The following is a contributed piece from Angela Anastasakis, senior vice president of operations and customer success at Nvoicepay. Opinions expressed are author's own.
The pandemic-driven rush to use automated clearing house (ACH) systems to pay suppliers helped drive an expansive leap in the digitization of business payments, but it came at a cost: in many cases, accounts payable departments didn't have time to secure remote networks adequately or to create protocols that ensure the secure handling of supplier bank account information.
Now that the dust has settled, it's up to CFOs and their AP teams to ensure these safety measures are implemented, starting with the secure handling of data.
ACH fraud, on the rise even before the pandemic, shot up further last summer, with 90% of internal and external fraud examiners reporting an increase in all types of cyber fraud, the Association of Certified Fraud Examiners found.
Bank account update requests are the most common way to perpetrate ACH fraud. According to data from Nvoicepay, where I oversee operations and customer success, these requests are common: suppliers tend to change bank accounts every four years. Most are legitimate, but your AP team should stand guard against what fraud examiners call vendor email compromise (VEC) attacks.
In this type of attack, bad actors hack into supplier systems, monitor invoice flow, identify a potential weak spot among the supplier's customers, then reach out to someone in accounts payable to request a bank account update. They often time their request just ahead of a large payment. If successful, they route the payment to an account they've set up, only to close it once they receive the funds.
Unfortunately, this is more common than you might think. In our own recent experience, a client requested an urgent bank account update for a vendor they were about to pay. When we ran the new information through our validation process, we discovered the new bank account was fraudulent.
AP teams tend to be vigilant when they receive requests to change banking information. But vigilance in handling bank account data securely is needed from the moment they collect it from the vendor. If this data is intercepted, it gives fraudsters fuel to make their schemes more credible. IT departments need to secure company networks and environments, and finance departments need to implement stringent, repeatable processes for collecting, validating, and storing the information.
Here are some thoughts on how to do that.
Collecting the data
Start by identifying the information you need to store. In addition to routing and account numbers and other remittance information, you might want to add security questions or other unique identifying information.
This information should never be transmitted by email, which is unsafe. It's shocking how open people are with what they share by email. There's a lot of naivete around business email compromise, or BEC. The FBI documented more than $26 billion in losses from BEC between June 2016 and July 2019. And last year, BEC schemes were the most common type of fraud attack, with 75% of organizations experiencing an attack and 54% reporting financial losses, according to an Association for Financial Professionals (AFP) report.
With such attacks on the rise, banking data should be sent using a secure portal or encrypted email. It's tempting—especially at the beginning of a new supplier relationship—to want to extend trust and make payments for them fast and easy. Don't do it. Safety comes first. Make it clear to your supplier that you're doing this to protect their company and yours. They should understand and appreciate that. It's a red flag if you encounter pushback on that request. While it's uncommon for vendor email compromise (a subset of BEC) to occur during initial onboarding, requests to make exceptions to processes (especially if combined with a sense of urgency) are hallmarks of phishing or fraud attempts. Make sure your team is well trained, so alarm bells go off in that scenario.
It's not just during the supplier enablement process that this information needs to be protected. Suppliers routinely send invoices that include bank routing and account information by email. Again, this is well-intentioned—the aim is to make it easier for the customer to pay them—but it's also risky. Using a secure portal is the best solution.
When accepting sensitive information over the phone, be sure to have phone validation procedures in place to ensure the person you're talking to is an authorized representative of the supplier.
Validating and securing
When you're setting up a relationship with the supplier for the first time, AP should work with procurement to validate all the contract information. They might also want to use a third-party tool or service provider that connects into banking networks to validate and authenticate account identity and ownership. There are many such tools on the market.
If you're switching an existing supplier from check to ACH, you may already have some visibility into their banking data, which gives you another way to cross-check their information before making changes.
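The validation steps above (treat email and urgency as red flags, watch for changes timed just ahead of a large payment, and verify by phone with a contact you already trust) can be encoded as a review rule that AP runs on every bank-account change request. This is an added example, not Nvoicepay's process or tooling; the vendor record, change request fields, payment threshold and ABA check-digit sanity test are my assumptions, and the sample vendor and request are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class VendorRecord:            # what AP already holds for the supplier (assumed fields)
    vendor_id: str
    phone_on_file: str         # verified at onboarding; never taken from a change request
    next_payment_date: date
    next_payment_amount: float

@dataclass
class ChangeRequest:           # an inbound bank-account update request (assumed fields)
    vendor_id: str
    new_routing: str
    new_account: str
    channel: str               # "portal", "encrypted_email", "email" or "phone"
    urgent: bool               # asks to rush or skip the normal process
    callback_number: str       # number the requester says to call back

def aba_checksum_ok(routing: str) -> bool:
    """Sanity check on a 9-digit US routing number using the ABA check digit (weights 3,7,1)."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0

def review_change(req: ChangeRequest, vendor: VendorRecord, today: date,
                  large_payment: float = 50_000, window_days: int = 7) -> dict:
    """Collect red flags for a change request and decide what AP should do next."""
    flags = []
    if req.channel == "email":
        flags.append("banking data arrived by unencrypted email")
    if req.urgent:
        flags.append("urgency / request for a process exception")
    if not aba_checksum_ok(req.new_routing):
        flags.append("routing number fails ABA checksum")
    days_to_payment = (vendor.next_payment_date - today).days
    if 0 <= days_to_payment <= window_days and vendor.next_payment_amount >= large_payment:
        flags.append(f"change lands {days_to_payment} day(s) before a large scheduled payment")
    if req.callback_number != vendor.phone_on_file:
        flags.append("callback number in request differs from number on file")
    # The confirmation call always goes to the number already on file, so a spoofed
    # request cannot steer verification to the requester's own phone.
    action = "hold_payment_and_escalate" if flags else "callback_then_apply"
    return {"flags": flags, "callback_to": vendor.phone_on_file, "action": action}

def sample_review() -> tuple:
    """Constructed data: an urgent emailed change two days before a $120k payment, and a clean one."""
    vendor = VendorRecord("V-1001", "+1-555-0100", date(2021, 6, 10), 120_000.0)
    suspicious = ChangeRequest("V-1001", "123456789", "9876543210", "email", True, "+1-555-0199")
    clean = ChangeRequest("V-1001", "123456780", "9876543210", "portal", False, "+1-555-0100")
    return review_change(suspicious, vendor, date(2021, 6, 8)), review_change(clean, vendor, date(2021, 5, 1))
```

The suspicious request trips all five flags and holds the payment; the portal request with no flags still goes through a callback to the number on file before the change is applied.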
Once validated, information must be securely stored. Where it is kept on paper, companies should implement a level of physical protection, such as locking it in a file cabinet, but we know files are often kept in a folder on someone's desk or—in the age of remote work—in someone's car or home. Many companies keep supplier data in spreadsheets. If someone intercepted that spreadsheet, the data would be exposed.
When storing supplier banking information in an ERP system, ensure access is tightly controlled through strict permissions workflows and frequent audits of current user activity.
As traditionally check-heavy companies rush to meet the demands of electronic payments, they may miss critical steps necessary to safeguard supplier banking data. They should partner with their IT, security and compliance teams to build a robust system of access control, monitoring, and review. Where in-house resources and skills are limited, outsourcing the responsibility to a payment provider is another option to consider.
With the pace of change and new security threats upon us, focusing on worst-case scenarios may leave you feeling helpless and overwhelmed. Preparation is key to successfully managing change. Identifying these scenarios will help you predict and prepare for the challenges and pitfalls ahead as you safely transform your accounts payable flow.