Supplier Changes Open The Door For Impostors

Vendor impersonation fraud is on the rise. Here's how finance can defend against it.

The disruption in supply chains and parts sourcing caused by new U.S. tariffs couldn’t have come at a better time for fraudsters. The scramble to avoid paying tariffs by switching suppliers or buying goods from countries not impacted by tariffs is particularly welcome to them. That’s because scammers are increasingly using vendor impersonation to trick accounts payable (AP) departments.

Vendor impostors trick organizations into redirecting payments to fraudulent bank accounts via fake invoices, urgent payment requests or, in an increasingly popular tactic, a request to change supplier banking details. In recent payment fraud surveys, the Association for Financial Professionals and The Institute of Financial Operations and Leadership found finance executives reporting increased instances of impersonation fraud last year.

How is that connected to Trump’s tariffs? To avoid the hefty trade levies, companies may source goods from alternative suppliers or shift purchases to a U.S. unit of a multinational supplier. Alternatively, they may alter their supplier relationships in other ways. For the AP team, these changes can lead to email exchanges with a new supplier to obtain new bank account numbers or other information necessary for an ACH or wire payment.

It’s easy for scammers to step into the middle of all that by, for example, gaining control of the vendor’s email account and substituting the scammer’s banking information.

Technology Solutions

Process controls are vital to prevent all this. However, technology can also reduce the chances of being a victim:

  • Payment portals. AP products from Tipalti, Bill and others feature secure portals for processing payments. The supplier/vendor is responsible for entering their bank information; the customer’s AP team can’t edit it. The experience of CFOs, though, is that not every supplier wants to, or can, be paid this way.
  • AI spotting. AI may be an effective weapon against vendor impersonation because it can look for anomalies or patterns a human might not detect, says Louise Graham, COO and Head of Institute for IFOL. A slightly off supplier email address or near-duplicate invoice may slip by a human but not an AI system trained to spot irregularities. “Technology can pick up anomalies and say, ‘This looks a bit strange; do you think it’s correct?'” says Graham.
  • Supplier master data. Keeping the supplier master data file updated is critical. Graham says many organizations fail to recognize the importance of the data file and why updating it more frequently than annually is necessary to prevent fraud. “The supplier data is the gateway to your bank account,” says Graham. “Once a CFO starts discussing [supplier master data] in those terms, junior people realize it’s very important.”

Tightening Controls

Graham recommends that finance adopt three other controls.

  • “No purchase order, no pay.” All purchase orders should be generated from the AP system. A scammer who submits a fake purchase order won’t know the system’s order numbering scheme, for one. And the AP team won’t be able to match an invoice to the PO.
  • Change auditing. A report on any changes to vendor banking information is generated daily and reviewed by someone who doesn’t make bank account changes.
  • Pick up the phone. Validating information over the phone, by calling an independently obtained phone number for a supplier, is perhaps the best way to verify bank account changes or check new ACH or wire instructions.

Yes, a phone call. “The phone call is a really small human interaction that can make a big impact,” Graham says. “It’s surprising how many finance teams don’t do it.”
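
The daily change report and the "slightly off supplier email address" check described above, sketched as an added example (it is not from the article or from any AP product). The record layout, vendor IDs, user names, field names and the 0.85 similarity threshold are assumptions, and all data is constructed.

```python
from datetime import date
from difflib import SequenceMatcher

# Constructed sample data: supplier master file (domain on file) and a change log.
MASTER = {"V100": "acme-metals.com", "V200": "northwind-parts.com"}
CHANGES = [
    {"vendor": "V100", "field": "bank_account", "changed_by": "alice",
     "requester": "billing@acme-rnetals.com", "day": date(2025, 5, 15)},
    {"vendor": "V200", "field": "bank_account", "changed_by": "bob",
     "requester": "ar@northwind-parts.com", "day": date(2025, 5, 15)},
    {"vendor": "V200", "field": "phone", "changed_by": "bob",
     "requester": "ar@northwind-parts.com", "day": date(2025, 5, 15)},
    {"vendor": "V100", "field": "bank_account", "changed_by": "alice",
     "requester": "billing@acme-metals.com", "day": date(2025, 5, 14)},
]
BANK_FIELDS = {"bank_account", "routing_number", "iban"}  # assumed field names


def domain_status(requester, domain_on_file, threshold=0.85):
    """Compare the requester's email domain with the domain in the master file."""
    domain = requester.rsplit("@", 1)[-1].lower()
    on_file = domain_on_file.lower()
    if domain == on_file:
        return "match"
    # Near-identical but not equal is the "slightly off" case (rn vs m, etc.).
    ratio = SequenceMatcher(None, domain, on_file).ratio()
    return "lookalike" if ratio >= threshold else "unknown"


def daily_report(changes, master, day, reviewer):
    """List bank-detail changes made on `day` for an independent reviewer."""
    bank_changes = [c for c in changes if c["field"] in BANK_FIELDS]
    # Control from the article: the reviewer must not make bank account changes.
    if reviewer in {c["changed_by"] for c in bank_changes}:
        raise ValueError(f"{reviewer} makes bank account changes; pick another reviewer")
    report = []
    for c in bank_changes:
        if c["day"] != day:
            continue
        status = domain_status(c["requester"], master[c["vendor"]])
        # Anything other than an exact domain match goes to the top of the pile.
        report.append({**c, "domain": status, "escalate": status != "match"})
    return report


if __name__ == "__main__":
    for row in daily_report(CHANGES, MASTER, date(2025, 5, 15), reviewer="carol"):
        print(row["vendor"], row["changed_by"], row["requester"], row["domain"])
```

An exact domain match does not clear a change, because a request sent from a compromised vendor mailbox also matches; every row in the report still needs the phone callback.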

This article first appeared in the May 16 issue of CFO Leadership’s Finance & Accounting Technology Briefing.

