Vendor Impersonation Scams
A TMANY NY Cash Exchange Conference Wrap Up
Last week, I had the honor of presenting at the TMANY 2022 Cash Exchange Conference alongside Christopher Arehart, SVP, First Party Product Manager, North America Financial Lines at Chubb. We had one hour to share with treasury professionals everything we wanted them to know about vendor impersonation frauds, why they are successful, and how to address organizational risk in the vendor onboarding and management process. (For the record, I believe Chris and I could actually speak for a solid six hours on this subject, so it was a tall order to fit it into 60 minutes!)
For those of you who were not able to attend the exceptional TMANY event, I offer the following quick takes on our subject:
- A good vendor impersonation scam will be impossible for your staff to spot. (Yes, impossible).
- Social engineering losses are generally not covered by crime or cyber insurance policies (or if they are, they have very low limits).
- If you cannot audit your vendor onboarding and change process, then it’s not actually a process, and it’s likely not insurable.
Let’s dig in.
Number 1: A good vendor impersonation scam will be impossible for your staff to spot.
Fully consider what you are asking your staff to do when you train them on vendor impersonation scams. Did you hire them to be forensic accounting detectives? These fraudsters are not amateurs- they are doing this for a living, they are sophisticated, they are patient and they know which points in the process are susceptible to pressure.
It has often struck me that the humans in an organization responsible for spotting and stopping vendor impersonation scams have an inordinate amount of organizational risk on their shoulders. Chris did the math for us during the event and calculated that a single mistake averages a quarter of a million dollars in stolen funds for an organization. I promise you that someone on your staff is losing sleep right now worrying about making that single mistake.
“You can have the best front door in the world, but if the other side is compromised, there is nothing, and I mean nothing, that can spot a real email [that] just has bad information in it.” – Christopher Arehart, Chubb
Here is a provocative thought for you: I believe that the actual goal of all of the hoops and training and stress these individuals go through is not about validating or verifying bank account ownership. What you are actually asking of your staff is this: do not lose money to a fraudster. But they probably still will. With that single mistake. Validation or verification don’t solve for this. What solves for this is transferring risk off of the organization. (Full disclosure & plug: PaymentWorks does this.) Short of offloading this risk, your process and your people will have to bear the stress.
Number 2: Social engineering losses are usually not covered by crime or cyber insurance policies (or if they are, they have very low limits).
Vendor impersonation scams fall into a no man’s land between coverage by crime policies and coverage by cyber policies. They typically result in losses, not because your organization was hacked, but because your vendor’s organization was hacked, and your cyber policy will not cover this. And since your employee did not do anything wrong (on purpose), aka, no employee malfeasance, your crime policy will not kick in. Social engineering losses generally need to be called out specifically in your policy to qualify for coverage. Check in with your risk folks today to determine if your current coverage includes when an employee gets tricked, and if so, how much will it cover? (Guessing not much. 👇)
“Our insureds have suffered nearly $140M in losses since 2017. The vast amount of this is uninsured. There is not a lot of insurance in this space. When you consider $43B [in losses], there isn’t enough capital in the marketplace to cover these types of losses.” Christopher Arehart, Chubb
Number 3: If you cannot audit your vendor onboarding and change process, then it’s not actually a process, and it’s likely not insurable.
In the summer of 2021, a small town in NH fell victim to three vendor impersonation scams in four weeks. THREE! The postmortem on these events uncovered that the vendor onboarding and change process was not followed in any one of these instances. And the folks who created the process had no idea. Same thing in Albuquerque, where three different employees were all involved in not following the process. I could link a dozen more articles here, but I think you get the point. My first takeaway above about these scams being impossible to spot? Well, when the process to actually spot them is in place, but no one is doing it that is problem as well. Not following the process will not go over well with your insurance carrier when you file a claim.
“Underwriters want to see details. They want to see your actual procedure and how it is audited. The most important question in my mind is: do you attempt to verify changes to vendor information by a phone call to a number that’s known ahead of the change, and can you prove you did this?” – Christopher Arehart, Chubb
It’s scary stuff, yes. Especially for the humans standing guard over your vendor file. Most of them, even the ones not necessarily following the process, are just trying to be good soldiers. They are trying to move quickly to keep your organization running smoothly. They are trying their very best to serve the team’s goals. If it’s this easy not to follow your process, or for them to make an honest mistake, it’s time to start again from the beginning and ask yourself: what am I trying to accomplish with my training, my process and my tools? Then ask yourself: is it working? Then, finally, ask yourself: can I prove it?
Read the Free Whitepaper from Chubb and PaymentWorks: Guarding Against Social Engineering Fraud: Re-examining a Global Problem
