Last week, I had the honor of presenting at the TMANY 2022 Cash Exchange Conference alongside Christopher Arehart, SVP, First Party Product Manager, North America Financial Lines at Chubb.  We had one hour to share with treasury professionals everything we wanted them to know about vendor impersonation frauds, why they are successful, and how to address organizational risk in the vendor onboarding and management process.  (For the record, I believe Chris and I could actually speak for a solid six hours on this subject, so it was a tall order to fit it into 60 minutes!)

For those of you who were not able to attend the exceptional TMANY event, I offer the following quick takes on our subject:

1. A good vendor impersonation scam will be impossible for your staff to spot. (Yes, impossible).
2. Social engineering losses are generally not covered by crime or cyber insurance policies (or if they are, they have very low limits).
3. If you cannot audit your vendor onboarding and change process, then it’s not actually a process, and it’s likely not insurable.

Let's dig in.

At PaymentWorks, we are passionate about secure vendor onboarding as the lynchpin of secure payments.  When nearly three quarters of organizations have actual or attempted payments fraud scams aimed at them, we know that finding ways to gain peace of mind when it comes to avoiding these scams is keeping a lot of you up at night.  

Think your bank account verification process confirms ownership? Think again.

How procurement and finance departments verify banking information generally falls into these three buckets:

1. Collecting a voided check or account info on bank letterhead
2. Calling the vendor to confirm the change
3. Multi levels of internal approvals for changes

All of these seem, on the surface, to be solid, but are not infallible in defending the vendor master from infiltration by fraudsters.  If your organization is relying on any of these three ways to ensure the validity of your vendor master file's banking info, you are likely leaving holes wide enough for a fraudster to walk right in. 

Let’s break each one down:

Author note: I had the pleasure of meeting Kristen Drobnis during this past summer.  She was gracious with her time and passionate about risk.  This combination intrigued me so much I immediately asked her if she would be on our podcast.  This podcast and blog are taken from our interview in August 2021.

As the Chief Risk and Privacy Officer for Commonwealth Financial Network, one of the largest privately-held broker dealers in the United States, Kristen Drobnis understands risk as well as anybody. 

And while the word ‘risk’ itself conjures up images of theft, fraud and other treacherous topics, Kristen brings a calm and measured approach to this fascinating industry.

PaymentWorks sat down with Kristen to discuss many topics, including why she loves her job, how to deal with fraudsters intent on playing the long game, and what element of dealing with risk keeps her up at night.

You can listen to the entire podcast here.

All day long we hear from customers and prospects alike that their vendor master data is ‘a mess’, ‘out of date’ and ‘full of duplicates’.  We have published in the past about the hidden ways your vendor master is costing your organization with both fraud risk and compliance issues, but we understand that many organizations find it to be a challenge to quantify those risks in dollar terms when working towards making an investment in automation and clean up. 

We get it, it can be overwhelming to nail down the myriad ways a messy vendor is costing your organization.  We’ve spoken with countless customers and prospects and gathered for you these three factors you can, and should, consider when creating your cost/benefit analysis.

In the course of building our network and our platform, we did what product people do: we talked to the market.  When it comes to the risk associated with vendor onboarding, everyone we spoke to was united.  However, when it came to how to solve it, consensus was elusive. Vendor management, AP and Procurement personnel know they should not trust banking information that arrives via email.  That is a given. To solve this most seem to focus verifying vendor banking information.  But what, exactly, does that mean?

How banking information gets 'verified', generally falls into these three buckets:

1. Collecting a voided check or account info on bank letterhead
2. Calling the vendor to confirm the change
3. Multi levels of internal approvals for changes

All of these seem, on the surface, to be solid, but are not infallible in defending the vendor master from infiltration by fraudsters.  The devil, as they say, is in the details. If your organization is relying on any of these three ways to ensure the validity of your vendor master file's banking info, you are likely leaving holes wide enough for a fraudster to walk right in.

We talk a lot (I mean A LOT) around these parts about the constant threat posed to organizations when it comes to business payments fraud.  And you can see why:

• 74% of companies reported they were the target of an actual or attempted payments fraud scam in 2020- AFP Payments Fraud and Controls Survey, 2021
  
  
• Email compromise scams accounted for $2B in losses in 2020 - FBI Internet Crime Report, 2021
  
  
• 62% of financial losses due to social engineering frauds were the result of either an absence of controls, human error, or a process not being followed- Willis Towers Watson database statistic, 2020

The problem is, numbers this huge can tend to make a problem seem unknowable and unsolvable.  Especially since we very rarely get to learn exactly what happened. When an organization suffers financial losses due to a fraudster, they are usually unwilling or unable to share the details publicly, so the financial community as a whole doesn’t get to learn anything that could help them to avoid the same fate. 

Until now.

Julie-Anne White isn't going to argue that having a clean vendor master file is more important to a company than generating sales and growing revenue. (Because it isn't.)

But that doesn't mean the financial industry veteran thinks companies should penny pinch by failing to devote resources to vendor management. (Because they shouldn't.)

We interviewed Julie-Anne on the importance of accurate vendor information for our Risky Business podcast.  You can listen to the entire interview here.

"I feel as if I am holding a hand grenade with the pin pulled."

This is an actual quote from one of our customers, before she was a customer.  We hear versions of this all of the time when we speak to prospects. People are scared.