Cybercriminals combine technology and psychology in their sleight-of-hand use of email to compromise staff and redirect payments. The sophistication goes up from direct business email compromise (BEC) to vendor email compromise (VEC). In the former, the attack is directly on you, your staff or even your CFO or CEO. Alongside internal IT tools, staff awareness training is vital in spotting and avoiding BEC attempts.
VEC detection can be more challenging. VEC is a multi-step scheme and can be much harder to defend against because the criminals compromise your vendor first. The perpetrators study your vendor’s communication and billing patterns before emailing you. Thanks to their study of intercepted email communications, the perpetrators can pose convincingly as your vendor.
They send a vendor email that looks and sounds like every other email. It might include an invoice that looks familiar, but the bank account information differs. Or the email requests a change of the vendor’s bank account information to its new bank. Even a veteran AP staffer may follow the “vendor” instructions.
Controls, Controls, Controls
It is vital to consistently follow internal controls in managing vendor information, especially bank account information. A critical part of a protection strategy is to have senior management fully onboard in support of scrupulous control compliance by staff.
One common tipoff of BEC and VEC scams is urgency. Haste is a fraud enabler. Of course, situations sometimes necessitate swift action that normal controls might impede. You must have adequate compensating controls, and senior management must adhere to them and insist that staff do the same. In the case of an unusual, urgent payment, skipping verification of authorization and of a vendor bank account change could cost your organization substantially.
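The controls described above can be made mechanical so that a rushed request cannot quietly skip them. The following is an added illustration, not code from the original article or from any vendor product: it models a vendor bank-account change request and applies three controls (a call-back to the phone number captured at onboarding, two distinct approvers, and a hold period that can only be waived by a recorded senior manager who is not one of the approvers). Urgency and arrival by email are reported as warnings rather than hard blocks. The vendor record, phone numbers, approver names and the two-day hold period are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


# Constructed example of a vendor master record as an AP system or portal might store it.
# The call-back number is captured at onboarding and never taken from an inbound email.
@dataclass
class VendorRecord:
    vendor_id: str
    callback_phone_on_file: str


# A request to change a vendor's bank account, however it arrived.
@dataclass
class BankChangeRequest:
    vendor_id: str
    received_at: datetime
    requested_via: str                            # "portal" or "email"
    marked_urgent: bool = False
    callback_verified_to: Optional[str] = None    # number AP actually dialled to confirm
    approvers: List[str] = field(default_factory=list)
    expedite_approved_by: Optional[str] = None    # senior manager who waived the hold period


HOLD_PERIOD = timedelta(days=2)   # assumed cooling-off period before a changed account is paid


def evaluate_change(req: BankChangeRequest, vendor: VendorRecord, now: datetime) -> Tuple[bool, List[str]]:
    """Return (approved, findings). Any blocking finding rejects the change; warnings are kept for audit."""
    blocking: List[str] = []
    warnings: List[str] = []

    if req.requested_via == "email":
        warnings.append("change instructions arrived by email rather than through the vendor portal")
    if req.marked_urgent:
        warnings.append("request is marked urgent; urgency is a known BEC/VEC tipoff")

    # Control 1: out-of-band confirmation to the number on file, never to a number from the request.
    if req.callback_verified_to is None:
        blocking.append("no call-back verification recorded")
    elif req.callback_verified_to != vendor.callback_phone_on_file:
        blocking.append("call-back went to a number that is not on file")

    # Control 2: two distinct approvers.
    if len(set(req.approvers)) < 2:
        blocking.append("fewer than two distinct approvers")

    # Control 3: hold period, or a recorded compensating control when it is waived.
    if now - req.received_at < HOLD_PERIOD:
        if req.expedite_approved_by is None:
            blocking.append("hold period not elapsed and no senior-management waiver recorded")
        elif req.expedite_approved_by in req.approvers:
            blocking.append("waiver granted by one of the approvers; waiver must come from a third person")
        else:
            warnings.append(f"hold period waived by {req.expedite_approved_by}; record retained for audit")

    return (not blocking, blocking + warnings)


def run_scenarios() -> dict:
    """Constructed scenarios (no real vendors or numbers): returns {name: (approved, findings)}."""
    vendor = VendorRecord("V-1001", "+1-555-0100")
    now = datetime(2024, 5, 10, 9, 0)
    scenarios = {
        "portal_change_fully_controlled": BankChangeRequest(
            "V-1001", now - timedelta(days=3), "portal",
            callback_verified_to="+1-555-0100", approvers=["ap.clerk", "ap.manager"]),
        "urgent_email_change_no_checks": BankChangeRequest(
            "V-1001", now - timedelta(hours=1), "email", marked_urgent=True,
            callback_verified_to="+1-555-0199",   # number supplied in the email itself
            approvers=["ap.clerk"]),
        "urgent_but_compensated": BankChangeRequest(
            "V-1001", now - timedelta(hours=1), "portal", marked_urgent=True,
            callback_verified_to="+1-555-0100", approvers=["ap.clerk", "ap.manager"],
            expedite_approved_by="cfo"),
    }
    return {name: evaluate_change(req, vendor, now) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, (approved, findings) in run_scenarios().items():
        print(name, "APPROVED" if approved else "REJECTED")
        for f in findings:
            print("   -", f)
```

The point of the third scenario is the compensating control the article calls for: an urgent change can still go through, but only with the call-back and dual approval intact and a named third person recorded as having waived the hold.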
The Achilles Heel: Email
Email lacks security. It is an ancient technology. Though email is excellent for communication, it was never designed to be a secure communication technology. And while there are things your IT department can and hopefully has done to detect and prevent or flag threats, there’s a limit to what IT can do to retrofit a fundamentally insecure technology.
Even the FBI has been compromised. A criminal hacked the FBI email server and sent tens of thousands of bogus email “alerts.”
The disturbing thing was that the fake emails appeared to come from a legitimate FBI email address, one ending in “@ic.fbi.gov.” Even for those savvy enough to check the sender’s underlying email address, this kind of imitation could easily slip by.
Building awareness through training and creating a “cautious culture” is nice in theory but can fail in daily, routine practice. Companies should consider methods other than email to transmit essential information between themselves and their vendors.
A Better Alternative
This is where secure, online vendor onboarding comes in. Vendor onboarding and critical vendor communications via a secure online service bypass email for collecting, verifying and managing sensitive vendor information.
A self-service supplier portal streamlines the vendor onboarding process, providing suppliers with a secure and intuitive interface to submit their information, documentation and certifications. Along with avoiding the insecurity of email, submitting information through a portal eliminates the need for manual paperwork and accelerates the vendor approval process. And a good vendor onboarding portal automatically manages verifications including sanction list checks, tax information matching, and most critically, bank account verification.
Vendors use a self-service portal to update their profile information, including contact details, banking information, tax information and any certifications. Providing suppliers with a portal to manage their profile facilitates up-to-date and accurate vendor data while reducing risk.
A self-service supplier portal establishes an efficient and transparent communication channel between parties, allowing them to exchange messages, submit inquiries, receive updates and digitally collaborate to resolve issues in a secure environment.
Vendor information management and communications are critical to the supply chain. By implementing a self-service portal for vendor interaction, information exchange and process automation, businesses can avoid email exploitation by cybercriminals, improving communication and fostering trust and strong vendor relationships.
VendorInfo can remove email from vendor information management to help you protect against fraud, handle tax and sanction compliance and automate your vendor bank account verification process. Contact us to learn how.