Social Engineering Fraud & Vendor Management: Friction vs. Risk Live Event Synopsis
Social engineering fraud, business email compromise (BEC) fraud and business-to-business payments fraud: three different names, same game. All are a form of a man in the middle attack, where a fraudster sends an email to an accounts payable person to request a change to the banking credentials in the vendor master to divert a valid vendor payment to a fraudulent bank account. This is the largest source of cybercrime from a monetary standpoint and it only continues to increase.
To address this problem, we brought together three industry experts in a panel discussion, “Social Engineering Fraud & Vendor Management: Friction vs. Risk”. Joe Hussey, vice chair at J.P. Morgan, Rob Unger, senior director for product management and strategic initiatives with Nacha and Thayer Stewart, CEO of PaymentWorks, dissected social engineering fraud and how it plays into the vendor management process and specifically what role the battle between friction and risk plays in finding a solution.
Watch a clip below!
Watch the entire discussion here!
Here are our top takeaways from this fascinating conversation:
Education, Education, Education
Fraudsters are getting even more sophisticated (we’re talking next level stuff like AI voice cloning to scam an organization out of $35 million) and they're always going to be attacking and probing for weaknesses which is why it is so important to stay educated.
However, even when employees are educated, best practices are not always followed. This can be the case with "out of band" verifications when it comes to an email request to change bank account information, which is not an easy thing to do if you’ve got hundreds or thousands of suppliers. According to Rob, “We know from some of our surveys that not everybody verifies that out of band with a phone call. That solution doesn't always scale.”
Joe utilizes multiple training tools to ensure his staff receives between 10-15 hours of fraud-related training each year. He said, “Education is a very difficult thing. It has to be done upfront and then it needs to be done at least annually. Without it, people will forget and will stray away from those standard protocols. Keeping it in front of employees is key.”
So how can you keep employees engaged? Joe recommends sample testing; sending employees emails to see how they respond. “In this case, we kind of need that level of audit, and I hate to use that word because everyone cringes when you say audit, but that auditing of, ‘Show me your last 50 vendor changes. How did they occur? Show me the steps that were validated in them’."
Strike a Balance Between Risk and Cost
We know that even with automation, which is the only way to truly prevent fraud, humans will always play a role in the process. Gatekeepers and decision ma kers will always play a part. But how to find the right balance remains the toughest part to get right. Thayer elaborates on the heart of the issue in this clip:
The bottomline seems to be that even with the best internal defense in place, anytime you have an exchange of information, you have an opportunity for fraud. This is why Rob feels that while having policies, adding automation and defining risk tolerance does indeed add pressure to internal personnel who are following the controls and adds customer friction, it’s simply what has to be done.
Put Your Vendors to the Test
When it comes to truly tackling the risk of fraud, Joe states: “Being nimble and being automated is the only way you do this.” So, what should you look for when partnering with a vendor to automate supplier onboarding?
Rob said that it depends on your risk tolerance, your internal policy and how far you want to go, but at minimum, a solution should do the basics in validating name, tax ID, address and managing compliance, and you should re-verify the solution at least annually. Joe takes it a step further and advises his clients to be really careful when selecting a vendor package that's already attached to something else you bought or purchased. He elaborates in this clip:
This underscores why it is so important to choose a vendor who is committed to evolving to meet the ever-changing needs of organizations in today’s world, because if there is one thing we’ve established, it is that fraudsters are never going to rest, so neither should your vendor onboarding partner.
Want to Learn More?
Blog: The ROI on a Clean Vendor Master
White paper: Guarding Against Social Engineering Fraud: Re-examining a Global Problem