Check Payment Method? Still Needs to be Protected from Cybercriminals

In last week’s blog post “4 Steps to Protect Your Vendors Banking from Being Changed by a Cybercriminal Includes a Critical Step Most Companies Leave Out” after identifying ways to protect your vendor master file from being updated with fraudulent banking, I warned that those who thought they were immune to cybercriminals because they only issue check payments were in for a surprise.

True story at an event this year I was at a table talking about fraudulent payments in general and a statement was made that there was no need to worry for their entity because they wrote mostly checks.  I then explained that not only all payment methods, but all the vendor contact information in your vendor master file that is used to confirm vendor banking changes for example, needed to be protected. 

Phishing and the Check Payment Method

There are internal controls surrounding both the physical check such as use blank instead of pre-printed check stock and lock it up, don’t take checks to the mail room until they are ready to be collected,  and use positive pay to prevent fake checks from being cashed.  These controls and more, should be implemented. 

What I am talking about in this blog is a cybercriminal successfully changing a vendor’s remit address to reroute check payments. 

Even if the cybercriminal does not deposit the check (or create fake checks), they now have critical vendor data included on the check stub such as:

  • Vendor name

  • Vendor dba

  • Vendor number

  • Invoice number

  • Invoice amount

  • Date Paid

  • Check number

  • PO information

Depending on how many invoices are included on the check stub, they may be able to see average invoice amounts.  Next, they may be able to submit fake invoices that match the trending invoice amounts and invoice numbers that won’t stick out on any reporting that is reviewed and have another payment go out before the vendor contacts Accounts Payable (AP) to inquire about their payments.  Remember the cybercriminal may have more time to perpetrate a fraud because your real vendor may not recognize that the payment was rerouted until it’s too late due to normal delays that may be expected with check payments.   

Bottom Line – Protect Your Vendor’s Remit Address

How do you do that?  Very similar to your vendor’s banking.   To change an existing vendor’s remit address information, implement these 4 steps:

1.       Create or Update Your Vendor Setup Form and Require it for Remit Address Changes 

a.       Include “Old” and “New” Fields.  Did your vendor move or is this an additional location?  Instead of having AP Vendor Maintenance guess, or worse, keep adding addresses to the vendor record (or vendor records, or partners), you have a way have the vendor clearly tell you.  Requiring the old address can serve as an authentication especially if you also ask for the Tax ID.

i.      Bonus:  Combine it with a W-9 and call it a Substitute W-9 Vendor Setup Form.   The IRS allows a combination of the Substitute W-9 with a company form.  This way you can capture not only the information you need to determine whether the vendor is reportable or not, but you can also include any information your company needs to complete vendor onboarding or additional fields on the vendor record.     

ii.      Worth Considering:  Adding other vendor critical data on the vendor record.  You use email addresses and telephone numbers to send remittance advices, verify changes and for notifications of changes made.  Protect this data by requiring this form for changes in these fields as well.   

b.       Require a signature.  Accept a wet signature or a digital signature.  Also require a printed or typed name and phone number. 

2.       Verify the New Address is Real.  This validation may be built into your system depending on your ERP if you have PeopleSoft, SAP, for example.  If not, check with USPS vendor by vendor, TINCheck.com or other try 3rd Party Providers.  Some 3rd Party Providers can not only identity whether the address is a valid address, but also whether the address matches the vendor. 

3.       Contact the vendor to confirm the change.  Call the vendor to verify the change.  Create a new email to the vendors email address on file.  No phone number or email address on file or unable to locate elsewhere (contract, URL, etc?), then send a letter.  Better snail mail than hoping to recover a fraudulent payment.  Then put a process in place to require a telephone number and email address for all new vendors and start a project to obtain that information from your vendors for future confirmations.  Also, keep in mind that vendors may not respond right away, so you will need to put a process in place to track.

a.       Can you skip this step?  Maybe.  If the vendors payment method is not check AND you have a system to send the notification to the vendor after change.  That notification can be enough to alert the vendor that a change has been made.  Review your processes to verify this is possible.

4.       Lastly, send a notification to the vendor after the change.  This is the same experience we have when we change our information on Amazon or with our bank.  Read more on my blog post here.

To requote a line from last week’s blog “Yes – all of this will take more time, and it should since you are protecting your company’s assets by protecting the vendor master file from fraud.”  Again the best solution to be efficient is a Vendor Self-Registration portal and make sure it includes vendor authentication, masking of the bank account and tax id, required validations, and vendor notifications.  The vendor can authenticate themselves then update or submit vendor record changes within the portal and the portal can validate, update and send them a confirmation of the change. 

What did I miss? Does your department add another validation or confirmation? I’d love to hear about it – comment below or email me at debra@debrarrichardson.com.

Looking for a Substitute W-9 Vendor Setup Form? Get the Toolkit here.

DEBRA+R+RICHARDSON.jpg

Debra R. Richardson,

MBA, APM, APPM, CPRS

Debra is an accounts payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors and Aramark.

For the past eight years, Debra has focused on Global Vendor Maintenance, and implemented a vendor self-registration portal for 140k+ global vendors across five Accounting Systems/ERPs. In her consultancy, she focuses on internal controls and authentication to prevent fraud in the vendor master file.