In the course of building our network and our platform, we did what product people do: we talked to the market. When it comes to the risk associated with vendor onboarding, everyone we spoke to was united. However, when it came to how to solve it, consensus was elusive. Vendor management, AP and Procurement personnel know they should not trust banking information that arrives via email. That is a given. To solve it, most seem to focus on verifying vendor banking information. But what, exactly, does that mean?
How banking information gets 'verified' generally falls into these three buckets:
- Collecting a voided check or account info on bank letterhead
- Calling the vendor to confirm the change
- Multiple levels of internal approvals for changes
All of these seem, on the surface, to be solid, but are not infallible in defending the vendor master from infiltration by fraudsters. The devil, as they say, is in the details. If your organization is relying on any of these three ways to ensure the validity of your vendor master file's banking info, you are likely leaving holes wide enough for a fraudster to walk right in.
1. Collecting a voided check or account info on bank letterhead
As a verification tool, this practice started before the digital age, when vendors needed to snail mail a W9 and their remit details. And it largely worked. The chances of a fraudster intercepting this piece of mail, steaming open the envelope, swapping out documents and getting this back into the mail stream and delivered, undetected, were close to nil. Vendor impersonation, as we know it today, was extremely difficult in this world.
But in the age of digital communications, with email as our trusted delivery source, these documents are now so vulnerable we’d argue they are meaningless. They are easily forged. Emails are easily hacked or spoofed. Most importantly, a piece of paper does nothing to confirm the ownership of the bank account being offered to you. I can type any business name I want and then put my personal banking details under it. Paper, quite simply, is not proof of the authenticity of the information on it. (For more on authenticity and why that matters, listen to our recent podcast with David Birch.)
If you are still collecting these documents via email to confirm banking changes, we urge you to stop this practice immediately. It’s simply too easy to fall for a fraud this way. Ask the cities of Peterborough or Albuquerque or Rock Island County or Lucas County or this unnamed county in New Mexico or Toyota Boshoku or… you get the picture.
2. Calling the vendor to confirm the change
In the pre-Covid world, this technique was pretty solid. You could look online for an official corporate website, call that number, and ask for the accounts receivable folks, who would confirm (or not) the information your AP folks had on file. Simple.
In the Covid world, this is no longer a fail-safe. Consider all of the AR staff who are now working remotely. They may call in to check voicemail, but when they call you back, it’s not from the official number that you used; it’s likely from a cell phone. How do your AP staff know they are speaking to the legitimate vendor when the number is unrecognized? If you cannot get the right person on the phone with an outbound call, and you cannot authenticate the number they are calling from, you cannot be certain the call is from the legitimate vendor.
3. Multiple levels of internal approvals for changes
More eyes on a problem can certainly help, and we encourage you to always have multiple levels of approvals when it comes to any vendor and payment related information; however, using only internal approvals as a means to ‘verify’ the validity of vendor information is borderline reckless. Not only does it lack formal controls of any kind, but the pressure the people in these positions now have as your only defense is surely keeping them up at night.
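The three gaps above can be turned into explicit control checks that run on every vendor bank-account change before it reaches the vendor master. The following is an added example written for this article, not PaymentWorks code; the vendor names, phone numbers, domains and approver roles are constructed, and the policy (email-sourced details are unverified, a call-back counts only from the number of record captured at onboarding, at least two approvers independent of the requester) is one reasonable reading of the points made above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorOfRecord:
    name: str
    phone_of_record: str    # captured independently at onboarding, never from a change request
    email_domain: str


@dataclass(frozen=True)
class BankChangeRequest:
    vendor: str
    channel: str            # "email", "portal" or "mail"
    sender_domain: str
    has_bank_document: bool  # voided check or letterhead attached
    callback_number: str    # the number the caller actually reached us from
    requested_by: str
    approvers: tuple


def review_bank_change(req: BankChangeRequest, vendor: VendorOfRecord) -> list:
    """Return the control failures for one request; an empty list means it may proceed."""
    findings = []
    # 1. A voided check or letterhead that arrived by email does not prove account ownership.
    if req.channel == "email":
        findings.append("bank details arrived by email; treat as unverified")
        if req.sender_domain != vendor.email_domain:
            findings.append("sender domain differs from the vendor of record")
        if req.has_bank_document:
            findings.append("emailed bank document is not proof of ownership")
    # 2. A call-back only authenticates the vendor if it uses the number of record.
    if req.callback_number != vendor.phone_of_record:
        findings.append("call-back number is not the vendor's number of record")
    # 3. Internal approvals count only when independent of the requester and more than one.
    if req.requested_by in req.approvers:
        findings.append("requester is also an approver")
    if len(set(req.approvers)) < 2:
        findings.append("fewer than two distinct approvers")
    return findings


def hold_for_review(req: BankChangeRequest, vendor: VendorOfRecord) -> bool:
    return bool(review_bank_change(req, vendor))


# Constructed sample data (hypothetical vendor, numbers and domains).
ACME = VendorOfRecord("Acme Supply", "+1-555-0100", "acme-supply.example")
SUSPECT = BankChangeRequest("Acme Supply", "email", "acme-supply-billing.example", True,
                            "+1-555-0199", "ap_clerk", ("ap_clerk", "ap_manager"))
CLEAN = BankChangeRequest("Acme Supply", "portal", "acme-supply.example", False,
                          "+1-555-0100", "ap_clerk", ("ap_manager", "controller"))
```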
None of these three methods solve your actual problem: the problem of paying a fraudster. There is no peace of mind when you are not certain your process has done enough. And we've seen it again and again: true peace of mind cannot be achieved with increasingly stringent means for your staff to verify every digit on every payee bank account with every payment being made.
True peace of mind is knowing your staff are no longer vulnerable to being tricked. Knowing your payments have security. Knowing you are paying who you intend to pay, and that you aren’t liable for any mistakes.
Re-examine the current process you are using to verify the validity of vendor banking information and ask yourself: "Are my employees losing sleep worrying about being tricked?" If the answer is yes, invest some time and resources into shoring up your defenses, before it's too late.
To learn how PaymentWorks can help your team to sleep better tonight, read our case study with Cabarrus County or watch a 2-minute clip from our joint presentation with the county at the 2021 Nacha Smarter Faster Payments Conference.
Need help in examining your vendor onboarding process?
Check out our free guide:
Automation: Pitfalls and Practical Advice in the Quest for the Perfect Vendor Master