Impostor fraud. Business email compromise. Supply chain fraud. Call it whatever you’d like, but the reality is this: Criminals are finding ways to impersonate company execs or trusted vendors and steal employers’ cash with alarming ease.
Here’s just one example: A fraudster hacks into a company vendor’s email, reads the back-and-forth messages, learns about the vendor’s invoicing process and then makes a move on a vulnerable staffer such as an A/P clerk.
Because the fraudster is familiar with the company’s processes, he doesn’t have much trouble convincing the A/P staffer that the vendor’s payment instructions have changed and getting money diverted into his own account.
Authorities estimate impostor fraud costs U.S. businesses an alarming $789.9 million annually. And that’s probably a low-ball figure, considering this type of fraud is often under-reported.
After being the target of impostor fraud, Andrew Ubel, the chief intellectual property counsel for Valspar Corporation, worked with his bank to create a safer, more secure system where vendor accounts couldn’t be changed and exploited by fraudsters.
At the 2015 Association for Financial Professionals Conference in Denver, Ubel hosted a presentation on the steps his company and its bank took to prevent fraud.
No value in account numbers
Ubel saw a number of data fields and automated processes where vendors’ account numbers were at risk — and he didn’t see the value in having those account numbers in the vendor master file to begin with.
So the company identified every place in the system that stored vendor bank account numbers, analyzed the employees who had access to those fields and data, and conducted a penetration test to check the security.
What the company found: There were a number of username/password combinations in the database that could potentially get access to payments, as well as several processes through which this could take place. Because the company’s payments were encrypted (a protection A/P had assured Ubel made the process extremely safe), fraudulent payments would’ve looked like standard vendor payments and could’ve easily been missed.
To fix this vulnerability, Ubel worked with his banking institution to remove the risk. The company deleted all vendor bank account numbers from its system. In place of the account numbers, vendor identification numbers — numbers that weren’t linked to bank account info — were created and A/P sent the bank secure payment files.
Back in the bank’s hands
Thanks to the change, the company’s bank — not the company’s employees — was then charged with handling every change to a vendor’s account.
When there’s a change, the bank has a number of safeguards in place. First, the bank confirms the vendor’s identity by requesting the special vendor ID. Next, the bank sends a physical letter to the vendor about the change. From there, the vendor must visit a secure portal, where the bank makes the change itself.
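As an added illustration of the design described above (this is not code from Valspar or Wells Fargo; the vendor IDs, account labels and the pipe-delimited payment file format are constructed), here is a small Python model of the two sides: the company holds vendor IDs only, while the bank holds the vendor-ID-to-account mapping and enforces the three-step change procedure.

```python
from dataclasses import dataclass

# Company side (constructed sample data): the vendor master holds an opaque
# vendor ID and a name, and has no field for a bank account at all.
COMPANY_VENDORS = {"V-1001": "Acme Supply", "V-1002": "Brighton Paints"}

def build_payment_file(payments):
    """A/P emits payment lines keyed by vendor ID only; no account number can
    appear here because the company never stores one."""
    lines = []
    for vendor_id, amount_cents in payments:
        if vendor_id not in COMPANY_VENDORS:
            raise ValueError(f"unknown vendor {vendor_id}")
        lines.append(f"PAY|{vendor_id}|{amount_cents}")
    return "\n".join(lines)

@dataclass
class ChangeRequest:
    vendor_id: str
    new_account: str
    letter_sent: bool = False

class Bank:
    """Bank side: owns the vendor-ID -> account mapping and every change to it."""
    def __init__(self, mapping):
        self.mapping = dict(mapping)  # vendor ID -> account, held only at the bank
        self.pending = {}
    def open_change(self, presented_vendor_id, new_account):
        # Step 1: the requester must present the vendor's special ID; an emailed
        # "our account changed" without a valid ID gets no further than this.
        if presented_vendor_id not in self.mapping:
            raise PermissionError("vendor ID not recognised")
        self.pending[presented_vendor_id] = ChangeRequest(presented_vendor_id, new_account)
    def send_letter(self, vendor_id):
        # Step 2: a physical letter about the change goes to the vendor's address on file.
        self.pending[vendor_id].letter_sent = True
    def portal_confirm(self, vendor_id):
        # Step 3: the vendor confirms on the secure portal; only then does the bank
        # apply the new account. Confirming before the letter step is refused.
        req = self.pending[vendor_id]
        if not req.letter_sent:
            raise PermissionError("letter not yet sent")
        self.mapping[vendor_id] = req.new_account
        del self.pending[vendor_id]
    def settle(self, payment_file):
        """Resolve vendor IDs to accounts; this happens only inside the bank."""
        return [(self.mapping[v], int(a)) for _, v, a in
                (line.split("|") for line in payment_file.splitlines())]
```

The point the model makes is that nothing on the company side can redirect a payment: the payment file carries no account field, and the only path to a new account runs through the bank's full verification sequence.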
Thanks to these procedure changes, the company has virtually eliminated its chances of falling victim to the type of impostor fraud that is wreaking havoc on so many of its peers.
Adapted from “Valspar Tackles Impostor Fraud Head On,” by Andrew Ubel (Valspar Corporation) and Angela Melzark (Wells Fargo), as presented at the 2015 Association for Financial Professionals Conference in Denver.