Vendor Onboarding 101: How to Build a More Secure and Compliant Process

Top 3 Take-Aways from Our Live Event with AP Guru, Debra R. Richardson

We recently had the pleasure of talking to Debra R. Richardson, LLC., who is using her 20+ years of experience in AP, AR, general ledger and financial reporting for Fortune 500 companies to help AP teams implement authentication

techniques, internal controls and best practices to prevent fraud in the vendor master file. She also has a weekly blog and hosts the podcast: “Putting the AP in hAPpy”.

Last week, I had the honor of presenting at the TMANY 2022 Cash Exchange Conference alongside Christopher Arehart, SVP, First Party Product Manager, North America Financial Lines at Chubb.  We had one hour to share with treasury professionals everything we wanted them to know about vendor impersonation frauds, why they are successful, and how to address organizational risk in the vendor onboarding and management process.  (For the record, I believe Chris and I could actually speak for a solid six hours on this subject, so it was a tall order to fit it into 60 minutes!)

For those of you who were not able to attend the exceptional TMANY event, I offer the following quick takes on our subject:

1. A good vendor impersonation scam will be impossible for your staff to spot. (Yes, impossible).
2. Social engineering losses are generally not covered by crime or cyber insurance policies (or if they are, they have very low limits).
3. If you cannot audit your vendor onboarding and change process, then it’s not actually a process, and it’s likely not insurable.

Let's dig in.

The 2021 numbers are in... and fraudsters are still gonna fraud.

Both the Association of Financial Professionals 2022 Payments Fraud and Controls Survey and the FBI's Internet Crime Report for 2021 recently published, and while there were no big surprises, there were a couple of points that are worth pondering.

All the cybersecurity tools in the world aren’t going to protect your organization from a fraudster who has succeeded in getting your employee to believe a scam.

It’s no secret that fraudsters have figured out how to trick even the most diligent and well-trained employee into believing that they are dealing with their actual vendor. Once they’ve done that, it’s just a matter of time until banking information is changed and the fraudster runs off with money that was intended for your supplier. 

The aftermath of such an event isn’t pretty: bad press, lost jobs, damaged reputations.

Here are three common ways that fraudsters will attempt to trick your employees- and what you should watch out for.

Social Engineering Fraud & Vendor Management: Friction vs. Risk Live Event Synopsis

Social engineering fraud, business email compromise (BEC) fraud and business-to-business payments fraud: three different names, same game. All are a form of a man in the middle attack, where a fraudster sends an email to an accounts payable person to request a change to the banking credentials in the vendor master to divert a valid vendor payment to a fraudulent bank account. This is the largest source of cybercrime from a monetary standpoint and it only continues to increase.

To address this problem, we brought together three industry experts in a panel discussion, “Social Engineering Fraud & Vendor Management: Friction vs. Risk”. Joe Hussey, vice chair at J.P. Morgan, Rob Unger, senior director for product management and strategic initiatives with Nacha and Thayer Stewart, CEO of PaymentWorks, dissected social engineering fraud and how it plays into the vendor management process and specifically what role the battle between friction and risk plays in finding a solution.

Watch a clip below!

Our recent live event, Social Engineering Fraud and Your Vendor Master - Managing the Risk, brought together industry experts – Taylor Nemeth, Head of Payments at PaymentWorks, and Christopher Arehart, SVP and Product Manager of Crime, Financial Fidelity, Kidnap/Ransom and Extortion at Chubb Insurance. (The dynamic duo also happen to be co-authors of the recent white paper “Guarding Against Social Engineering Fraud." Please download a free copy!)

They took a deep dive into the increasingly hot topic of business payments fraud, which they agree is, at the core, an identity problem. This identity problem happens to be a multi-billion-dollar problem which can be attributed to the combined effect of the fact that 300+ billion emails are being exchanged every day across businesses and individuals and that 30% of existing suppliers are changing their information over the course of a year (PaymentWorks database statistic, 2021). This has added up to $28 billion in losses with an average incident loss of over $150,000 (from 2016-2020), a number which has doubled in 2021! (FBI Internet Crime Report 2021.)

The big question on everyone’s mind is how can organizations avoid this problem and avoid the financial and reputational loss that comes with it? Here, we offer you the top three takeaways from this electric and informational event.

With organizations of all sizes around the country continuing to be top targets of fraudsters, everyone talks a lot about ‘being careful’ with vendor onboarding.  But how does 'being careful' avoiding scams actually manifest in the day-to-day duties carried out by those folks tasked with onboarding new vendors and managing vendor changes?  

To find out, we went straight to the source and asked the people who work on the frontlines of vendor management. Here is their advice for keeping your organization off a fraudster’s target list and out of the headlines!

The great news? Many of these pearls of wisdom could be put into play by your vendor desk person as quickly as today. (75% of you deal with an attempted or actual fraud every year!*)

At PaymentWorks, we are passionate about secure vendor onboarding as the lynchpin of secure payments.  When nearly three quarters of organizations have actual or attempted payments fraud scams aimed at them, we know that finding ways to gain peace of mind when it comes to avoiding these scams is keeping a lot of you up at night.  

Think your bank account verification process confirms ownership? Think again.

How procurement and finance departments verify banking information generally falls into these three buckets:

1. Collecting a voided check or account info on bank letterhead
2. Calling the vendor to confirm the change
3. Multi levels of internal approvals for changes

All of these seem, on the surface, to be solid, but are not infallible in defending the vendor master from infiltration by fraudsters.  If your organization is relying on any of these three ways to ensure the validity of your vendor master file's banking info, you are likely leaving holes wide enough for a fraudster to walk right in. 

Let’s break each one down:

Author note: I had the pleasure of meeting Kristen Drobnis during this past summer.  She was gracious with her time and passionate about risk.  This combination intrigued me so much I immediately asked her if she would be on our podcast.  This podcast and blog are taken from our interview in August 2021.

As the Chief Risk and Privacy Officer for Commonwealth Financial Network, one of the largest privately-held broker dealers in the United States, Kristen Drobnis understands risk as well as anybody. 

And while the word ‘risk’ itself conjures up images of theft, fraud and other treacherous topics, Kristen brings a calm and measured approach to this fascinating industry.

PaymentWorks sat down with Kristen to discuss many topics, including why she loves her job, how to deal with fraudsters intent on playing the long game, and what element of dealing with risk keeps her up at night.

You can listen to the entire podcast here.