How to Avoid Love Letters From a Fraudster (and Social Engineering Scams)
All the bad actors you want to avoid — and how to do it.
We recently sent out a series of emails in an attempt to imagine how fraudsters think. Specifically how they think about you. Sometimes, the best way to fight fraud is to put yourself in the fraudster’s shoes and think how they think.
That motivated our cheeky series, and we want to share that thinking more broadly. So in honor of the month of love, we’re highlighting the different types of vendor fraud your organization faces – as told straight from the horse’s mouth.
Aside from sweet nothings from bad actors, you’ll get insights into how you’re at risk and what is at risk. And don’t worry, we won’t leave you hanging. We’ll end on a high note by showing you how to strengthen and fraud-proof your process.
The Top Types of Fraudster Valentines and Social Engineering Scams
‘Tis Better to Have Loved and Lost… Automation
Get Ready For Vendor Management Appreciation Day 2024
The following will include a series of emails from a hypothetical fraudster who has made you his target. Warning: these may not sit well with you as they are genuine threats that face vendor managers everywhere.
After each letter, we’ll recap the type of fraud risk and the implications for the organization.
I’ve been watching you.
I hope that’s not too forward.
It’s true, though. I was able to access your computer system and I’ve been watching….waiting….
I’ve read your emails 💬 with your bosses and your friends in the wire room. I’ve noted when you’re planning on scheduling 📅 certain transactions.
And, don’t tell anyone, but I’m planning on manufacturing an email pretending 🦹 to be a vendor waiting for a payment.
And it’s all thanks to you. I couldn’t have done any of this without you.
I never believed in love at first sight, but this might be close. Your organization’s reliance on manual vendor onboarding has given me the perfect in – and it may well end up as a million-dollar payday 💰.
So this is an ode to you!
Love,
Your Fraudster
Vendor impersonation fraud (aka spoofing aka vendor email compromise)
Vendor impersonation manipulates humans to get them to hand over confidential information or do things they know they’re not supposed to do (like make exceptions to a documented process ::cough cough:: ).
The end goal for these conniving casanovas is to reroute legitimate payments to their bank accounts. Since fraudsters are either accessing or impersonating a real business email, it’s really tough to identify when it’s happening to you.
Plus, your hands are full. Your entire vendor onboarding and management process hinges on a ton of manual tasks. You’re constantly fielding emails from vendors, so who’s to say which are real requests and which are bad actors waiting for you to trip up?
Also disheartening: it’s not getting better, as Chris Arehart from Chubb points out below:
Hello.
I just spoke with Fresh Cutz Paper Suppliers about their banking information. I need you to update the account number to 81928398729048 ASAP 🕒.
Please disregard the usual process for this change, and it needs to be done right away. Make the update by EOD, pay their invoice, and reply to this email to let me know both are complete.
We can worry about the details later. This is really important and could significantly impact our bottom line if it’s not done ASAP.
Can I count on you?
Regards,
Your CEO
P.S. Psssst! Don’t tell anyone, but it’s really me, your dearest fraudster. I know your organization has a culture of breaking vendor payment processes, even though it could cost you hundreds of thousands (or millions) of dollars 💵. You probably think pushing back on these ad hoc requests could cost your job, in fact, I’m counting on that type of thinking 🧠. I also know you’re so underwater with manual tasks that you probably won’t check the “from” address on this email and notice that it’s coming from yourceo@xyz.corp instead of yourceo@xyz.com. Chop chop. There’s lots to be done ⏳, so go ahead and push this request through before the CEO gets annoyed.
CEO fraud (aka phishing aka whale phishing aka CEO phishing fraud)
CEO fraud is especially nefarious because it takes advantage of employees’ allegiance to the higher-ups. It’s also a really, really effective way to edge into organizations that have a culture of breaking processes.
Do you have a boss who’s always asking you to skirt the rules “just this once” for the sake of speed and efficiency? Do you regularly (or at least more often than you’d like) get ad hoc requests that fall outside of the scope of your documented process?
Then you’re at risk.
Fraudsters can use that kind of culture to their advantage. They know that it’s “bad form” to deny a request from the higher-ups. In fact, they’re banking on it, quite literally. So when they send that email from your “CEO,” they know you’ll do exactly what is asked of you and throw the process to the wayside. But in the aftermath, whose neck is on the line for falling for this scam?
Let’s see what your fraudster Valentine thinks:
Hi, it’s me again, your fraudster Valentine.
I just wanted to say how cool I think it is that your organization’s culture embraces ad hoc, out-of-process requests from the higher-ups.
Like last week, when your CEO requested an existing vendor change. It was so lovely of you to update that banking info 📝 and pay that invoice, no questions asked.
It really shows me that you’re a team player. You know when to do as you’re told, even though it breaks protocol (which really helps me out when it comes to siphoning funds 💰🕳️ illegally from your organization via vendor fraud).
I meant to send roses 🌹🌹, but I’m traveling right now. The Caribbean, to be specific 🏖️. It’s beautiful here. And I wish you could be here with me, but I imagine you’ll be busy with your job hunt soon, as soon as your CEO (and the actual vendor (!) ) finds out what happened (and how I’m affording this dream getaway, hehe).
Thinking of you fondly,
yourceo@xzy.corp
My dear,
I see you over there, typing 💻 your little heart out. It’s adorable how intently you focus on entering each vendor’s information. Your attention to detail 🔎 is endearing, if not humanly imperfect.
It’s so endearing that I hate to tell you this, but you mistyped ❌ a number a few vendors back. You entered a “7” instead of an “8.” You also typed in a different vendor’s name, “Uni Weeb Hosting,” instead of “Uni Web Hosting.”
No worries. Your co-worker caught these pesky typos and is about to send you a note 📧 so you can make the changes. Looks like you have a lot on your plate today! LOL
This is good news for me. While you’re spending the next few hours making corrections and checking (and double ✅ and triple checking✅) all the info you’ve entered so far, I’ll be crafting a special email just for you.
Trust me, you’re going to love it.
See, I’m going to send you an email from UniWebHosting.org (your web hosting vendor’s real email address is UniWebHosting.com) in a few minutes.
I’m guessing you’ll be so underwater with data entry that you’ll never catch the difference. And since nobody’s the wiser about my neat CEO trick last week (yet!), you’ll make this change request the same way you made that one. You’re already doubting yourself 🤔 anyway.
You’re so efficient. Twice in two weeks!
Love,
Your Fraudster
More vendor impersonation fraud
These fraudsters will try every maneuver in the How to Fraud playbook. If CEO fraud worked for them before, they might try its pesky cousin, vendor impersonation fraud, the next time around.
These fraudsters take advantage of weaknesses – things like manual-labor-heavy processes and tired eyes. They know that your vendor onboarding and management processes have holes they can exploit. They also know you’re understaffed and overworked and tired. You’re prone to making mistakes – mistakes that will help them get away with fraud.
My dear,
This is the last letter you’ll receive from me. I’ve enjoyed our courtship, but it’s time to move on.
In the next few days, you’re going to receive calls ☎️ from the vendors I mentioned in my last few notes. They’re going to reach out about the status of their payments 💵.
You, my dear, will have the unfortunate job of confirming that those payments were made. And when you verify the banking info that was input into the supplier portal for your ERP, you will make a shocking 👀 discovery. You’ll sadly find that both payments were made to unverified bank accounts.
It will break your heart 💔, and I just can’t bear to see it.
Nor will I have to. I’ve decided to stay in the Caribbean 🍹 for a while until I figure out my next target.
Just know that I’ve enjoyed our time together and appreciate all you’ve done. I’ll never forget you, and I know you’ll never forget me.
Yours forever,
Your Fraudster
Love ‘em and leave ‘em. All of this is fraud, and all of it is social engineering. Once the bad actors have what they want, they’re in the wind. Usually, it’s too late by the time the vendor desk realizes something is amiss.
The money’s already been sent. The true vendor has already (accidentally) been stiffed. And everybody is out a whole lotta cash.
Vendor onboarding and management processes that are overly reliant on manual tasks wreak havoc on the morale of vendor managers. These folks work tirelessly to keep the organization’s vendor ducks in a row.
The thought that something like this could happen on their watch…well, it’s stressful. It causes headaches, ulcers, and lost sleep. And that kind of psychological impact can drag down an entire organization.
These may not be the type of love letters you were hoping to receive for Valentine’s Day, but they’re exactly the type in store for you without best practices in place to mitigate fraud.
Avoid the unnecessary heartbreak and consider how the following tips might help instead:
Document everything – Make it a part of the process to document the process, including procedures for vendor onboarding and change management, vendor verification, and vetting processes. We have a template for that here.
Note exceptions – Log all of the times the vendor desk is asked to break the process for onboarding suppliers and/or changing vendor information. You can use this template.
Build a compliance framework – If you notice a theme for writing things down, this one is unsurprising. Create a vendor compliance framework that outlines considerations for federal, state and local regulations. You guessed it, grab a template here.
Automate vendor onboarding – Automation can enhance and improve all of the best practices above. Automated vendor verification and vetting eliminate the possibility of human error. And as Debra Richardson points out, while your team is spending all your time on manual tasks, fraudsters get to spend 100% of their time figuring out how to trick you:
Automating onboarding makes things smoother for vendors and the vendor desk, allowing the entire organization to be more strategic. A strategic vendor management operation allows procurement and finance to align with overarching business goals. Automated processes also help guard sensitive information at every touchpoint.
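To make the tips above concrete, here is an added example (not PaymentWorks code, and not a description of its product) of how a vendor desk could screen a banking-change request automatically before anyone edits payment details. It ties together the patterns from the letters: a sender domain that imitates the vendor’s real domain (UniWebHosting.org vs UniWebHosting.com), a sender that imitates your own organization’s domain (yourceo@xyz.corp vs yourceo@xyz.com), a request to “disregard the usual process,” and a bank change that was never confirmed by a callback to the number on file. It logs every out-of-process request, which is the “Note exceptions” tip in working form. The vendor names, domains, phone numbers and account numbers are constructed sample data, and xyz.com is assumed to be your organization’s mail domain.

```python
"""Added example (not PaymentWorks code): screen vendor banking-change requests
against the vendor master before anyone edits payment details.
All vendors, domains, phone numbers and account numbers are constructed samples."""
from dataclasses import dataclass, field
import difflib

INTERNAL_DOMAIN = "xyz.com"  # assumed mail domain of your own organization


@dataclass
class VendorRecord:
    name: str
    email_domain: str     # domain the vendor used when it was onboarded
    bank_account: str     # account verified at onboarding
    callback_phone: str   # number captured at onboarding, never taken from a request


@dataclass
class ChangeRequest:
    claimed_vendor: str
    sender_email: str
    new_bank_account: str
    callback_verified: bool = False   # staff confirmed with the number on file?
    bypass_requested: bool = False    # request asks to skip the documented process?


@dataclass
class ScreeningResult:
    approved: bool
    findings: list = field(default_factory=list)


# The exception log the tips ask for: every out-of-process request lands here.
EXCEPTION_LOG = []


def lookalike_domain(candidate, known, threshold=0.85):
    """True when candidate is not the known domain but could be mistaken for it."""
    candidate, known = candidate.lower(), known.lower()
    if candidate == known:
        return False
    c_label, _, c_tld = candidate.rpartition(".")
    k_label, _, k_tld = known.rpartition(".")
    if c_label == k_label and c_tld != k_tld:      # xyz.corp vs xyz.com
        return True
    # Catch small edits (added hyphen, swapped letter) with a similarity ratio.
    return difflib.SequenceMatcher(None, candidate, known).ratio() >= threshold


def screen_request(req, vendor_master):
    """Approve only when nothing needs a human decision; otherwise list findings."""
    findings = []
    vendor = vendor_master.get(req.claimed_vendor.strip().lower())
    if vendor is None:
        return ScreeningResult(False, ["claimed vendor is not in the vendor master"])
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        if lookalike_domain(sender_domain, vendor.email_domain):
            findings.append(f"sender domain {sender_domain} imitates vendor domain "
                            f"{vendor.email_domain}")
        elif lookalike_domain(sender_domain, INTERNAL_DOMAIN):
            findings.append(f"sender domain {sender_domain} imitates internal domain "
                            f"{INTERNAL_DOMAIN}")
        else:
            findings.append(f"sender domain {sender_domain} is not the vendor's domain on file")
    if req.bypass_requested:
        EXCEPTION_LOG.append((req.claimed_vendor, req.sender_email,
                              "asked to skip documented change process"))
        findings.append("request asks to bypass the documented change process (logged as exception)")
    if req.new_bank_account != vendor.bank_account and not req.callback_verified:
        findings.append(f"bank change not confirmed by callback to {vendor.callback_phone}")
    return ScreeningResult(approved=not findings, findings=findings)


# Constructed vendor master (sample data only).
VENDOR_MASTER = {
    "uni web hosting": VendorRecord("Uni Web Hosting", "uniwebhosting.com",
                                    "000111222", "+1-555-0100"),
    "fresh cutz paper suppliers": VendorRecord("Fresh Cutz Paper Suppliers",
                                               "freshcutzpaper.example",
                                               "000333444", "+1-555-0101"),
}

if __name__ == "__main__":
    samples = [
        ChangeRequest("Uni Web Hosting", "ap@uniwebhosting.com", "999888777",
                      callback_verified=True),
        ChangeRequest("Uni Web Hosting", "billing@uniwebhosting.org", "999888777"),
        ChangeRequest("Fresh Cutz Paper Suppliers", "yourceo@xyz.corp",
                      "81928398729048", bypass_requested=True),
    ]
    for req in samples:
        result = screen_request(req, VENDOR_MASTER)
        print(req.sender_email, "->", "APPROVED" if result.approved else result.findings)
    print("exceptions logged:", EXCEPTION_LOG)
```

The design choice worth noting is that the callback number comes from the vendor record captured at onboarding, never from the request itself, and that a bypass request is never silently honored or silently refused: it is logged and routed to a person, which is what turns a culture of “just this once” into a record you can review.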
Vendor onboarding and management is a critical function. It should make your heart skip a beat, but not because you’re living in fear of social engineering scams. The right combination of best practices and automation can ensure that your vendor relationships are as reliable and secure as a well-matched Valentine, leaving you confident to enjoy the sweeter aspects of your business partnerships.
Good news! The Vendor Management Appreciation Day (VMAD) celebration continues in 2024. It’s our way of creating one giant love letter to our favorite people: vendor managers!
Why? Because we know it’s one of the most critical, under-recognized roles across industries.
VMAD is a brand-new holiday geared toward unifying vendor management professionals and celebrating innovation in the field.
We’ve released gifts each month to help you supercharge your vendor management efforts. We’re also planning some awesome events so everyone can connect and celebrate the important, strategic role of vendor management.
Learn more here, and grab some free vendor management goodies.
Explore our blogs below. They’re filled with action items you can implement right away.
How to Prevent Social Engineering: 3 Common Scams Fraudsters Use to Trick Your Employees
Top Three Takeaways: Social Engineering Fraud and Your Vendor Master – Managing the Risk
Social Engineering Fraud Never Sleeps: 3 Ways to Prevent It
Vendor Verification: How NOT to Do it and What to Do Instead
We’d love to walk through your process with you and talk about security, compliance, efficiency and sleeping better at night.
© Copyright 2024 - PaymentWorks