Vendor Verification: How NOT to Do it and What to Do Instead
3 Common Vendor Verification Methods That Put Your Organization in Danger
In the course of building our network and our platform, we did what product people do: we talked to the market, specifically about vendor verification and related topics.
When it comes to the risk associated with vendor onboarding, everyone we spoke to was united.
However, when it came to how to solve it, consensus was elusive. Vendor management, AP and Procurement personnel know they should not trust banking information that arrives via email.
That is a given. To solve this, teams seem to focus on verifying vendor banking information.
But what, exactly, does that mean? That’s exactly what this blog will cover.
Generally, vendor bank account verification falls into three buckets:
On the surface, these tactics seem effective. However, they are not infallible in defending the vendor master from infiltration by fraudsters.
The devil, as they say, is in the details.
If your organization is relying on any of these three ways to conduct vendor validation, you are likely leaving holes wide enough for a fraudster to walk right in and cause damage.
Below are explanations of why these methods are no longer reliable. You can use these to critique your own process and build a case to leadership about why your process needs to change.
As a verification tool, this practice started before the digital age. That was when vendors needed to snail mail a W9 and their remit details.
And it largely worked.
The chances of a fraudster intercepting this piece of mail, steaming open the envelope, swapping out documents, and getting this back into the mail stream and delivered, undetected, were close to nil.
Vendor impersonation, as we know it today, was extremely difficult in this world.
Fast forward to today. In the age of digital communications, with email as our trusted delivery source, these documents are now so vulnerable we’d argue they are meaningless.
Why? Because it is so easy to forge them. Emails are easily hacked or spoofed.
Most importantly, a piece of paper does nothing to confirm the ownership of the bank account being offered to you.
For example, I can type any business name I want and put my personal banking details under it. Paper, quite simply, is not proof of the authenticity of the information on it.
For more on authenticity and why that matters, listen to our podcast with David Birch.
If you are still collecting documents via email to confirm vendor banking changes, we urge you to stop this practice immediately.
It’s simply too easy to fall for a fraud this way. Ask the cities of Peterborough or Albuquerque or Rock Island County or Lucas County or this unnamed county in New Mexico or Toyota Boshoku or…you get the picture.
How do your AP staff know they are speaking to the legitimate vendor when the returned call is from an unrecognized phone number?
These days, that’s the exact problem with relying on calling vendors directly to confirm a change they send to you.
Previously, in the pre-Covid world, this technique was pretty solid.
You could look online for an official corporate website, call that number, and ask for the Accounts Receivable (AR) folks to confirm (or not) the information you had on file. Simple.
However, in the Covid world, this is no longer a fail-safe, for the following reasons:
Consider all of the AR staff who are now working remotely. They may call to check voicemail, but when they call you back, it’s not from the official number that you used. It’s likely from a cell phone.
How do your AP staff know they are speaking to the legitimate vendor when the number is unrecognized?
If you cannot get the right person on the phone with an outbound call, and you cannot authenticate the number they are calling from, you cannot be certain the call is from the legitimate vendor.
Relying solely on phone calls may not provide a sufficient audit trail or documentation of the verification process.
In case of disputes or the need for future reference, having a documented record of verification is crucial for accountability and compliance purposes.
Phone calls alone can lack the necessary evidence to support the verification process and can make it difficult to track or provide proof of the confirmation.
Manual phone verification takes work. Contacting vendors individually to confirm changes can be a time-consuming task, especially for vendor desk teams who are already strapped.
As a result, vendor desk staff may speed through phone calls for the sake of time. This can lead to staff not fully vetting the person on the other end of the phone, and possibly routing funds to a fraudster.
More eyes on a problem can certainly help you protect your organization from business payments fraud.
That’s why we encourage you to always have multiple levels of approvals when it comes to any vendor validation and payment information.
However, using only internal approvals as your vendor verification process is borderline reckless.
First, with multiple levels of approval required, decision-making can become time-consuming and cumbersome. This can result in delays in onboarding new vendors or making time-sensitive payments, potentially impacting business operations or relationships with suppliers.
Second, more internal approvals typically means increased administrative burden and complexity. Each level of approval adds another layer of bureaucracy, involving coordination and communication among various stakeholders.
This can lead to inefficiencies, bottlenecks, and increased workload for both the procurement team and approvers.
Additionally, the process can become prone to internal politics and power struggles. Different levels of approvers may have varying priorities, preferences, or biases, leading to conflicts or delays in decision-making.
This can compromise the objective evaluation of vendors and potentially hinder the selection of the most suitable suppliers.
Finally, the pressure on the people in these positions, who are now your only defense, is surely keeping them up at night.
To sum up, multiple levels of internal approvals in vendor verification can enhance control. However, they can also result in delays, administrative burden, reduced agility, and potential internal conflicts.
Finding the right balance between control and efficiency is key to effectively managing vendor verification processes and maintaining strong vendor relationships.
None of these three methods solves your actual problem: the problem of paying a fraudster.
There is no peace of mind when you are not certain your process has done enough.
And we’ve seen it again and again. True peace of mind cannot be achieved with increasingly stringent means for your staff to verify every digit on every payee bank account with every payment being made.
True peace of mind is knowing your staff are no longer vulnerable to being tricked. Knowing your payments have security. Knowing you are paying who you intend to pay, and that you aren’t liable for any mistakes.
Here’s what we recommend that all vendor management teams do.
Re-examine your current vendor verification process. Ask yourself, “Are my employees losing sleep worrying about being tricked?”
If the answer is yes, invest some time and resources into shoring up your defenses–before it’s too late.
PaymentWorks can help you, by the way.
Let’s start with some resources.
Case Study with Cabarrus County and Their $2.5M Problem with a Fraudster
Social Engineering Fraud Never Sleeps: 3 Ways to Prevent It
Business Payments Fraud in Times of Chaos
We’d love to walk through your process with you and talk about security, compliance, efficiency and sleeping better at night.