According to a 2022 report by the Association for Financial Professionals (AFP), 71% of organizations surveyed experienced attempted or actual payments fraud in 2021. Vendor fraud is one common type of fraud used by scammers to steal from businesses of all sizes. It often involves faking vendor information to redirect payments from the accounts payable (AP) team to a fraudster’s account. Whether committed by an internal employee, an outside third-party, or a combination of the two, the goal of vendor fraud is ultimately the same: to steal funds. Let’s take a closer look.
What is Vendor Fraud?
Vendor fraud is a type of financial fraud where the perpetrator deceives an organization into making payments to fraudulent accounts. Fraudsters typically accomplish this by faking vendor invoices or recipient payment information.
This type of fraud is committed by anyone with access to vendor or payment information, including internal employees, staff from a vendor’s organization, or outside third parties who have stolen relevant account information. This last group is most commonly responsible for committing vendor fraud, most often by swapping out the vendor’s payment information with their own to redirect then steal funds.
These external bad actors can obtain necessary payment information through a variety of tactics, including: social engineering, hacking, or phishing scams. Successful vendor fraud attempts can be devastating for organizations, causing significant financial losses and reputational damage. Therefore, it is crucial for businesses to implement effective measures to prevent and detect vendor fraud before it’s too late.
What are Examples of Vendor Fraud?
Understanding the common types of vendor fraud helps organizations better protect themselves from falling victim to similar schemes. Here are just a few examples of vendor fraud to look out for.
Check tampering is another common type of vendor fraud where a fraudster alters or forges checks to divert funds to their account. The fraudster may steal a check from the organization or intercept a check that is meant for a legitimate vendor, then alter the payee information or amount on the check.
Alternatively, the fraudster may create a fake check using stolen or fabricated information. In some cases, the fraudster may also intercept a check and then deposit it into their own account before it reaches the intended recipient. According to the AFP report, check tampering was one of the most prevalent methods for payment fraud, with 66% of survey respondents indicating check fraud issues in 2021.
Business email compromise (BEC) emails are a type of cybercrime where a fraudster gains access to an organization’s email system and then impersonates a senior executive, vendor, or supplier to trick an employee into transferring funds or providing sensitive information. This type of fraud often involves social engineering tactics, such as creating fake email addresses or domain names that appear to be legitimate. According to the 2022 AFP report, AP departments continue to be the most susceptible to BEC, with 58% of survey respondents indicating that their AP department was compromised through an email scam in 2021.
One common form of BEC fraud involves a fraudster impersonating a vendor and requesting a change to their payment information. The fraudster may ask the organization to update their payment information to a new account, which is actually controlled by the fraudster, leading to funds being transferred to the fraudulent account.
Who is at the Highest Risk for Vendor Fraud?
Vendor fraud can happen to any organization, but small and medium-sized organizations are particularly vulnerable. These organizations often have less robust security measures in place, making it easier for fraudsters to obtain the information they need to steal funds. Additionally, small teams often rely heavily on a few employees to execute the vendor and payment functions, which can lead to overburdened staff and increases in human error. Smaller teams can also lack the resources to segregate AP duties as typically recommended. This creates opportunities for individuals to manipulate payments and records without getting caught.
Larger organizations have more resources and established protocols in place to minimize the risk of fraud. These can include: risk assessments, internal controls, and trained staff to detect and prevent fraud. As a result, fraudsters tend to view larger organizations as harder targets but it doesn’t mean they’re totally in the clear.
It’s important to note that vendor fraud can still occur at large enterprises. Even with robust internal controls and security measures, fraudsters constantly find new ways to exploit weaknesses in security systems and processes. That’s why it’s important for all organizations, regardless of size, to remain vigilant and proactive in their efforts to prevent and detect vendor fraud.
How to Spot Vendor Fraud
Identifying vendor fraud can be challenging, but there are certain warning signs that organizations should look out for. Here are some common red flags:
Payments that Deviate from Normal Procedures
Any payment that is significantly different from past payment history, such as payments made to a new vendor or a vendor not previously used, may be a warning sign.
Low Dollar Inconsistencies
Fraudsters often make small adjustments to payment amounts to avoid detection. Look for payments that are slightly different from what is expected, as these small inconsistencies may add up over time.
Duplicate payments made on the same date or payments exceeding the contract agreement can be signs of fraudulent activity.
Payments Made During Non-Business Hours
Payments made outside of normal business hours, such as late at night or on weekends, may also be a warning sign of fraudulent activity.
Deviations in Vendor Information
Deviations in vendor information, such as variation in delivery and payment addresses, use of the same purchase order in invoices, or non-sequential invoice numbers, can also be signs of vendor fraud.
By staying vigilant and closely monitoring payment activity, organizations can better detect and prevent vendor fraud. In addition to these warning signs, companies should also consider implementing robust internal controls and utilizing technology, such as AP automation software, to help detect and prevent fraudulent activity.
How to Stop Vendor Fraud
If an accounts payable team identifies vendor fraud, it’s important to act quickly. The following tips can help you get started:
- Work quickly to understand the breadth and depth of the fraud: Once fraud has been detected, it’s important to act quickly to assess its extent and identify the source to help prevent further instances of fraud and minimize any financial losses.
- Reach out to the bank that processed the payment: Depending on the timing, the bank that processed the fraudulent payment may be able to help recover the funds. It’s important to reach out to the bank as soon as possible to explore this option.
- Alert the affected vendor: Notify the affected vendor as soon as possible if their payment information or email account has been compromised, or if a bad actor is impersonating them to their client base. This helps the vendor take steps to protect their own business.
However, prevention is the real key when it comes to stopping fraud. In the following sections, we outline various methods for stopping vendor fraud before it happens.
Cross-Reference Payment Information
By cross-referencing payment information with a payment order, AP teams will ensure that they send money to the correct account and avoid sending funds to fraudulent accounts. This requires establishing robust internal controls and utilizing technology, such as an AP automation solution.
Teams should also cross-reference vendor payment information history to detect when payment information has been updated to a new account. This can be a red flag that prompts AP teams to further investigate potential cases of fraud, giving them more time to assess the situation and minimize their likelihood of falling victim to vendor fraud.
Validate Email Addresses
To prevent BEC attacks, organizations should take steps to verify that email addresses actually belong to their vendors. One effective way to do this is to establish a process for validating email addresses. This involves verifying the email address with the vendor directly, using a third-party verification service, or implementing software that helps detect anomalies in email patterns. Organizations should also provide regular training to their employees on how to recognize and avoid BEC attacks.
Have a Process for Enrolling Vendors
Carefully screening and verifying vendor information during the enrollment process helps businesses ensure that only legitimate vendors are approved and that their payment information is accurate.
One effective way to do this is to utilize AP automation software, such as MineralTree. Our platform offers automatic notifications to AP staff whenever vendor payment information is updated. This enables teams to quickly confirm with the vendor if they see a suspicious change made to their account information, such as a new bank account or payment address.
Maintain a Database of Vendors
Having a database of vendors helps teams identify if a payment request is coming from a legitimate vendor or if it is a fraudulent attempt to steal funds. If there are any changes to a vendor’s payment information, such as a new bank account or payment address, the organization can confirm the change with the vendor before making any payments. This helps minimize the risk of financial losses.
In addition to maintaining a database of vendors, organizations should also establish protocols for regularly reviewing and updating vendor information. This includes conducting background checks on new vendors, verifying their tax identification numbers, and keeping track of their payment history.
Enroll Vendors in Virtual Card
Virtual cards use a unique one-time code that can only be charged for a designated amount. This makes them one of the most secure forms of payment available. Virtual card payments are also more convenient than traditional payment methods like checks, which can be lost, stolen, or tampered with.
By enrolling vendors in virtual card programs, organizations limit the risks associated with traditional payment methods. They can also better track and control their payments, as virtual card transactions are usually automatically recorded in the organization’s financial system.
Segregate Duties in Accounts Payable
If one person holds both the power to approve invoices and authorize payments, they are in a position to make fraudulent payments without anyone else cross-checking their work. By segregating duties in AP, organizations ensure that multiple people are involved in the payment process and that there are checks and balances in place to prevent fraud.
Segregation of duties is achieved by assigning different roles and responsibilities to different individuals. For example, one person could be responsible for approving invoices, while another person is responsible for authorizing payments. Alternatively, an organization could establish a system of checks and balances, where multiple individuals are required to review and approve payments before they are processed.
ACH Verification Services
ACH verification services verify vendor bank account information, including the account holder’s name, address, and other important information. This helps ensure that payments are being made to the correct account and that the account information is accurate.
ACH verification services also help organizations identify potential fraud by flagging discrepancies or inconsistencies in vendor payment information. For example, if a vendor’s payment information suddenly changes, or if the payment information doesn’t match the vendor’s records.
More information on ACH verification services is available from NACHA.
Matching vendor invoices against POs allows organizations to ensure that the goods or services they are being billed for have actually been received and are in line with the terms of the agreement. This involves tracking POs and linking them to vendor invoices. When a vendor invoice is received, the team compares it against the corresponding PO to ensure that the amounts and quantities match up. If there are any discrepancies, the team can investigate further before authorizing payment.
However, PO matching is a time-consuming process, particularly for organizations that handle a large volume of invoices. This is where AP automation software like MineralTree’s platform help streamline the process and make it more efficient. The platform automatically matches invoices against POs, flag any discrepancies, and route them for further review and approval.
How AP Automation Helps Companies Prevent Vendor Fraud
By enabling direct submission of invoices to the AP system, limiting access to invoices, and providing internal controls, AP automation makes it harder for fraudsters to manipulate payments. In addition to limiting access to invoices, AP automation systems also enable segregation of duty to limit access to sensitive payment information. This minimizes the likelihood of fraud by ensuring that no single person has unchecked control over the AP process.
Another benefit of AP automation is that it provides a record of activities, like when a user approves or authorizes payments, and updates vendor account information. This added visibility and accountability deters internal parties from misusing funds, as they know that their actions are being tracked and recorded. MineralTree’s AP automation platform offers all of these features and more, making it an effective solution for organizations to improve their AP process and prevent fraud.
By understanding the most common types of vendor fraud and implementing measures to prevent and detect scam attempts, organizations can protect themselves from financial loss and reputational damage.
If you’re looking to improve your organization’s AP process and prevent vendor fraud, MineralTree can help. Our AP automation platform offers a wide range of features designed to streamline your AP process and minimize the risk of fraud. Request a free demo today to learn more.