The risk of security breaches within accounts payable is growing as bad actors work tirelessly to infiltrate companies through Business Email Compromise (BEC), email spoofing, phishing, and other methods. Since these attempts are ultimately focused on getting access to your funds, the supplier payment process is particularly vulnerable – and often more than companies can, or want to, handle by themselves.
According to the 2020 AFP Payments Fraud and Controls Survey, breaches and instances of fraud are becoming all too prevalent: 81% of companies experienced payments fraud or attempted fraud in the previous year. That has become a key reason why many companies are turning to AP automation solution providers to fully manage and optimize their payments. These providers have the dedicated staff, best practices, and robust security technology and process controls needed to protect supplier payment information.
Offload Supplier Management to Minimize AP Security Risks
There are three areas where AP teams are particularly vulnerable to fraud. By offloading management of supplier payment details to the right payment service provider, they can take this security burden off their shoulders while strengthening protection of this sensitive data.
1. Collecting supplier data.
Contacting a supplier to gather payment information and recording it into your system is not as straightforward as it may sound. For example, if you’re paying by check, your AP clerk needs to retype the supplier’s address from a paper or scanned invoice into the system. This process opens up the possibility for human error as well as security issues, particularly if payment is mailed to the wrong address.
If your company is paying by ACH, the room for error increases. AP staffers have to call or email suppliers to gather sensitive bank account and routing information. They have to make sure they are communicating with the right person and that they didn’t make any mistakes when entering this information into your ERP or payment system.
To avoid the risk of ACH fraud and other issues, a best practice is to verify any supplier information entered into your system with two people. However, given the realities of a busy AP department, where people don’t have time and no one is dedicated to the task of collecting and verifying this information, verification often goes by the wayside and mistakes happen.
2. Storing the data.
One way to keep your data safe is to restrict access to a small number of trusted individuals. Even if there is no malicious intent, a staffer’s laptop with supplier information may be stolen, exposing this sensitive information.
A best practice is to prevent unauthorized access to the system through strong security measures and encrypted data. For instance, MineralTree grants access to systems based upon role, least-privilege and need-to-know principles and performs regular internal audits to confirm only authorized users have access. In addition, all data is encrypted in transit over the public internet and sensitive data (e.g., PCI, PII, and PHI) is encrypted at rest with strong ciphers.
3. Maintaining the data.
This, unfortunately, is typically a sweet spot for fraudsters and an area where companies can run into the most trouble. While companies are contacted by suppliers from time to time to change payment information, how do they know that it is a legitimate request and the requester is really from the supplier’s organization?
Vendor email compromise is particularly prevalent during account maintenance. With this insidious form of BEC, a bad actor sends a fake invoice or request to change payment details from an email address that spoofs the supplier’s email domain or from a legitimate email account that has been hacked. In either case, the request appears to be coming from the supplier. In addition, companies might receive inbound calls from fraudsters requesting changes to bank information. Unfortunately, given the length of the invoice and payment cycles, bad actors can often get away with a company’s funds long before it is noticed.
To prevent this kind of fraud, best practices include calling a company back at a known telephone number to verify the requested changes, and requiring that these requests be submitted in writing as well as verbally. Another best practice is to use virtual cards as much as possible. They provide rigorous built-in security measures, including a randomly generated number, and authorization for a specific dollar amount for one-time use only.
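The two-person verification from section 1 and the callback and written-request checks above can be enforced as a hold gate on bank-detail changes. This is an added example, not code from the original page or from MineralTree; the class names, field names, similarity threshold and sample data are all assumptions made for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass
class SupplierRecord:            # vendor master data already on file
    email_domain: str
    phone: str

@dataclass
class ChangeRequest:             # a request to change bank details
    sender_email: str
    callback_number: str | None  # number AP actually dialed, if any
    in_writing: bool
    approvers: frozenset[str]    # staff who verified the new details

def _digits(phone: str) -> str:
    return re.sub(r"\D", "", phone)

def hold_reasons(req: ChangeRequest, on_file: SupplierRecord) -> list[str]:
    """Return reasons to hold the change; an empty list means release."""
    reasons = []
    domain = req.sender_email.rsplit("@", 1)[-1].lower()
    known = on_file.email_domain.lower()
    if domain != known:
        similar = SequenceMatcher(None, domain, known).ratio() >= 0.8
        reasons.append("lookalike sender domain" if similar
                       else "unknown sender domain")
    # A matching domain proves nothing if the mailbox itself was hacked,
    # so the callback is required regardless of the domain result.
    if req.callback_number is None:
        reasons.append("no callback made")
    elif _digits(req.callback_number) != _digits(on_file.phone):
        reasons.append("callback used a number not on file")
    if not req.in_writing:
        reasons.append("no written request")
    if len(req.approvers) < 2:
        reasons.append("fewer than two verifiers")
    return reasons

# Constructed sample data (not from the original page).
ACME = SupplierRecord("acme-supply.example", "+1 (555) 010-0199")
SPOOFED = ChangeRequest("ap@acme-suppIy.example", "555-010-0123", True,
                        frozenset({"alice"}))
VERIFIED = ChangeRequest("ap@acme-supply.example", "+1 555 010 0199", True,
                         frozenset({"alice", "bob"}))

if __name__ == "__main__":
    print(hold_reasons(SPOOFED, ACME))
    print(hold_reasons(VERIFIED, ACME))
```

The phone comparison is deliberately strict: a number that differs from the one on file in any digit, including a missing country code, keeps the change on hold until someone reconciles it.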
With an AP automation provider who manages and optimizes your payments, you get a dedicated team that constantly enforces these security best practices and more. Because these teams are working with so many companies, they have strong relationships and are in regular contact with suppliers. This familiarity helps prevent fraud, in addition to the stringent data security measures and technology they implement throughout the payment process. A supplier portal can be helpful as well, enabling the suppliers to enter the information directly into the system, eliminating risk of human error or fraudulent requests.
As the threat of fraud grows, so does its impact. In addition to the financial implications that companies must face, it also hurts their relationships with suppliers, who often end up getting paid late, taking a hit to their cash flow, and losing confidence in the buying organizations. With fraudsters showing no indication of slowing down, it’s important to offload the security burden to your AP automation provider, who can work smarter to thwart them at every turn.