Appearances and Vendor Payments
One of the most iconic scenes in a Hollywood heist movie comes near the end of Ocean’s Eleven. The “team” minus Danny Ocean lean against the balustrade in front of the Bellagio on the Las Vegas strip, quietly gazing at the fountains as Debussy’s beautiful Clair de Lune plays. Then one by one, they depart in different directions.
In the highly entertaining film, these guys have just perpetrated a heist of historic proportions for Vegas. The fascinating thing is how they did it. A critical part of the plan was the creation of illusion. Spoiler alert—the team built a replica of the targeted casino vault and filmed it. Then, tapping into the casino’s computer system, they replaced the live video feed from the actual vault with the video of the replica vault.
Looking at the monitors, the security team thinks all is well in the vault, failing to realize that they are not viewing the actual vault. There are a few other similar sleights of hand that, in the end, enable Ocean and his friends to walk out with millions of dollars under the nose of the casino owner.
Illusion and Disillusion in Accounts Payable Fraud
Illusion is fun in the movies or at a magic show. But illusion is bad news for accounts payable teams trying to protect company assets, and cybercriminals are masters of illusion. They create images and messaging to give the semblance that they are someone else: a vendor, an executive. Their success lies in fooling companies into sending payments to the wrong account.
Criminals go where the money is, and much money is now in the digital realm. Their primary tool for breaking and entering is business email compromise, or BEC. BEC is how fraud perpetrators create illusions that induce employees to act on misplaced trust.
In Ocean’s Eleven, the vault looked like the vault. In BEC, an email appears to be a legitimate email from a legitimate party. The email may even have come from an actual vendor, with what seems to be a legitimate request, because the criminals have hacked your vendor. But it’s an illusion that can cost your company.
Battling BEC and Beyond
The proper controls, consistently followed, along with staff training and awareness, provide protection, as do IT security practices such as multi-factor authentication and good password discipline. In addition, it’s vital to know what to look out for in email “from” lines and links, and to be aware of the psychological tricks used in appeals or urgent orders.
Prevention requires that staff sustain vigilance and keep up with evolving threats. For example, now that more people hover over URLs to check the actual domain name (without misspellings) and look for a security-lock icon, scammers have devised another illusion. The new technique, called BitB for “browser in the browser,” hides some of the usual telltale signs of a bogus login page by drawing a fake pop-up login window, convincing address bar and lock icon included, inside the real web page. Meanwhile, a phone call with a deep-faked voice of a CEO led to a $243,000 transfer to a fraudulent account.
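As an added, defender-side illustration (not code from the original article or from VendorInfo), the following Python applies the “from” line and urgency checks described above to one inbound vendor email. The approved vendor domains and the sample message are constructed, and the function only surfaces indicators for an AP reviewer to confirm with the vendor through a known-good channel.

```python
"""Flag common BEC indicators in an inbound vendor email (constructed example)."""
from email.utils import parseaddr

# Assumption: approved vendor domains come from the vendor master file; these are constructed.
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northwind-traders.com"}
URGENCY_TERMS = ("urgent", "immediately", "asap", "confidential", "today")
BANK_CHANGE_TERMS = ("new bank", "new account", "updated account", "routing", "wire")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known):
    """Return the approved vendor domain that `domain` imitates, or None."""
    for k in known:
        if domain != k and edit_distance(domain, k) <= 2:
            return k
    return None


def bec_indicators(headers: dict, body: str) -> list:
    """Return human-readable indicators for one email; headers use lower-case names.
    An empty list means nothing fired, not that the message is safe."""
    findings = []
    _, from_addr = parseaddr(headers.get("from", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(headers.get("reply-to", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    # 1. Reply-To steering answers away from the visible sender domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    # 2. Sender domain that imitates an approved vendor domain (swapped or added character).
    look = lookalike_of(from_domain, KNOWN_VENDOR_DOMAINS)
    if look:
        findings.append(f"sender domain {from_domain} is a lookalike of vendor domain {look}")
    # 3. Urgency combined with a request to change where payments go.
    text = (headers.get("subject", "") + " " + body).lower()
    if any(t in text for t in BANK_CHANGE_TERMS) and any(t in text for t in URGENCY_TERMS):
        findings.append("urgent request to change bank or payment details")
    return findings
```

A message that trips none of these checks can still be fraudulent, for instance when it really comes from a compromised vendor mailbox, which is why bank-detail changes should be confirmed by phone to a number already on file rather than by reply.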
Accounts Payable Vigilance
In some cyber-attacks, sowing distrust is the goal (think state-sponsored disinformation). But of course, in many more cases, the goal is simply profit—to get organizations to send money to the criminals’ accounts.
Vigilance, encouraged by policy and periodic training, is essential and applies not just to email interactions but also to ensuring consistent compliance with internal controls, even and especially when the CEO’s email stresses the urgency of sending a wire payment!
A Safer Method: A Secure Vendor Portal
A best practice in vendor information management is to avoid using email for sending or receiving sensitive information, such as in gathering a vendor’s tax and bank information. Instead, secure vendor portals are a much safer way to collect the necessary data. And some vendor portal services provide the additional advantage of handling verification and compliance of critical vendor information, from tax identification to bank account number and owner verification.
It’s essential to become educated on the threats and review policies and procedures to ensure you are keeping up. Staff training and awareness are critical. And organizations should eliminate the use of email to transmit sensitive information.
To find out how VendorInfo can help secure, confirm, and validate your vendor information and address compliance issues related to vendors, contact us.