Vendor Fraud: How to Identify and Prevent It

Despite the conveniences going digital has brought, the more commerce and professional operations take place online, the more opportunities fraudsters have to do harm.

Today, 68% of companies around the world are concerned about fraud originating from suppliers, vendors and business partners – to the point of ranking it as a high or significant priority issue for their risk teams, according to Coupa.

Indeed, vendor fraud is on the rise, and especially so in the online world. Let’s look into its indicators, types and prevention.

What Is Vendor Fraud?

The term vendor fraud describes fraudulent activity by a vendor, or someone pretending to be a vendor, that targets a business. It almost always relates to convincing the victim to make improper payments of some description – as a result of invoice manipulation, extortion or check-tampering, among others.

Vendor fraud seeks to extract money from the target company but it can also be a way to obtain sensitive information or even commit sabotage.

Supplier fraud, billing schemes, fake vendor scams, and all other vendor misconduct and misrepresentation constitute types of B2B fraud, as they threaten businesses and are perpetrated by other companies, be they legitimate or not.

How Does Vendor Fraud Work?

Vendors and fake vendors can use many different methods to scam a company into paying them money they are not owed. Typically, however, this involves four steps:

1. Recon and opportunity: The attacker company – real or fake – identifies a target and scheme. Sometimes, this is about finding a gap in the defenses in an existing relationship: The fraudster may already know the system and workflows as an employee or existing partner of the target.
2. Setup, tools and software: The attacker sets up any tools or props they will need. For example, invoicing software, fake email accounts that appear legitimate, or an image manipulation program to amend legitimate bank checks. They may even contact someone on the inside to try to pay them off, or collude in other ways.
3. Unleashing the attack: The fraudster, posing as a trustworthy vendor, unleashes their attack, which can involve pretending they are someone else, delivering manipulated or fake invoices, overbilling, etc. Often, this may be accompanied by techniques similar to those used in social engineering attacks, to increase the likelihood of success – such as creating sense of urgency to pay.
4. Outcome and next steps: The scheme may prove successful, in which case the fraudster may attempt it again elsewhere. Moreover, this will show them this company’s defenses are not up to par, so they are likely to attack it again, or share this intel with other criminals. In case the attempted fraud failed, the fraudster may try again, perhaps amending their modus operandi.

Sometimes, vendor fraud can be opportunistic, when an existing vendor whose moral standards may be questionable identifies a chance to scam the company – and takes it.

In other cases, however, these schemes can be the result of weeks or even months’ worth of planning.

Who Does Vendor Fraud Impact?

Vendor fraud can affect any company, as they all deal with suppliers, to some extent. SMEs have a lot to lose to vendor fraud, but schemes equally target every organization, including some of the biggest names in tech.

A case in point comes from March of 2019, when a Lithuanian man pleaded guilty to wire fraud against both Facebook and Google. Evaldas Rimasauskas posed as a representative of a Taiwan-based hardware company that was owed money from the two business leaders. The scam had made him and his associates more than $100 million.

Accounts payable is almost always the department targeted by vendor fraud. Procurement is also high risk. Employees with these two specializations are the most likely to commit vendor fraud as well, out of every member of staff, because they have the most opportunity.

Of course, a company that procures goods and services on a more regular basis may be more open to it, due to dealing with vendors more often. However, vendor fraud is a particular pain point for small to medium-sized firms, for two reasons in particular:

• This type of company is less likely to have in place thorough fraud prevention policies and strategies compared to an enterprise.
• Due to the size of each business, SMEs’ bottom lines are more likely to be significantly affected if they fall victim, while enterprises can typically absorb their losses.

Frequent targets depend on the subtype of vendor fraud as well. For instance, billing fraud is the type of vendor fraud that most commonly affects small businesses, at 29% according to GrowthForce.

That said, the main reason the average enterprise may feel less of an impact is that they are more likely to have mitigation in place as part of their fraud risk assessment strategy. 

A fraud-conscious larger organization may have even trained their staff on vendor fraud detection and mitigation specifically, considering enterprises tend to have in place structured training and development.

Types of Vendor Fraud

Vendor fraud can take on several guises, because as a term it simply refers to who is attacking a business, rather than how. When it comes to common types, there are plenty to consider:

• Billing fraud: All deceitful activity linked to falsified sums or payments, including overbilling and false vendors.
• Invoice fraud: The submission and deliberate approval of fake or doctored invoices fall under this category.
• Fake vendor fraud: Every time vendor fraud involves a fake, non-existent company, we can categorize it as fake vendor fraud. Often, these are set up internally, but external actors can present themselves as legitimate vendors, too.
• Vendor email compromise (VEC): When someone takes over the email account of a legitimate vendor and poses as them, asking the companies they work with to send payments to a new account – the fraudster’s own.
• Kickbacks and bribes: Whenever an employee is bribed by an external party to assist in vendor fraud, at the procurement or accounts payable level.
• Price fixing: The practice of having two or more vendors agree on the market price for a product or service is illegal under competition law and a form of vendor fraud.
• Bid rigging: Affecting procurement, this is when two ostensible competitors collude to manipulate their bids for a contract. As a result, the purchasing company may end up paying significantly more than the market price to either vendor.
• Check tampering: A check may be forged, tampered or intercepted by an employee or external fraudster, in an attempt to have the company pay into a fraudster’s bank drop account instead of a legitimate supplier’s.
• False certifications: A fake or otherwise legitimate vendor may falsify their certification (e.g. ISO certificates) in order to land a contract they do not qualify for. “False certificates” in vendor fraud could also be referring to falsified website certificates put in place to make a vendor appear legitimate when they’re not.
• False payments: An employee may create a fake entry for a vendor to instead send the funds to an account they themselves own, thus embezzling the company.
• Short and long firm fraud: These two rely on supplier credit. A fraudulent business will start a seemingly legitimate relationship with another for long enough to build up trust, before they attempt supplier fraud. 
• Insider threats: As seen above, vendor fraud can also be committed by employees who work at the target company, either on their own or in collaboration with external actors. For example, an insider threat may set up duplicate payments – where they appear to pay a legitimate vendor, but the second payment goes to their own account. 
• Electronic vendor fraud: All vendor fraud that is enabled by digital systems, or has to do with electronic payments, is classed as electronic vendor fraud. In the US, GFOA published an electronic vendor fraud advisory to protect authorities from falling victim to electronic payment fraud, describing how fraudsters utilize fake documentation for electronic vendor payment deposits.
• Wire fraud: All vendor fraud committed online or over the phone, or enabled by online payments, is classed as wire fraud in the United States – a felony. Criminals caught committing vendor fraud are subject to wire fraud penalties, of up to $1,000,000 and 30 years in prison if the scheme is deemed to be major.

Naturally, any given case of vendor fraud can belong to more than one of the above categories. For example, an employee who sets up a fake company to file a falsified invoice is committing invoice fraud, and is simultaneously a fake vendor and an insider threat. 

Indicators and Warning Signs for Vendor Fraud

Red flags for vendor fraud that will allow you to identify and thwart it before it harms your company involve deviations from guidelines and workflows normally observed by accounts payable and procurement, as well as suspicious staff conduct:

• unusual payment patterns for vendors
• unexpected changes in behavior of staff or vendors
• a non-typical sense of urgency to take action in communications
• sudden changes in key vendor information without prior notice (e.g. bank accounts)
• goods or services delivered without a purchase order (PO)
• retainers that lack supporting documentation
• a sudden increase in the rate of mistakes an employee makes 
• most indicators of insider fraud, including employees frequently working late and becoming untypically secretive about their work 

Vendor Fraud Prevention and Mitigation 

To protect from vendor fraud, companies ought to look into identifying unusual behavior coming from vendors and employees, as well as unusual payment patterns. Staff should be encouraged to observe guidelines and best practices, as well as enabled to blow the whistle on suspicious activity.

Do your due diligence on your partners. Know your business (KYB) verification for new vendors can help ensure they are who they claim to be. These background checks can take on many forms, such as OSINT tools that conduct digital footprint analysis for new contacts. 

SEON’s data enrichment module, which you can try below, will give you in-depth insight into any email address or phone number, to help you gauge the real identity – and intentions – of their owner:

Pick up the phone and contact the vendor themselves, using a known phone number, to confirm any important changes to their records they may request over email. This will thwart the ambitions of any fraudsters who took over or spoofed your vendors’ email accounts. 

Implement 3-way or 4-way invoice matching to decrease the risk of oversight. Employees in accounts payable ought to compare supplier invoices to separately received documents, such as POs, internal records or goods received notes.

Deploy sophisticated vendor management and accounting software, which could alert you to any suspicious activity – e.g. when payment details don’t match previously verified payments for that vendor.

Put in place multi-level approvals for large payments. In high-risk industries and organizations, an efficient measure could be requiring the approval of more than one or two people, to minimize the risk of insider vendor fraud.

Conduct frequent audits, including tracking invoice activity, testing for duplicate payments and other strict internal controls. 

Ensure your employees know the risks by signing them up for fraud prevention training and distributing awareness material.

Learn from past incidents to become more resilient. Some types of fraud investigation software will allow for internal investigations and learnings from them, too – so they can assist in cases of external collusion with employees. 

Set up a fraud hotline available for your employees to tip you off about any signs of internal threats as well as to access support in dealing with external vendor fraud.

Finally, keep on top of sector fraud trends. By being aware of new vendor fraud and other fraudulent schemes attacking your industry, you will be able to prevent losses, rather than having to mitigate the consequences. 

FAQ

Sources

• Coupa: 6 Vendor Fraud Prevention Tips
• GrowthForce: How To Prevent Billing Fraud
• GFOA: Electronic Vendor Fraud
• NPR: Man Pleads Guilty To Phishing Scheme That Fleeced Facebook, Google Of $100 Million