Tax ID match IRS records, confirm that the bank account number and bank account name match. How? Does your company bank at Bank of America, Branch Banking & Trust (BB&T), Capital One, JPMorgan Chase, or Wells Fargo? You may be able to go directly to Early Warning to use the solution directly. If not check out one of their resellers that include GIACT Systems.
3. Yes, then contact the vendor to confirm the change. Once you receive the branded banking form and have confirmed the information matches what you have on file, use the existing information on the vendor record to contact the vendor. Call the vendor to verify the change. Create a new email to the vendors email address on file. No phone number or email address on file or unable to locate elsewhere (contract, URL, etc?), then send a letter. Better snail mail than hoping to recover a fraudulent payment. Then put a process in place to require a telephone number and email address for all new vendors and start a project to obtain that information from your vendors for future confirmations. Also, keep in mind that vendors may not respond right away, so you need a way to track. If the vendor does not respond in say 24-48 hours, do not process the request, do not reply to the source email.
4. Lastly, send a notification to the vendor after the change. This is the same experience we have when we change our information on Amazon or with our bank. Read more on my blog post here.
Yes – all of this will take more time, and it should since you are protecting your company’s assets by protecting the vendor master file from fraud. Want to be efficient? Implement a Vendor Self-Registration portal and make sure it includes vendor authentication, masking of the bank account and tax id, required validations, and vendor notifications. The vendor can authenticate themselves then update their own bank account and the system can validate and send them a confirmation of the change. Already have one and it’s missing key elements? Supplement by having the team perform what’s missing.
For all the check payers out there – you’re not safe. Yes, cybercriminals reroute check payments by changing the remit address, same as they do with changing bank information. Next week’s blog.
Debra R. Richardson,
MBA, APM, APPM, CPRS
Debra is an accounts payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors and Aramark.
For the past eight years, Debra has focused on Global Vendor Maintenance, and implemented a vendor self-registration portal for 140k+ global vendors across five Accounting Systems/ERPs. In her consultancy, she focuses on internal controls and authentication to prevent fraud in the vendor master file.