Vendor fraud is commonly used by scammers to steal from businesses of all sizes. It often involves faking vendor information to redirect payments from the accounts payable (AP) team to a fraudster’s account. Whether committed by an internal employee, an outside third-party, or a combination of the two, the goal of vendor fraud is ultimately the same: to steal funds. Let’s take a closer look.
Key takeaways
- Vendor fraud should be a critical concern for financial departments as it can lead to high costs, slowed operations, and reduced customer and vendor trust.
- Understanding the common attack types and signs of vendor fraud are key to maintaining secure financial transactions.
- AP automation can help curb vendor fraud by enabling direct submission of invoices to the AP system, limiting access to invoices, and providing internal controls.
What is vendor fraud?
Vendor fraud is a type of financial fraud where the perpetrator deceives an organization into making payments to fraudulent accounts. Fraudsters typically accomplish this by faking vendor invoices or recipient payment information.
This type of fraud is committed by anyone with access to vendor or payment information, including internal employees, staff from a vendor’s organization, or outside third parties who have stolen relevant account information. This last group is most commonly responsible for committing vendor fraud, most often by swapping out the vendor’s payment information with their own to redirect then steal funds.
These external bad actors can obtain necessary payment information through a variety of tactics, including: social engineering, hacking, or phishing scams. Successful vendor fraud attempts can be devastating for organizations, causing significant financial losses and reputational damage. Therefore, it is crucial for businesses to implement effective measures to prevent and detect vendor fraud before it’s too late.
Examples of common vendor fraud types
Understanding the common types of vendor fraud helps organizations better protect themselves from falling victim to similar schemes. Here are just a few examples of vendor fraud to look out for.
1. Vendor imposter fraud
Vendor imposter fraud is when someone poses as a legitimate vendor to mislead a company into making fraudlent payments. This can be done through fake or forged invoices, or altered contact details, to reroute payments to the fraudelent actor rather than the true vendor. This type of vendor fraud can lead to significant financial losses for the company so it’s critical to put secure processes in place to ensure accurate vendor and payment information is being used in all financial transactions.
2. Check tampering
Check tampering is another common type of vendor fraud where a fraudster alters or forges checks to divert funds to their account. The fraudster may steal a check from the organization or intercept a check that is meant for a legitimate vendor, then alter the payee information or amount on the check.
Alternatively, the fraudster may create a fake check using stolen or fabricated information. In some cases, the fraudster may also intercept a check and then deposit it into their own account before it reaches the intended recipient. According to an AFP report, checks are the most vulnerable to fraud with roughly 65% of respondents saying their organization experienced check fraud.
3. BEC emails
Business email compromise (BEC) emails are a type of cybercrime where a fraudster gains access to an organization’s email system and then impersonates a senior executive, vendor, or supplier to trick an employee into transferring funds or providing sensitive information. This type of fraud often involves social engineering tactics, such as creating fake email addresses or domain names that appear to be legitimate.
One common form of BEC fraud involves a fraudster impersonating a vendor and requesting a change to their payment information. The fraudster may ask the organization to update their payment information to a new account, which is actually controlled by the fraudster, leading to funds being transferred to the fraudulent account.
4. Overbilling
Overbilling happens when a vendor attempts to manipulate invoicing to charge an organization more than the previously agreed amount for a particular good or service. When there are gaps in the procurement process like reduced human oversight or otherwise ineffective internal controls, it provides fraudulent vendors with an opportunity to take advantage of discrepancies in financial data that aren’t likely to be caught immediately. This type of fraud can be done by either inflating costs on invoices or submitting duplicate or fake charges.
5. Bid rigging or price fixing
Bid rigging typically involves multiple vendors working together to manipulate the bidding process for contracts. This collusion allows them to effectively set the price by submitting fraudulent high or low bids to highlight a particular bid over others. Vendors may take turns on who wins the contract, leading to stifled competition and often inflated contract prices.
6. Kickbacks
A kickback is a payment made to an organization’s employee, typically a key decision-maker, in exchange for things like awarded contracts. These payments are usually made in private as hidden bribes and are aimed at persuading the employee to a particular vendor. This stifles fair competition and leads to higher prices, in addition to laying the foundation for corrupt business practices overall. Preventing these attacks can be difficult and often requires thorough transparency and that stringent policies be put in place to monitor transactions and employee relationships.
Who is at the highest risk for vendor fraud?
Vendor fraud can happen to any organization, but small and medium-sized organizations are particularly vulnerable. These organizations often have less robust security measures in place, making it easier for fraudsters to obtain the information they need to steal funds. Additionally, small teams often rely heavily on a few employees to execute the vendor and payment functions, which can lead to overburdened staff and increases in human error. Smaller teams can also lack the resources to segregate AP duties as typically recommended. This creates opportunities for individuals to manipulate payments and records without getting caught.
Larger organizations have more resources and established protocols in place to minimize the risk of fraud. These can include: risk assessments, internal controls, and trained staff to detect and prevent fraud. As a result, fraudsters tend to view larger organizations as harder targets but it doesn’t mean they’re totally in the clear.
It’s important to note that vendor fraud can still occur at large enterprises. Even with robust internal controls and security measures, fraudsters constantly find new ways to exploit weaknesses in security systems and processes. That’s why it’s important for all organizations, regardless of size, to remain vigilant and proactive in their efforts to prevent and detect vendor fraud.
What are the signs of vendor fraud?
Identifying vendor fraud can be challenging, but there are certain warning signs that organizations should look out for. Here are some common red flags:
Payments that deviate from normal procedures
Any payment that is significantly different from past payment history, such as payments made to a new vendor or a vendor not previously used, may be a warning sign.
Low dollar inconsistencies
Fraudsters often make small adjustments to payment amounts to avoid detection. Look for payments that are slightly different from what is expected, as these small inconsistencies may add up over time.
Duplicate payments
Duplicate payments made on the same date or payments exceeding the contract agreement can be signs of fraudulent activity.
Payments made during non-business hours
Payments made outside of normal business hours, such as late at night or on weekends, may also be a warning sign of fraudulent activity.
Deviations in vendor information
Deviations in vendor information, such as variation in delivery and payment addresses, use of the same purchase order in invoices, or non-sequential invoice numbers, can also be signs of vendor fraud.
By staying vigilant and closely monitoring payment activity, organizations can better detect and prevent vendor fraud. In addition to these warning signs, companies should also consider implementing robust internal controls and utilizing technology, such as AP automation software, to help detect and prevent fraudulent activity.
How to prevent vendor fraud
If an accounts payable team identifies vendor fraud, it’s important to act quickly. The following tips can help you get started:
- Work quickly to understand the breadth and depth of the fraud: Once fraud has been detected, it’s important to act quickly to assess its extent and identify the source to help prevent further instances of fraud and minimize any financial losses.
- Reach out to the bank that processed the payment: Depending on the timing, the bank that processed the fraudulent payment may be able to help recover the funds. It’s important to reach out to the bank as soon as possible to explore this option.
- Alert the affected vendor: Notify the affected vendor as soon as possible if their payment information or email account has been compromised, or if a bad actor is impersonating them to their client base. This helps the vendor take steps to protect their own business.
However, prevention is the real key when it comes to stopping fraud. In the following sections, we outline various methods for stopping vendor fraud before it happens.
Cross-reference payment information
By cross-referencing payment information with a payment order, AP teams will ensure that they send money to the correct account and avoid sending funds to fraudulent accounts. This requires establishing robust internal controls and utilizing technology, such as an AP automation solution.
Teams should also cross-reference vendor payment information history to detect when payment information has been updated to a new account. This can be a red flag that prompts AP teams to further investigate potential cases of fraud, giving them more time to assess the situation and minimize their likelihood of falling victim to vendor fraud.
Validate email addresses
To prevent BEC attacks, organizations should take steps to verify that email addresses actually belong to their vendors. One effective way to do this is to establish a process for validating email addresses. This involves verifying the email address with the vendor directly, using a third-party verification service, or implementing software that helps detect anomalies in email patterns. Organizations should also provide regular training to their employees on how to recognize and avoid BEC attacks.
Have a process for enrolling vendors
Carefully screening and verifying vendor information during the enrollment process helps businesses ensure that only legitimate vendors are approved and that their payment information is accurate.
One effective way to do this is to utilize AP automation software, such as MineralTree. Our platform offers automatic notifications to AP staff whenever vendor payment information is updated. This enables teams to quickly confirm with the vendor if they see a suspicious change made to their account information, such as a new bank account or payment address.
Maintain a database of vendors
Having a database of vendors helps teams identify if a payment request is coming from a legitimate vendor or if it is a fraudulent attempt to steal funds. If there are any changes to a vendor’s payment information, such as a new bank account or payment address, the organization can confirm the change with the vendor before making any payments. This helps minimize the risk of financial losses.
In addition to maintaining a database of vendors, organizations should also establish protocols for regularly reviewing and updating vendor information. This includes conducting background checks on new vendors, verifying their tax identification numbers, and keeping track of their payment history.
Enroll vendors in virtual card
Virtual cards use a unique one-time code that can only be charged for a designated amount. This makes them one of the most secure forms of payment available. Virtual card payments are also more convenient than traditional payment methods like checks, which can be lost, stolen, or tampered with.
By enrolling vendors in virtual card programs, organizations limit the risks associated with traditional payment methods. They can also better track and control their payments, as virtual card transactions are usually automatically recorded in the organization’s financial system.
Segregate duties in accounts payable
If one person holds both the power to approve invoices and authorize payments, they are in a position to make fraudulent payments without anyone else cross-checking their work. By segregating duties in AP, organizations ensure that multiple people are involved in the payment process and that there are checks and balances in place to prevent fraud.
Segregation of duties is achieved by assigning different roles and responsibilities to different individuals. For example, one person could be responsible for approving invoices, while another person is responsible for authorizing payments. Alternatively, an organization could establish a system of checks and balances, where multiple individuals are required to review and approve payments before they are processed.
ACH verification services
ACH verification services verify vendor bank account information, including the account holder’s name, address, and other important information. This helps ensure that payments are being made to the correct account and that the account information is accurate.
ACH verification services also help organizations identify potential fraud by flagging discrepancies or inconsistencies in vendor payment information. For example, if a vendor’s payment information suddenly changes, or if the payment information doesn’t match the vendor’s records.
More information on ACH verification services is available from NACHA.
PO matching
Matching vendor invoices against POs allows organizations to ensure that the goods or services they are being billed for have actually been received and are in line with the terms of the agreement. This involves tracking POs and linking them to vendor invoices. When a vendor invoice is received, the team compares it against the corresponding PO to ensure that the amounts and quantities match up. If there are any discrepancies, the team can investigate further before authorizing payment.
However, PO matching is a time-consuming process, particularly for organizations that handle a large volume of invoices. This is where AP automation software like MineralTree’s platform help streamline the process and make it more efficient. The platform automatically matches invoices against POs, flag any discrepancies, and route them for further review and approval.
Employee support
Employee education and support are going to be among an organization’s strongest defenses against vendor fraud. Awareness and ongoing education is the first step to not only stopping but preventing fraud, and should be considered an integral piece of the fraud prevention plan. Equipped with the right information, employees can better understand how to avoid falling into common vendor fraud schemes and more accurately identify potential risks.
Additionally, consider setting up support systems like an employee hotline or confidential reporting system, which creates a safe space for employees to anonymously report irregularities.
How AP automation helps companies prevent vendor fraud
By enabling direct submission of invoices to the AP system, limiting access to invoices, and providing internal controls, AP automation makes it harder for fraudsters to manipulate payments. In addition to limiting access to invoices, AP automation systems also enable segregation of duty to limit access to sensitive payment information. This minimizes the likelihood of fraud by ensuring that no single person has unchecked control over the AP process.
Another benefit of AP automation is that it provides a record of activities, like when a user approves or authorizes payments, and updates vendor account information. This added visibility and accountability deters internal parties from misusing funds, as they know that their actions are being tracked and recorded. MineralTree’s AP automation platform offers all of these features and more, making it an effective solution for organizations to improve their AP process and prevent fraud.
Final thoughts
By understanding the most common types of vendor fraud and implementing measures to prevent and detect scam attempts, organizations can protect themselves from financial loss and reputational damage.
If you’re looking to improve your organization’s AP process and prevent vendor fraud, MineralTree can help. Our AP automation platform offers a wide range of features designed to streamline your AP process and minimize the risk of fraud. Request a free demo today to learn more.
Frequently asked questions about vendor fraud
TL;DR? If you’re short on time the FAQs below provide a quick snapshot of what you need to know about vendor fraud.
How can companies avoid vendor fraud?
Companies can avoid vendor fraud by having robust internal controls in place. Additioanlly, AP automation tools can cross-reference supplier information, so that teams can avoid human errors that may make companies more suceptible to fraud attempts.
What is an invoice scam?
Invoice fraud or an invoice scam is when a bad actor sends a company an invoice for payment, with the goal of receiving funds for services not performed. Fraudsters will use several tactics to secure payments such as sending look-a-like invoices or sending fake emails.