Heads Up Vendor Master File Change Controls: When Technology and Vendors Collide

Over the past year, we have seen a rise in vendor-related wire fraud within organizations whereby unsuspecting accountants have wired large sums of money to inappropriate parties. In some cases, small anomalies have alerted organizations to the potential fraud, but in others, we have seen six figure payments go out the door with little to no chance of recovery. While each case has been slightly different, two consistent themes have emerged:

• All instances involved a compromise of either the organization’s or their vendor’s Office 365 email system, and
• Each instance could have been prevented had proper internal controls been applied on a timely basis.

When considering these fraudulent activities, we have put together a brief list of considerations, related to vendor payments, for your organization to consider.

1. NEVER process a change in payment instructions for a vendor without verifying the change verbally: In a couple of cases, we have seen wire instructions requesting a change in bank and bank accounts emailed to an employee. Whether received by email or US postal service, employees should reach out to their vendor liaison using the contact information in the organization’s system (not the phone number provided in the change notification). The change should not be processed without verbal confirmation.
2. Ensure payments, especially those exceeding a defined threshold, are approved by a person with requisite knowledge of the payment: Bad actors trying to solicit payments, especially those who have infiltrated an organization’s email system, may have inside information as to how wire transfers are made. Enhancing your internal controls to include a second approval, or verbal confirmation of the payment being made for payments over a certain amount, can limit this risk substantially.
3. Reconcile your cash accounts on a timely basis: In the larger frauds we have seen, one commonality is that the frauds could have been detected earlier had the cash accounts been monitored closely. Unusually large payments or several payments made to the same vendor in a short period of time, whether by check or wire, should be flagged and investigated for potential fraud.
4. When in doubt, investigate: Bad actors are getting better and better at creating phishing scams that are personalized, specific and believable. If your organization has not yet implemented cybersecurity awareness training, specifically covering the risk of spear phishing, now is the time.

While these may seem like basic considerations, they are important reminders to pass along, especially during the COVID-19 work-from-home period. As always, the TRAC team is here to support you. If you have any questions or would like to discuss your specific situation, please contact Michael Camacho or Samantha Kerwin.

Michael Camacho, CPA, CIA Partner mcamacho@citrincooperman.com	Samantha Kerwin, CPA, CGMA, MBA Director skerwin@citrincooperman.com