Help Your Vendors Safeguard Your Company from Cyberattacks

October 06, 2023

When it comes to phishing, scams and other types of fraud, bad actors play their villainous roles to near-perfection — and too often, they get a fat paycheck for your trouble. One of the lesser-known avenues for a cyberattack is through what most companies consider trusted allies: the vendors they do business with. 

Creating a comprehensive vendor management program and keeping it current can help safeguard against these dangerous and costly attacks. By working closely with vendors and trusted banking advisors, you can create a strong first line of defense to stop fraud before schemes take hold..

Verification is the unifying factor

Those at the highest risk of being defrauded often believe they’re safe. Vendors may not know they’re opening the door to scammers. But opportunistic thieves look for vulnerabilities, then patiently wait until they can attack. 

A commonly known crime some criminals use is check-washing, removing and altering information from a paper payment. The modern version of this scheme involves recreating checks intended for the vendors, using the same dollar amount and serial numbers, but having the check payable to the fraudsters themselves. Enrolling in Payee Positive Pay1 may offer a strong way to mitigate all types of check fraud. With this tool, companies provide the bank with a list of checks written. The bank compares presented checks to the list for accuracy before paying them.

Another typical scenario involves bogus invoicing schemes: Fraudsters monitor company or vendor email and discover ways to submit a fraudulent invoice. A lack of proper verification can allow payment of the invoice. 

How to protect yourself? Due diligence can provide a unified line of defense to spot tell-tale signs of fraud, such as two checks or invoices with the same number or invoices that suddenly crop up from a previously inactive vendor. 

Implementing vendor management protocols

Whether your company is large or small, a successful vendor management system can guard against cyberattacks. Understanding each vendor relationship can ensure their validity and vet their fraud protection measures. Your plan may include:

  1. Centralized vendor management: One point of contact can ensure you are monitoring all vendors in your company’s ecosystem. Depending on your company’s size, this may be part of one individual’s job, or it may be an entire department. What’s most crucial is to avoid vendor management being “catch as catch can.” When each individual or department manages their own vendor relationships, you risk having no one addressing the big picture — and fraud can slip through the cracks.

  2. Segregation of duties: This standard financial management tool applies to fraud prevention, too. The same person should not receive an invoice for payment and cut the check or issue the transfer order. Similarly, the same employee should not onboard and pay a vendor. These safeguards make sure teams have each other’s back in terms of monitoring financial processes.

  3. Vendor classification: A well-thought-out framework can enable you to track the risk level of vendors and monitor those you frequently use versus those that are inactive. Vendor management systems can categorize vendors into low-, medium- and high-risk categories for your business. Then, you can establish a set of procedures to deal with each. Be sure to review and update these classifications periodically.

  4. Strong onboarding policies: You may wish to require vendor management involvement during vendor selection and payment processes. When you onboard vendors, it’s smart to engage the company legal department or counsel to review and validate the vendor contract and then forward a fully signed contract to the bank for payment setup, with W-9 information checked for accuracy. 

  5. Consistent vendor management: Again, consistency matters. Reviewing vendor accounts daily can identify potential concerns early, such as unexpected or repeated activity. Ensure that the company team understands how to document appropriate processes and consistently uses them. And it’s essential to stay vigilant with record-keeping. For example: Review each payment, especially new vendor payment requests or any unusual request from a board member. One major red flag is a request to change the payee information for a vendor — the key component of business email compromise (BEC). In many cases, even if your company has a callback process to confirm details, the fraudster will try to trick the victim into calling a number controlled by the fraudster. It is critical that an outbound call is made to a number on file for the vendor, and a known contact confirms the change, before modifying any payment instructions.

Bank support on many levels

Connect with a local relationship officer to learn more about how our expert bankers can help protect your community management company from fraud with tools for stronger vendor oversight and management. 

1.    Requires enrollment in Business Online Banking. Refer to disclosures provided at account opening, the Business Schedule of Fees, and Pro Forma for additional information.