Corporate Cybersecurity Insights: Vendor Payment Diversion Scams

By Keiter CPAs


Six tips to identify and prevent vendor impersonation and other scams

Scammers are increasingly sophisticated in their attempts to defraud businesses. One of the most common scams is payment diversion: an imposter poses as a trusted company's vendor and sends new invoice payment instructions. In 2020, Nacha (the National Automated Clearing House Association) reported 75,000 vendor impersonation schemes, with losses of over $2.7 billion.

Example of a Vendor Impersonation Scam

An attacker compromises ABC Services Company's systems and the email account of Ann Brown, one of its employees. Sending from Ann Brown's real mailbox, the attacker emails ABC Services Company's client, Smith Corp, to say that invoice payment instructions have changed, and directs Smith Corp to wire all future payments to a different bank in Sweden. Because the message comes from a genuine account, nothing about the sender address looks wrong.

Smith Corp directs invoice payments to the new bank which total over $65,000.

Smith Corp discovers the fraud when an ABC Services Company employee contacts them regarding unpaid invoices.

This is one example. Other variations of the vendor impersonation payment scam include instructions to update the bank account and routing number used for ACH payments. Responding to these attacks in a timely manner is particularly difficult because detection is often delayed: the fraud usually comes to light only when the real vendor follows up about invoices that were never paid, by which time several payments may have gone to the attacker's account.

Steps your company can take to avoid payment and phishing scams

1. Train Your Employees

Your best defense is an informed workforce.

  • Sharpen your employees’ awareness of cyber threats and help them learn how they can play a role in defending your company.
  • Train them to be vigilant and to question any unusual requests.
  • Provide an employee education and awareness program to keep employees up to date on the latest fraud techniques and threats.
  • Frequent employee training on how to recognize malicious actors is an essential piece of any cybersecurity plan.

2. Verify the Request

If you receive an email or phone call requesting a change in payment instructions:

  • Verify the request with the vendor by calling a phone number that was already on file before the request arrived.
  • Do not use the contact information provided in the email or in the new invoice; the scammer controls those channels.
  • Do not rely on replying by email. In the example above, the vendor's own mailbox is under the attacker's control, so an email confirmation would come back from the attacker.

3. Check the Invoice

Scammers often create invoices that look like the invoices your company already receives, including the names and logos of the vendor they are impersonating. They know that when an invoice is for something critical, such as keeping your website up and running, you may pay first and ask questions later. Once a payment has been made, you may not be able to recover the funds. It is important to set up a review process for every invoice your company receives.

  • Match the invoices submitted by a vendor against financial documents like purchase orders and payment receipts.
  • Validate any payment requests received via email. Call the sender at a phone number known to your company and verify the request.

4. Use Secure Payment Methods

Scammers favor payment methods that are hard to reverse. They often want payment through wire transfers, reloadable cards, or gift cards that are nearly impossible to recall or trace once the funds have been moved on. Use payment methods that can be traced and reversed if necessary, and treat a sudden request to switch from ACH to a wire, or to a foreign bank, as a warning sign in itself.

5. Establish Effective Internal Controls

To effectively combat vendor fraud, organizations need to establish effective internal controls.

  • Segregate duties so that no one individual is in a position to control all parts of a business transaction.
  • Implement dual controls by requiring two users to be a part of a transaction. Vendor fraud thrives in organizations where just one employee vets vendor invoices and can also change where they are paid.
  • Conduct regular audits of both your business transactions and your IT infrastructure.
  • Perform periodic reviews of changes made to the vendor master file by someone who is independent of the vendor setup process, and pay particular attention to bank-detail changes made shortly before a payment.
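The following is an added example, not Keiter's tool or any accounting system's code, showing how the checks in tips 2, 3 and 5 can be run over a vendor master change log and a payment ledger. The change log, payment records, field names and the 30-day review window are constructed assumptions for illustration; a real review would read the same fields from the ERP's audit trail.

```python
"""Independent review of vendor bank-detail changes and the payments made against them.

Constructed example: the change log and payment ledger below are made up to mirror
the ABC Services Company / Smith Corp scenario. Field names are assumptions, not any
particular ERP's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BankChange:
    vendor: str
    changed_on: date
    requested_by: str            # AP user who keyed the change
    approved_by: Optional[str]   # second user who approved it, if any
    callback_verified: bool      # confirmed with the vendor at a number already on file?
    account_last4: str           # last four digits of the new account number


@dataclass(frozen=True)
class Payment:
    vendor: str
    paid_on: date
    amount: float
    account_last4: str


# Assumption: a payment within this many days of an unverified change is suspect.
REVIEW_WINDOW_DAYS = 30


def review_bank_changes(changes: List[BankChange]) -> List[Tuple[str, date, str]]:
    """Flag every bank-detail change that fails dual control or lacks a callback."""
    findings = []
    for c in changes:
        if c.approved_by is None:
            findings.append((c.vendor, c.changed_on, "no second approver"))
        elif c.approved_by == c.requested_by:
            findings.append((c.vendor, c.changed_on, "requester approved own change"))
        if not c.callback_verified:
            findings.append((c.vendor, c.changed_on, "no callback verification on file"))
    return findings


def payments_to_unverified_accounts(changes: List[BankChange], payments: List[Payment],
                                    window_days: int = REVIEW_WINDOW_DAYS) -> List[Payment]:
    """Return payments sent to an account that changed within the window without a callback."""
    suspect = []
    for p in payments:
        for c in changes:
            same_account = c.vendor == p.vendor and c.account_last4 == p.account_last4
            in_window = c.changed_on <= p.paid_on <= c.changed_on + timedelta(days=window_days)
            if same_account and in_window and not c.callback_verified:
                suspect.append(p)
                break
    return suspect


# Constructed data: one change keyed and approved by the same clerk with no callback,
# one change that went through dual control properly.
CHANGES = [
    BankChange("ABC Services Company", date(2023, 5, 2), "ap.clerk", "ap.clerk", False, "7781"),
    BankChange("Office Supply Co", date(2023, 4, 10), "ap.clerk", "ap.manager", True, "1120"),
]
PAYMENTS = [
    Payment("ABC Services Company", date(2023, 5, 9), 28_500.00, "7781"),
    Payment("ABC Services Company", date(2023, 5, 24), 37_200.00, "7781"),
    Payment("Office Supply Co", date(2023, 5, 15), 4_300.00, "1120"),
]

if __name__ == "__main__":
    for vendor, when, issue in review_bank_changes(CHANGES):
        print(f"{when} {vendor}: {issue}")
    for p in payments_to_unverified_accounts(CHANGES, PAYMENTS):
        print(f"{p.paid_on} {p.vendor}: ${p.amount:,.2f} sent to ...{p.account_last4} (unverified account)")
```

Run over the constructed data, the review flags the ABC Services Company change twice (the requester approved their own change and no callback is recorded) and lists both payments to the new account, $65,700 in total; the Office Supply Co change passes. The point of the second check is timing: a bank-detail change that is followed quickly by a payment, with no callback on file, is exactly the pattern in the example above, and reviewing it the same week rather than at year-end is what makes a wire recall possible.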

6. Be Aware of Common Scams

Scammers regularly find new ways to collect your financial data.

  • Be aware of these scams and take steps to prevent them.
  • Build a network of business peers who can share information about new cybersecurity threats they become aware of.

By following these tips, businesses can reduce their exposure to scams, including vendor impersonation. It is important to be vigilant and to question any unusual request, especially one that changes where money is sent. By doing so, businesses can avoid falling victim to these scams and protect their financial resources.

Has your business been targeted by a scam? Report it!

Scams should be reported to the Federal Trade Commission (FTC) online or by phone at 1-877-382-4357. Reporting fraud to the FTC helps the government investigate and bring cases against scammers. If money has already been sent, also contact your bank immediately to request a recall of the wire or ACH transfer and file a complaint with the FBI's Internet Crime Complaint Center (IC3); recovery is far more likely in the first hours and days after the transfer than weeks later.

For assistance meeting your company’s cybersecurity governance needs, contact your Keiter Opportunity Advisor or our Cybersecurity specialists today.

Download Keiter’s Cybersecurity resource guide for quick tips on how to defend against cyber threats:


About the Author

Keiter CPAs

Keiter CPAs is a certified public accounting firm serving the audit, tax, accounting and consulting needs of businesses and their owners located in Richmond and across Virginia. We focus on serving emerging growth businesses and companies in the financial services, construction, real estate, manufacturing, and retail & distribution industries, as well as nonprofits. We also provide business valuations and forensic accounting services, family office services, and inbound international services.


The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
