Fraudsters Love Your Company Culture. Here’s How to Fix It (and Stop Fraud) With Vendor Onboarding Best Practices
Find out why your culture might be a magnet for fraud
Find out why your culture might be a magnet for fraud
Company culture isn’t just about team-building exercises and happy hour Fridays. In fact, culture is intrinsically tied to vendor onboarding best practices. It’s the backbone of how your organization operates—and, more importantly, how vulnerable it is to fraud. When senior management starts bending the rules, and everyone else follows suit, you’re practically begging for trouble. We’re talking vendor impersonation, deepfake fraud, CEO fraud, and business email compromise (BEC) here, folks.
Let’s dive into how this kind of culture takes root, the specific risks it brings, some illustrative horror stories, and strategic measures you can take to lock it down and keep your organization safe. Ready to shore up your defenses? Let’s get to it.
Understanding the Culture of Exceptions
The Risks of a Culture Prone to Exceptions (aka Not Following Vendor Onboarding Best Practices)
— Business email compromise (BEC)
Vendor Onboarding Best Practices to Fix the Culture and Mitigate Fraud
— Establishing robust processes
Using Technology as a Vendor Onboarding Best Practice to Strengthen Company Culture and Combat Fraud
Get Ready for Vendor Management Appreciation Day 2024
Want Help Aligning Teams On Vendor Onboarding Best Practices?
Interested in Regular Tips On Vendor Onboarding Best Practices?
Want Personalized Guidance On Vendor Onboarding Best Practices?
Let’s talk about a little dirty secret in the world of vendor management: the culture of exceptions. You know, that sneaky habit of bypassing established protocols because someone with a fancy title said it was urgent. Spoiler alert: it’s a recipe for disaster.
What does this culture look like?
Picture this: you have vendor onboarding best practices written down, but sometimes, the higher-ups ask you to make an exception and circumvent your process. And every time a VIP asks for a shortcut, the process gets a little sloppier. It’s justified by urgency or the stature of the person making the request. No one wants to be the one who tells the boss “no,” especially when they’re breathing down your neck about a deadline.
When C-suite executives or senior managers frequently ask for exceptions to the vendor onboarding process, it sends a clear message across the organization: the rules are not absolute. When you start making exceptions, the integrity of your entire process begins to crumble. Here’s what happens:
Let’s dive into a real-life cautionary tale from “BigPubU,” a well-established public university that learned the hard way why bending the rules is a terrible idea.
One summer, the CFO, Mr. Thompson, was under pressure to complete an infrastructure upgrade before the new academic year. When “EduProSoft” was identified as a crucial software vendor, Mr. Thompson personally pushed for their onboarding to be expedited.
Due to his authority and the ticking clock, the vendor desk complied without the usual checks. The software was implemented on time, and the payment of $500,000 went through like a breeze. Mr. Thompson’s belief in bending the rules for efficiency was reinforced.
Emboldened by the previous success, shortcuts became the norm at BigPubU’s vendor desk. Months later, another urgent request came through, this time for an online learning platform, “LearnQuick.” The vendor desk received an email from what seemed to be Mr. Thompson’s official address, instructing them to expedite payment. Spoiler: the email wasn’t from Mr. Thompson but from a fraudster executing a business email compromise (BEC) attack.
Since the team was conditioned to prioritize speed over security, the vendor desk processed the payment of $1.7 million to an overseas account without the usual checks. When the real Mr. Thompson later inquired about an unrelated budget issue, the fraud was uncovered. By then, the $1.7 million was long gone.
The fallout was brutal. BigPubU faced not just financial loss but also significant reputational damage when the news broke. An internal investigation revealed that the culture of making exceptions had eroded essential checks and balances, making the university vulnerable to such sophisticated (and perhaps not so sophisticated) frauds.
BigPubU took immediate steps to overhaul its vendor management processes:
This painful lesson was a turning point for BigPubU, highlighting the dangers of prioritizing convenience over due diligence. It underscored the need for a balance between efficiency and security, ensuring that efforts to streamline operations do not open doors to cyber criminals.
In an organizational environment where bending the rules becomes the norm, especially when higher-ups “say so,” it opens the door wide for fraudulent activities. Now, let’s look at the direct correlation between a company culture that embraces exceptions to a process and just how much it heightens the possibility of fraud.
Here’s the thing: not only does this type of culture undermine established protocols – but it also makes the organization a prime target for sophisticated fraud schemes like vendor impersonation, deepfake fraud, CEO fraud, and business email compromise. You have to know and understand these risks to truly get a sense of the havoc an unchecked culture of exceptions can wreak on your organization. And if you think fraud is on the decline, listen to what Chris Arehart of Chubb has to say on the matter (spoiler alert: it’s not):
Fraudsters pose as new or existing vendors, sending fraudulent invoices or changing payment details to divert funds. These attacks often begin with spear-phishing or social engineering tactics aimed at obtaining confidential information.
For example, a company might routinely bypass standard vendor verification under pressure to expedite processes. A fraudster, posing as a new vendor, sends an email to the finance department with a request to update banking information. Believing the request to be urgent and genuine, and without verifying through a secondary communication channel, the payment is processed to the new account, resulting in substantial financial loss.
Criminals utilize AI-generated audio or video clips to impersonate executives requesting urgent wire transfers or confidential data. These are particularly convincing and exploit the trust within an organization.
Imagine this: The vendor desk receives a video call that appears to be from the CFO, who is traveling. The video, sophisticatedly crafted using deepfake technology, shows the CFO urgently requesting a fund transfer to a vendor. The vendor desk, aware that the CFO often asks for quick financial decisions, complies without double-checking the request through secure channels, leading to funds being transferred to a fraudulent account.
Attackers pose as the CEO or another top executive to pressure employees into transferring funds or sensitive information. This type of fraud leverages the authority of high-ranking officials to bypass controls.
In this instance, the company culture allows for exceptions when senior executives send direct requests. A fraudster sends a convincing email from what seems to be the CEO’s personal email, urgently requesting a wire transfer to pay for a discreet consultant fee. The email bypasses usual scrutiny because of the supposed sender’s high status, and the transaction is approved without the usual checks.
BEC attacks involve hijacking business emails to request payments or data. These attacks have become increasingly sophisticated, leveraging detailed research and social engineering to appear legitimate.
Scenario: A finance manager receives an email from what looks like a regular supplier requesting immediate payment for an invoice to avoid delivery delays. What the manager doesn’t know is that the supplier’s email address has been hacked. The manager approves the payment, resulting in financial loss to a fraudster’s account.
These scenarios underline the importance of maintaining strict controls and verifying all requests, regardless of the apparent urgency or source. They highlight how a culture that allows for shortcuts or bypasses established protocols can significantly amplify the risk of falling victim to sophisticated fraud schemes.
So, how do you transition from a culture susceptible to fraud to one fortified against it? It’s time for a strategic overhaul. Next, we’ll outline actionable strategies to help reshape your culture and significantly cut down the risk of fraud.
We’ll also highlight the potential financial losses tied to lax procedures and showcase how to champion a culture of compliance and vigilance. This part of the article will serve as a blueprint for creating a secure, fraud-resistant environment within your organization.
A crucial first step is to create a transparent record whenever exceptions are requested. Documentation should include who requested the exception, the reason, and any approvals. This not only creates a trail for auditing purposes but also helps identify patterns or repeated requests that could signify underlying problems.
Developing and strictly enforcing documented vendor onboarding best practices that include clear roles, responsibilities, and contingencies is essential. Every member of the organization, especially those at the top, should understand and commit to these processes to maintain the integrity of operations.
Christopher Arehart of Chubb offers three things you can do right now to make sure you’re covered:
Getting buy-in from the upper echelons of management is perhaps the most challenging yet vital step. Demonstrating the potential financial and reputational risks associated with a lax culture can be compelling. Leaders should be shown data on recent fraud cases, including the significant losses incurred through BEC and other scams, which could have been mitigated by adhering to stricter controls.
While company culture significantly influences vulnerability to fraud, it can also be harnessed to protect against it. By fostering an environment of compliance and vigilance, backed by strong leadership and advanced technology, financial institutions can not only reduce their risk of fraud but also enhance their overall operational resilience. Embracing this new data paradigm and moving away from outdated models is not just an upgrade; it’s a necessity for survival and success in the digital age.
Technology and culture may not seem related, but the former can underpin the latter. How? When it comes to fraud prevention, automated solutions can streamline operations and drastically cut human error from manual intervention. In that regard, technology itself is a vendor onboarding best practice.
Automated systems perform consistency checks and validations that human processors might miss, reducing the risk of errors that could lead to fraud. Subsequently, they reduce vulnerabilities. Automating the vendor onboarding process can also foster a culture of compliance and vigilance.
Modern technological solutions, such as automated vendor onboarding platforms, offer advanced capabilities in detecting and preventing fraud. With less sleep lost over mounting risks, the organization’s culture can be transformed from one that is reactive in the face of fraud to one that is proactive and resilient.
Automated platforms also help standardize processes. These platforms enforce uniform procedures for verifying and storing vendor information. In this way, they ensure that all actions are compliant with company policies, reducing the likelihood of fraudulent activities slipping through the cracks caused by inconsistent processes.
Debra Richardson of Debra Richardson LLC puts it nicely below:
Here are a few ways this combats specific fraud types:
Some advanced vendor management platforms (including PaymentWorks) now offer indemnification against specific types of fraud, such as vendor impersonation. This not only provides a financial safety net but also demonstrates a strong commitment to security, reinforcing a culture of trust and safety.
Knowing that the platform provider shares in the risk encourages rigorous adherence to security protocols and fosters a culture of collective responsibility. Incorporating these technologies helps build a company culture that prioritizes data integrity, process standardization, and proactive fraud prevention.
Each technological tool not only addresses specific vulnerabilities but also contributes to a holistic environment where fraud is systematically deterred. The transition from manual processes to a technology-driven approach means organizations can protect themselves from the financial repercussions of fraud while also cultivating a workplace that values vigilance and innovation in safeguarding operations.
Curious about how we can help with the transition? Let’s chat.
Speaking of vendor onboarding best practices, will you be partying with us for Vendor Management Appreciation Day (VMAD) 2024? We highly encourage you to join us!
Why? Because there’s no expiration date on honoring one of the most important, under-recognized roles across industries: vendor management.
Join us in observing Vendor Management Appreciation Day (VMAD)! We’re gearing up for the 2024 celebration, and we want you to be a part of it!
VMAD is a new holiday geared toward unifying vendor management professionals and celebrating innovation in the field.
Moreover, we’ve released gifts each month to help you supercharge your vendor management efforts. Additionally, we’re planning some awesome events so everyone can connect and celebrate the important, strategic role of vendor management.
In the meantime, learn more here, and grab some free vendor management goodies.
Explore our blogs below. They’re filled with action items you can implement right away.
The New Face of Vendor Fraud Cases
5 Things to Know About Vendor Onboarding Software
Three Things Going Wrong With Your Vendor Onboarding Process
Vendor Verification: How NOT to Do it and What to Do Instead
We’d love to walk through your process with you and talk about security, compliance, efficiency and sleeping better at night.