Business Email Compromise and Vendor Information Change
Typically we deal directly with internal fraud: fraud committed against an organization by its own employees. Today, we want to alert you to something a bit different.
This case study is urgent. We are seeing frauds like it too often, and it is so preventable. We’re talking about fast fraud: hundreds of thousands of dollars gone in seconds. You may have heard the terms Business Email Compromise or “Man in the Middle Attack”. A MITM attack inserts the attacker between two parties who believe they are communicating directly with each other: for today’s purposes, an organization and its vendors. You may picture phishing schemes or high-tech hacking involving sophisticated software. Those are valid examples, but we have repeatedly seen much simpler MITM attacks in which fraudsters use basic social engineering to psychologically manipulate employees. Through phone calls or emails that convey urgency, fear, or similar emotions, innocent employees can be led into revealing sensitive information or convinced to make changes that let a fraudster take large amounts of money fast.
Let's look briefly at your process for Vendor Information Change. We find deep vulnerabilities in this area. If your business ever pays money to any vendor, you need to be doing these things. Fraud involving Vendor Information Change happens swiftly, carries incredibly high-dollar consequences, and, because it often uses an unsuspecting employee from your own organization, is frequently not covered by insurance.
Let's look at a case study we worked with recently.
The victim organization received an email from someone they believed to be an established vendor.
The attacker used an email address very close to the valid vendor’s address.
The attacker requested a change in payment and provided a new bank account and routing number.
The employee made the change.
The organization made a vendor payment to the new account.
Shortly thereafter, the actual vendor called to ask why they had never been paid.
The victim organization realized they had been tricked. In one routine transaction, they sent a vendor payment of half a million dollars to a criminal. Half a million dollars gone in one moment because of one email exchange.
So, what can we do to stop this?
1) New Vendor Establishment Process
When establishing new vendors, be sure your procedures are thorough, documented, and taught to employees. DFG provides a complete New Vendor Establishment form that includes vetting and validation that extends far beyond simply accepting a W9. Starting your vendor relationships with strong documentation prepares your organization and employees to expect and uphold this level of validation throughout the course of your business together.
*For a Sample New Vendor Establishment Form, Contact Us
2) Vendor Information Change
At DFG we expect vendor changes to be documented in writing through a specific form. If you take one lesson away today, let it be this: use a Vendor Information Change Code. This code MUST be provided by the vendor in order to make changes.
To do this, provide a New Vendor Information packet for vendors to keep on file. Include a change code discreetly somewhere in these papers.
If they reach out to make changes to their account information, call their attention to this code and ask them to read it to you to confirm their identity. They may have to search and shuffle papers a bit, but they should be able to tell you this code. This is how you know you are speaking directly to your real vendor. If you are speaking with a fraudster, not only will they have zero knowledge of the code, but if you mention the word “code” they realize your organization is not an easy target. It doubles as an alarm system sign in your window. You are communicating “We check our information. We are diligent.”
If your vendor can’t find their code, have other detailed procedures in place for them to verify their identity. Offer to mail another one to the address you already have on file. It may feel excessive, but remember that a single transaction with the wrong person can cost hundreds of thousands of dollars.
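The change-code procedure above can be made part of the accounts-payable workflow rather than left to memory. The following Python is an added illustration written for this article, not DFG's form or software; the vendor file, vendor ID `V-1001`, and the record fields are constructed examples. It stores only a salted hash of each code (so someone who can read the vendor file cannot read every vendor's code), tolerates the way a code is read aloud over the phone, and refuses to touch bank details when the caller cannot produce the code or when no code is on file yet.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample vendor file (hypothetical): the record the organization keeps.
# The change code is never stored in clear text, only its salted hash.
VENDOR_FILE = {
    "V-1001": {
        "name": "Example Supply Co.",
        "email": "ap@example-supply.test",
        "bank_account": "000111222",
        "change_code_hash": None,
        "change_code_salt": None,
    }
}


def _normalize(code: str) -> str:
    # Vendors read the code over the phone, so ignore case, spaces and dashes.
    return "".join(ch for ch in code.upper() if ch.isalnum())


def _hash_code(code: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, 100_000).hex()


def issue_change_code(vendor_id: str) -> str:
    """Generate a fresh code for the New Vendor Information packet and record its hash.
    The clear-text value is returned once so it can be printed into the packet that is
    mailed to the address already on file; it is not kept anywhere else."""
    code = "-".join(secrets.token_hex(2).upper() for _ in range(3))  # e.g. 1A2B-3C4D-5E6F
    salt = secrets.token_bytes(16)
    record = VENDOR_FILE[vendor_id]
    record["change_code_salt"] = salt
    record["change_code_hash"] = _hash_code(code, salt)
    return code


def verify_change_request(vendor_id: str, spoken_code: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a requested change to vendor details may proceed.
    Returns (allowed, reason); every refusal names the fallback procedure."""
    record = VENDOR_FILE.get(vendor_id)
    if record is None:
        return False, "unknown vendor: treat as a new vendor and run the establishment process"
    if record["change_code_hash"] is None:
        return False, "no code on file: mail a code to the address on file before any change"
    if not spoken_code or not _normalize(spoken_code):
        return False, "caller could not provide the code: mail a new code to the address on file"
    provided = _hash_code(spoken_code, record["change_code_salt"])
    # Constant-time comparison so a mismatch reveals nothing about how close the guess was.
    if not hmac.compare_digest(record["change_code_hash"], provided):
        return False, "code mismatch: do not change details, escalate as suspected fraud"
    return True, "code verified: proceed with the documented change form"


def apply_bank_change(vendor_id: str, spoken_code: Optional[str], new_account: str) -> Tuple[bool, str]:
    """The only path that writes new bank details, and it runs the check first."""
    ok, reason = verify_change_request(vendor_id, spoken_code)
    if ok:
        VENDOR_FILE[vendor_id]["bank_account"] = new_account
    return ok, reason


if __name__ == "__main__":
    mailed_code = issue_change_code("V-1001")
    print("printed into packet:", mailed_code)
    print(apply_bank_change("V-1001", "0000-0000-0000", "999888777"))  # refused
    print(apply_bank_change("V-1001", mailed_code.lower(), "999888777"))  # allowed
```

The code itself is only half of the control: the verification happens on a call the organization places to the phone number already on file, never on the inbound email or the number printed in it, and a refusal ends with mailing a fresh code to the address on file rather than with an exception for a persuasive caller.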
3) Anti-Fraud Education
In 2019 the BBB discovered that before training, 30% of employees were likely to click on malicious links or disclose sensitive information to outside parties. After training on social engineering and MITM attacks, only 2% of employees were likely to respond to these types of suspicious communication. Teach your employees about this common type of fraud. Give them a healthy skepticism when they are dealing with sensitive information.
You can teach quick, simple tricks like hovering over the contact information of an email (to verify the actual address).
Make sure vendor email addresses match the address you have on file letter for letter, punctuation included.
Teach your organization the common vocabulary of fraudsters, “request follow up”, “urgent”, “important”, or simply “Are you at your desk?”, which is used to move an employee from email to a phone call, where the fraudster can push the fraud through more quickly.
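The three checks just described (look at the real address behind the display name, compare it character for character with the address on file, and notice the urgency vocabulary) can be run by a small screening script before anyone acts on a message. The Python below is an added example for this article, not code from DFG; the vendor, the on-file address `ap@example-supply.test`, and the sample message are constructed. Beyond the exact-match rule in the text, it also reports when an address is merely a near miss, since a one-character substitution in the domain is exactly what the case study describes.

```python
from email.utils import parseaddr
from typing import Dict, List

# Phrases the article lists as typical fraudster vocabulary (matched case-insensitively).
URGENCY_PHRASES = ["request follow up", "urgent", "important", "are you at your desk"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_message(header_from: str, subject: str, body: str, address_on_file: str) -> Dict:
    """Flag a vendor email that should not be acted on without a phone callback."""
    display_name, actual_addr = parseaddr(header_from)  # the address behind the name
    # Mailbox domains are case-insensitive, so compare lower-cased; every other
    # character must match exactly, as the article instructs.
    actual = actual_addr.strip().lower()
    on_file = address_on_file.strip().lower()
    distance = edit_distance(actual, on_file)

    text = (subject + " " + body).lower()
    urgency_terms: List[str] = [p for p in URGENCY_PHRASES if p in text]

    result = {
        "actual_address": actual_addr,
        "sender_matches": distance == 0,
        # A near miss (a few characters off) is the classic lookalike address.
        "lookalike": 0 < distance <= 3,
        # A friendly display name wrapped around a different address is what
        # hovering over the sender reveals.
        "display_name_hides_other_address": bool(display_name) and distance != 0,
        "urgency_terms": urgency_terms,
    }
    if not result["sender_matches"] or urgency_terms:
        result["recommendation"] = ("STOP: do not change any details or pay; call the vendor "
                                    "on the number already on file and ask for the change code")
    else:
        result["recommendation"] = "OK: route through the normal documented workflow"
    return result


if __name__ == "__main__":
    # Constructed sample message modelled on the case study in this article.
    report = screen_message(
        '"Example Supply Co." <ap@examp1e-supply.test>',
        "URGENT: updated banking details",
        "Are you at your desk? Please call me so we can update our account today.",
        "ap@example-supply.test",
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

The script is a teaching aid rather than a mail filter: its value is that it prints the actual address next to the one on file and names the phrases that were used, so the employee sees the same things the hover-over trick and the vocabulary lesson are meant to train them to notice.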
The same 2019 study found that if an employee responded to the initial email sent by a fraudster, they were 10x more likely to send money out of the organization. Give your employees the resources to recognize this type of attack.
When compared to the amount of loss you can suffer, these controls are simple, effective ways to protect your organization. For education, share this article or play this video for the members of your organization. Raise awareness, and that healthy skepticism, among your team immediately.
Empowering small businesses to develop strong Anti-Fraud Programs is our mission. We provide consultations to design, evaluate, and improve your anti-fraud program. You can also get a step-by-step guide to design a program that can be tailored for your specific needs by purchasing Steve Dawson’s book, Internal Control/Anti-Fraud Program Design for the Small Business.
If you think there may already be fraudulent activity in your company, contact us today through our website.