In the past couple of months, several of our clients have contacted us to let us know that they have become the victims of external fraud schemes, often involving vendor personnel. External fraud by individuals or groups within vendors, or posing as vendors, is a common and increasing problem for many organizations, but there is a way to fight back and prevent losses from happening to you.

Two Real-Life Occurrences

One of the schemes involved the perpetrator obtaining checks written to pay a vendor and then editing and repurposing them to attempt to pay someone other than the original, approved payee.

The other scheme involved the perpetrator contacting our client and asking them to change the ACH payment information in their file to route the payments to a different bank account.

In the first case, the client had strong controls in place, which detected the attempted fraud prior to it being accomplished, and the client did not incur any loss. In the other case, the client’s controls did not detect or prevent the fraud from happening, and the client incurred considerable loss prior to it being detected.

Three Ways to Prevent Vendor Fraud

First, changes to vendor banking information for electronic payments should always be verified and approved before any disbursements are made. In the case of the second example, the “vendor” contacted the client, asking them to change bank account information for these types of payments. The employee at the client should have reached out to the approved vendor contact person as per the client’s records and confirmed the changes. If this step had been followed, the vendor would have informed the client that those changes were not valid, and the fraud would have been averted.

Second, changes to vendor information should be periodically reviewed by an appropriate person at your organization who is not involved in the disbursement process. The primary reason for this is to prevent internal frauds from occurring, but it is also effective at detecting collaboration between your employees and the fraudsters. Critical items to look for are (1) changes to vendor addresses without supporting documentation, such as a W-9 form obtained from the vendor or verification of the information using the website; (2) changes to vendor bank account information without documentation of the confirmation process described in the above paragraph; and (3) vendor information that matches employee information.
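
The three review items above can be run as a script over an export of vendor changes. This is an added example, not part of the original article; the record layout, field names and sample data are constructed assumptions, and it counts a bank change as confirmed only when the confirmation names the approved contact already on record.

```python
import re

# Constructed sample data; all field names and values are hypothetical.
VENDORS = [
    {"vendor_id": "V100", "approved_contact": "Dana Reyes", "address": "12 Mill Rd", "bank_account": "111000025-0001234"},
    {"vendor_id": "V200", "approved_contact": "Lee Chan", "address": "88 Harbor St", "bank_account": "222000111-0099887"},
    {"vendor_id": "V300", "approved_contact": "Sam Ortiz", "address": "5 Elm Court", "bank_account": "333000222-0055555"},
]
EMPLOYEES = [{"employee_id": "E7", "address": "88 harbor st.", "bank_account": "999000999-0000001"}]
CHANGES = [
    {"vendor_id": "V100", "field": "bank_account", "confirmed_with": "Dana Reyes"},
    {"vendor_id": "V200", "field": "address", "supporting_doc": None},
    {"vendor_id": "V300", "field": "bank_account", "confirmed_with": "caller on request"},
    {"vendor_id": "V300", "field": "address", "supporting_doc": "W-9"},
]

def norm(value):
    """Lower-case and drop punctuation and spaces so near-identical values compare equal."""
    return re.sub(r"[^a-z0-9]", "", (value or "").lower())

def review_vendor_changes(changes, vendors, employees):
    """Return (vendor_id, finding) pairs for the three review items."""
    contact = {v["vendor_id"]: v["approved_contact"] for v in vendors}
    findings = []
    for c in changes:
        vid = c["vendor_id"]
        # Item 1: address change with no supporting document on file.
        if c["field"] == "address" and not c.get("supporting_doc"):
            findings.append((vid, "address change without vendor documentation"))
        # Item 2: bank change not confirmed with the contact already on record.
        confirmed = norm(c.get("confirmed_with"))
        if c["field"] == "bank_account" and (not confirmed or confirmed != norm(contact.get(vid))):
            findings.append((vid, "bank change not confirmed with approved contact"))
    # Item 3: vendor master data that matches employee data.
    emp = {(k, norm(e[k])): e["employee_id"]
           for e in employees for k in ("address", "bank_account") if norm(e.get(k))}
    for v in vendors:
        for k in ("address", "bank_account"):
            if (k, norm(v.get(k))) in emp:
                findings.append((v["vendor_id"], f"{k} matches employee {emp[(k, norm(v.get(k)))]}"))
    return findings

if __name__ == "__main__":
    for vendor_id, finding in review_vendor_changes(CHANGES, VENDORS, EMPLOYEES):
        print(vendor_id, finding)
```
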

Third, setting up payment controls at your bank, such as positive pay, to ensure that only pre-approved payments are processed will prevent frauds from occurring in the event the controls leading up to the payment have failed.

NOTE: This will only work if the person processing your disbursements does not also have access to edit vendor information or have authority to sign checks or process electronic payments.

Segregation of duties is always the best internal control. However, if everything else is properly in place, positive pay will prevent external actors from editing checks and collecting payments from the bank based on those fraudulent edits.

Closing Thoughts

These are just a few control activities your organization can take to safeguard assets and prevent vendor frauds. Of course, there are several other controls and actions an organization can take, but the key things to remember are:

  • Set the tone with your vendors that fraud will not be tolerated.
  • Train your personnel to be aware of the signs and targets of fraudsters.
  • Keep your internal control processes confidential to your organization—broadcasting them gives the fraudsters a roadmap to circumvent your controls.

Unfortunately, fraudsters will always be a threat to your organization’s assets. But by paying attention to the details and not letting your guard down, you can be much more prepared for them and protect your organization more effectively.

If you need help tightening your internal controls against vendor fraud, contact us today! 
