Help Your Vendors Safeguard Your Company from Cyberattacks
September 13, 2023
When it comes to phishing, scams and other types of fraud, bad actors play their villainous roles to near-perfection — and too often, they get a fat paycheck for your trouble. One of the lesser-known avenues for a cyberattack is through what most companies consider trusted allies: the vendors they do business with.
Creating a comprehensive vendor management program and keeping it current can help safeguard against these dangerous and costly attacks. By working closely with vendors and trusted banking advisors, you can create a strong first line of defense to stop fraud before schemes take hold.
Verification is the unifying factor
Those at the highest risk of being defrauded often believe they’re safe. Vendors may not know they’re opening the door to scammers. But opportunistic thieves look for vulnerabilities, then patiently wait until they can attack.
A commonly known scheme is check-washing: removing and altering information on a paper payment. The modern version of this scheme involves recreating checks intended for vendors, using the same dollar amount and serial numbers, but making the check payable to the fraudsters themselves. Enrolling in Payee Positive Pay¹ may offer a strong way to mitigate all types of check fraud. With this tool, companies provide the bank with a list of checks written. The bank compares presented checks to the list for accuracy before paying them.
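A recreated check keeps the serial number and dollar amount and changes only the payee, so the payee has to be part of the comparison. The sketch below is an added example, not the bank's system or anything from the original article; the record fields, decision labels, name normalization and sample checks are constructed, and it assumes a basic match covers only serial number and amount.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    serial: str
    amount_cents: int
    payee: str

def normalize(name):
    # Compare payees ignoring case and punctuation (a simplification).
    return " ".join("".join(c if c.isalnum() else " " for c in name.upper()).split())

def review(issued, presented, match_payee):
    """Return a (serial, decision) pair for each presented check, in order."""
    register = {c.serial: c for c in issued}   # issue file sent to the bank
    paid = set()
    decisions = []
    for p in presented:
        ref = register.get(p.serial)
        if ref is None:
            decision = "EXCEPTION: serial not on issue file"
        elif p.serial in paid:
            decision = "EXCEPTION: serial already paid"
        elif p.amount_cents != ref.amount_cents:
            decision = "EXCEPTION: amount mismatch"
        elif match_payee and normalize(p.payee) != normalize(ref.payee):
            decision = "EXCEPTION: payee mismatch"
        else:
            decision = "PAY"
            paid.add(p.serial)
        decisions.append((p.serial, decision))
    return decisions

# Constructed sample data: checks the company wrote, then checks presented.
ISSUED = [Check("10451", 1_250_000, "Acme Industrial Supply, Inc."),
          Check("10452", 48_075, "Northside Janitorial LLC")]
PRESENTED = [
    Check("10451", 1_250_000, "J. Doe"),                 # recreated: new payee
    Check("10452", 48_075, "NORTHSIDE JANITORIAL LLC"),  # legitimate item
    Check("10452", 48_075, "Northside Janitorial LLC"),  # same serial again
    Check("10460", 90_000, "Acme Industrial Supply, Inc."),  # never issued
]

if __name__ == "__main__":
    for label, flag in (("serial+amount", False), ("serial+amount+payee", True)):
        print(label)
        for serial, decision in review(ISSUED, PRESENTED, match_payee=flag):
            print(f"  {serial}: {decision}")
```

Without the payee comparison the recreated check 10451 is paid; with it, the same item is held as an exception for the company to decide on.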
Another typical scenario involves bogus invoicing schemes: Fraudsters monitor company or vendor email and discover ways to submit a fraudulent invoice. A lack of proper verification can allow payment of the invoice.
How to protect yourself? Due diligence can provide a unified line of defense to spot tell-tale signs of fraud, such as two checks or invoices with the same number or invoices that suddenly crop up from a previously inactive vendor.
Implementing vendor management protocols
Whether your company is large or small, a successful vendor management system can guard against cyberattacks. Understanding each vendor relationship lets you confirm the vendor's validity and vet its fraud protection measures. Your plan may include:
Centralized vendor management: One point of contact can ensure you are monitoring all vendors in your company’s ecosystem. Depending on your company’s size, this may be part of one individual’s job, or it may be an entire department. What’s most crucial is to avoid vendor management being “catch as catch can.” When each individual or department manages their own vendor relationships, you risk having no one addressing the big picture — and fraud can slip through the cracks.
Segregation of duties: This standard financial management tool applies to fraud prevention, too. The same person should not receive an invoice for payment and cut the check or issue the transfer order. Similarly, the same employee should not onboard and pay a vendor. These safeguards make sure teams have each other’s back in terms of monitoring financial processes.
Vendor classification: A well-thought-out framework can enable you to track the risk level of vendors and monitor those you frequently use versus those that are inactive. Vendor management systems can categorize vendors into low-, medium- and high-risk categories for your business. Then, you can establish a set of procedures to deal with each. Be sure to review and update these classifications periodically.
Strong onboarding policies: You may wish to require vendor management involvement during vendor selection and payment processes. When you onboard vendors, it’s smart to engage the company legal department or counsel to review and validate the vendor contract and then forward a fully signed contract to the bank for payment setup, with W-9 information checked for accuracy.
Consistent vendor management: Again, consistency matters. Reviewing vendor accounts daily can identify potential concerns early, such as unexpected or repeated activity. Ensure that the company team understands how to document appropriate processes and consistently uses them. And it’s essential to stay vigilant with record-keeping. For example: Review each payment, especially new vendor payment requests or any unusual request from a board member. One major red flag is a request to change the payee information for a vendor — the key component of business email compromise (BEC). In many cases, even if your company has a callback process to confirm details, the fraudster will try to trick the victim into calling a number controlled by the fraudster. It is critical that an outbound call is made to a number on file for the vendor, and a known contact confirms the change, before modifying any payment instructions.
Bank support on many levels
Bank of Nevada is heavily invested in helping clients prevent fraud. As a key part of our Treasury Management² tools, we offer a full suite of fraud protection options. Your banker and relationship manager can help you arrange the following:
Sophisticated digital treasury management solutions that maximize efficiency and help prevent fraud. Talk to your banker about solutions to protect your accounts, including AP automation, ACH Debit Block³, ACH Positive Pay¹, Check Positive Pay¹, Payee Positive Pay and API integrations.
Secured payment and deposit methods, such as paying vendors with ACH credits rather than allowing ACH debits and using one dedicated computer for critical online banking functions.
Direct integration with bank accounts to eliminate avenues where fraud can slip through.
1. Requires enrollment in Business Online Banking. Refer to disclosures provided at account opening, the Business Schedule of Fees, and Pro Forma for additional information.
2. All offers of credit subject to approval. Some products and services may be subject to prior approval or fees. Please contact a Treasury Management Advisor and Relationship Manager for additional details that may apply based on products and services selected.
3. All offers of credit are subject to credit approval. This functionality is based on the National Automated Clearinghouse Association (NACHA) 2017 rule adopting Same Day ACH Origination Solution as amended in 2020. Requires enrollment in Business Online Banking. Some products and services may be subject to prior approval or fees. Refer to disclosures provided at account opening, the Business Schedule of Fees, and Pro Forma for additional information.