Risky Business E2: Higher Education Vendor Fraud-PaymentWorks

by Angela Sarno

VP Marketing

Risky Business with PaymentWorks: E2–Treasury in Higher Ed

We first published on this topic back in September 2020. We’re updating it now, in January 2024, because higher education vendor fraud is always lurking around the corner.

When it comes to vendor fraud, no one is safe. Worse yet, decentralized organizations – like higher education institutions – face increased threats.

Things tend to progress a little more slowly and it can be hard to get everyone on the same page about standardizing vendor onboarding and management processes.

But all hope is not lost! With the right attitude and a dedication to best practices, you can keep the bad guys away.

Listen to the Full Episode

Key Takeaways on Higher Education Vendor Fraud

#1. View higher education vendor fraud prevention as mission-critical

#2. Higher education vendor fraud does not give it a rest

#3. Make “no exceptions” a rule

#4. A lot goes into selecting safe vendors

#5. Sharing is caring

#6. Day-to-day vigilance required

Must-Read Episode Quotes on Higher Education Vendor Fraud

Check Out the Transcript

Get Ready for Vendor Management Appreciation Day 2024

Want Help Aligning Your Teams on Higher Education Vendor Fraud

Interested In Regular Higher Education Vendor Fraud Tips?

Want Personalized Guidance on Higher Education Vendor Fraud?

Listen to the Full Episode

Welcome to another episode of Risky Business with PaymentWorks!

Valarie Van Vlack, Assistant Vice President and Treasurer at Texas State University, discusses the role of Treasury in supporting the university’s mission, as well as the ubiquity and creativity of fraudsters attempting to scam higher education institutions.

Enjoy the excerpt below and listen to the full episode here.

PaymentWorks Presents Risky Business Episode 2: Valarie Van Vlack

Key Takeaways on Higher Education Vendor Fraud

#1. View higher education vendor fraud prevention as mission-critical

Valarie says that her previous experience working for a Fortune 500 company opened her eyes to the ways things are different in higher education.

While things may progress more slowly when it comes to vendor management in higher education (thanks to decentralization), processes and procedures are still key.

The primary difference is that the treasury function in higher education aims to support the university’s mission. Listen to another podcast guest, Jenn Glassman, talk about the ties between procurement and an organization’s mission:

A university’s mission includes many facets. Researchers are focused on getting research done. Sometimes that requires tools and instruments – and those things require payment.

So there can be a sense of urgency around making payments so people can get the things they need to do their jobs. As a result, without the right guardrails in place, people can unknowingly open the door to fraud.

With the right processes and procedures, however, you have a bit of protection against things getting too out of control. So if you can look at those things as also mission-critical, you can have a mindset shift that helps support the university’s mission while also preventing vendor fraud.

#2. Higher education vendor fraud does not give it a rest

In higher education, vendor fraud targets everyone. While Valarie says treasury spends a good amount of time preventing payments fraud – and focusing on security in that area – she also works with IT regularly.

In some cases, they are required to do so. As part of their “red flags” requirement, the school must report any fraud attempts to the CFO or the administrator, which should then be discussed with the board.

As a result, an annual report is created documenting any entities that tried to attempt impersonation fraud. Valarie notes that her reports may not always be long, but IT regularly sees 600-700 lines of phishing attempts – and students falling for the phishing attempts.

Between 38,000 students on campus and 4,000+ employees, it’s a (busy) full-time job making sure those attempts are caught and prevented.

#3. Make “no exceptions” a rule

“We have made it a rule at the university that no wire will happen from just an email from a CFO or the president,” Valarie says.

She’s alluding to the common culture issue many organizations face where leadership makes exceptions to documented processes (Yours aren’t documented? We can help.) to make a change.

She says that many organizations are resorting to putting senior-level executives behind a firewall so you can’t just get their information by surfing the web.

But that doesn’t go far enough.

Valarie adds, “If it sounds out of character, pick up the phone and contact the person…It really needs to be going through the correct process. And we will take our time in order to make sure that it’s correct.”

#4. A lot goes into selecting safe vendors

Higher education vendor fraud is just one slice of the risk pie. Valarie notes that payment card fraud is also prevalent. To cast a wide net in preventing all types of fraud, the IT security, IT networking, treasury, and ecommerce teams all work together.

“When a vendor wants to do business on our campus and wants to take payments, it’s vetted through [what’s] called the electronic payment team,” Valarie says. “And we look at how they set up their networks, how they’re processing the information, where that information goes, how much is stored, are they certified? There [are] a lot of things that we need to make sure of in order to protect our students.”

The primary focus is on selecting safe vendors so students can feel secure using their credit cards. It protects the students and it guards against reputational damage that might result from a bad situation.

Valarie also speaks to the importance of sharing information but admits that it can be hard to talk about fraud.

“No one wants to admit that they got hit and how they got hit because somebody found a weakness within their controls and was able to use that to their advantage, right?”

But that’s how best practices come into existence – and how everyone benefits.

#6. Day-to-day vigilance required

Valarie points out that the good guys are always half a step behind, regardless of the solution.

At our in-person event in 2023, risk management expert Linda Miller seconds this opinion, noting that fighting fraud is getting harder to do:

At the end of the day, fraudsters are working hard to figure out how to use technology to their benefit – even the kind designed to stop higher education vendor fraud.

Another complication is that, as technology advances and more third parties get involved in the solutions, those third parties have to be validated as well. It can become an unwieldy web of verifications, validations, and blocked fraud attempts.

Ultimately, Valarie says it’s a mix of education and keeping policies and procedures current. Following best practices and being cognizant of higher education vendor fraud (and other fraud) risks lurking around the corner is necessary.

Must-Read Episode Quotes on Higher Education Vendor Fraud

“Let’s just say that if it sounds fishy, then you should investigate.” (12:11)
“We have made it a rule at the university that no wire will happen from just an email from a CFO or the president. It really needs to be going through the correct process. And we will take our time in order to make sure that it’s correct.” (12:11)
“Everybody wants the new and best thing, but we’ve got to make sure that the vendors that we approve for our campus are safe for the students to use the credit cards because really, it’s our reputational risk at stake.” (15:53)
“At the end of the day, it’s everybody’s responsibility. And I can’t stress this enough, the fraudsters try to find the weakest link in the system. And so in higher ed, you have a big city. There’s a lot of different responsibilities and a lot of hats that people use. And you just really have to have all the controls in place, no matter if we’re higher ed or we’re Fortune 500.” (25:41)
“It’s just being vigilant on a day-to-day basis, knowing what’s happening in the industry, sharing those stories, understanding how that may affect the university in itself, and just really being cognizant of it on a day-to-day basis.” (34:43)

Check Out the Transcript

Taylor Nemeth: Let’s start with you walking us through how you ended up working in treasury, and what treasury means.

Valarie Van Vlack: I found treasury by accident. I started at a Fortune 500 company, ended up going for a job that reported to the treasurer. He was super supportive, and so he wanted me to become certified in treasury. My job evolved from a day-to-day analyst to a treasury professional. I am a certified treasury professional now, and I’ve been in some type of treasury role since the 1990s, first at a Fortune 500 company, and then I was hired by Syracuse University. I found the mission of higher education to be really compelling, and I really enjoyed the work. After I was at Syracuse for about 13 years, I became the treasurer at Texas State University, and I’ve been here for 12 years.

Taylor: What is unique about higher ed treasury departments versus other industries? So you had mentioned you worked for a Fortune 500 company. What do you feel are the key differences?

Valarie: We are involved in enrollment management. I think the nature of things progress at a slower pace in higher education, and that’s kind of an understatement. But researchers really want to focus on their mission, not processing paperwork or waiting for the vendor to be paid. And so they may be pushing a little bit hard because they’re waiting for an instrument, or some kind of research to be done. And the urgency of that payment being done that day. And our university mission, our area is to support the rest of the university. We’re a support arm in the university, so we try to take that into account while also being understanding. But we do have to have the processes and procedures in place.

We also are known as having open source systems. So the attempts of fraudsters on a daily basis is insurmountable. IT gets hit from various entities throughout the world trying to penetrate our system. So we really have to have a good IT security system as well.

Taylor: If somebody is trying to get into your ERP, or trying to get into some other system to grab student credentials, be it a social security number or a bank account, does that risk ultimately roll up to treasury as well? Or is it shared?

Valarie: It’s shared. We work very closely with IT security on a number of different matters. For instance, we have a requirement called the red flags, where any fraud attempts need to be reported to the CFO or your administrator of the program. So annually, we create a report of any entity that an imposter tried to enter to try to give us information, and it didn’t seem right. So we have to record that. My reports are very short for a lot of other business units on campus, but IT is 600 to 700 lines of just phishing attempts and students taking the phishing attempts.

Taylor: Have you placed a lot more importance on email compromise? Email compromise is the largest source of many of these different fraudulent attempts, is that something that the university has thought about?

Valarie: Accounts payable and in the back office processing are very cognizant of it. Let’s just say that if it sounds fishy, then you should investigate. So many universities I’m finding are putting their senior level executives behind firewalls, so that you cannot get their information just by surfing the web. That’s super important when people are just spoofing the internet and giving us an email from your boss asking you to do a wire very quickly because the president needs it, or the president is traveling. Or can you buy some gift cards for us? If it sounds out of character, pick up the phone and contact the person. We have made it a rule at the university that no wire will happen from just an email from a CFO or the president. It really needs to be going through the correct process. We will take our time in order to make sure that it’s correct.

“We have made it a rule at the university that no wire will happen from just an email from a CFO or the president. It really needs to be going through the correct process. And we will take our time in order to make sure that it’s correct.”

Taylor: Can you speak to other types of fraud you have contend with as a higher education treasury professional?

Valarie: People call us pretending they are students, so we do not keep student information in our system. And then there are payment cards. There’s fraud going on almost every minute in the payment card industry. We have a team that works with our IT security and IT networking. When a vendor wants to do business on our campus and wants to take payments, it is vetted through the electronic payment team. We look at how they set up their networks, how they’re processing the information, where that information goes, how much is stored. Are they certified? There’s a lot of things that we need to make sure of in order to protect our students.

There’s a lot of initiatives within dining services and athletics. And everybody wants the new and best thing, but we’ve got to make sure that the vendors that we approve for our campus are safe to the students to use the credit cards because really, it’s our reputational risk at stake.

Taylor: Speaking of reputational risk, we know a lot of higher education institutions have been hit by payments fraud, but almost no one ever talks about it. Higher education is so unique in how everyone is willing to share best practices with each other, but not about this one subject. Why is that?

Valarie: No one wants to talk about fraud. No one wants to admit that they got hit and how they got hit because somebody found a weakness within their controls and was able to use that to their advantage. So I think it’s really interesting in the fact that we need to share this stuff with everybody. And you need to hear from those people. I think that it needs to be really shared.

Get Ready for Vendor Management Appreciation Day 2024

We just celebrated our first-ever Vendor Management Appreciation Day (VMAD)!

It was a big hit and we’re excited to carry the vendor management torch into 2024 with more goodies, events and hat tips toward the good folks at the vendor desk.

VMAD is a holiday geared toward unifying vendor management professionals and celebrating innovation in the field. And the party will continue in 2024!

We’ve been releasing gifts each month to help you supercharge your vendor management efforts. You can learn more here, and grab some of those free vendor management goodies.