Vendor fraud is an expensive problem for many businesses. The FBI’s Internet Crime Complaint Center reported that vendor fraud was the number one cyber fraud in terms of losses — more than $3 billion for companies in the United States as of 2019. Since the pandemic, vendor fraud and invoice fraud attempts have only increased.
Vendor fraud can be prevented with the right compliance management approach. Regulations like the Sarbanes-Oxley Act of 2002 aim to protect businesses against basic vendor fraud schemes. This Act and other regulations require companies to have a comprehensive approach to vendor management to be compliant and avoid fines.
Nevertheless, many businesses struggle to completely eliminate vendor fraud altogether. Today’s best practices for vendor management implement advanced Know Your Vendor software, elevating basic vendor compliance to an approach that is smarter, faster, and more reliable.
The risk of vendor fraud
Vendor fraud is one of the most prevalent types of fraud, according to the American Institute of CPAs. Vendor fraud is a category of fraud that typically involves improper payments to real or made-up vendors. Vendor fraud schemes manipulate a company’s accounts payable for personal gain.
Vendor fraud generally falls into three main categories:
- Fraud is committed by an internal employee or group of employees against the organization;
- Fraud is committed by an outside party without internal support
- Fraud is committed via a coordinated effort between an external party with help from an internal employee or group of employees.
Vendor fraud takes many forms. False vendor fraud refers to any scheme that is completed by creating fake vendors. The fraudster can send invoices to companies asking for payments on a service or good that was never actually provided.
For instance, duplicate invoicing occurs when a vendor sends duplicate invoices to a customer — i.e., two invoices for the same goods or services provided. In a typical invoice fraud scheme, hackers convincingly spoof the email address of a known vendor and send an invoice to be paid into the hacker’s account. The accounts payable team then (knowingly or unwittingly) pays the invoice to the criminal, rather than the actual vendor.
During the pandemic, this fraud risk increased as businesses had to quickly adopt new ways of working that often meant forgoing normal due diligence procedures. Research shows that a typical small business pays around 450 invoices every month with a 1.29% duplication rate – about six duplicate invoices a month. The average amount on those invoices was $2,034, meaning that these small businesses are losing about $12,000 per month if each duplicate invoice is paid.
Of course, not every duplicate invoice is fraudulent; some are simply the result of human error. But, spotting invoice fraud and preventing it can have a significant impact on your bottom line.
Vendor fraud red flags
Spotting vendor fraud isn’t always easy. Like many other forms of fraud, false vendors are constantly evolving. The AICPA recommends monitoring for these common vendor fraud red flags:
- When multiple invoices are paid to the same vendor on the same date or within the same payment cycle; look for duplicate invoices specifically
- Invoices that are authorized for payment during times and dates outside of normal operating business hours
- Invoiced amounts don’t match the agreed-on contract terms; for instance, a total payment made to a vendor exceeds the contractual limit.
Other types of vendor fraud involve business email compromise and email attacks, which are much harder to spot. Mitigating these less obvious signs of vendor fraud requires a comprehensive vendor compliance management approach.
What is vendor compliance management?
Vendor compliance management is an approach that enables your business to identify, mitigate, and better control the risks associated with working with external suppliers. Vendor compliance management is a relatively broad category; it’s required for any organization that’s subject to HIPAA, PCI DSS, NY CRR 500, and SOC 2. However, each of these regulations have different compliance standards; therefore, compliance management encompasses everything from conducting strict background checks to implementing internal payment controls.
Vendor compliance management often involves establishing a Know Your Vendor (KYV) program. At the most basic level, KYV verifies a vendor or institution’s identification, typically by verifying tax identification numbers and screening against sanction lists.
Historically, KYV programs required a fair amount of manual effort to implement. An employee or team would be responsible for onboarding vendors, managing spreadsheets for tracking, manually completing individual applications, and creating repositories of vendor information. As far as the onboarding process is concerned, this is generally a basic questionnaire that the vendor must complete.
Vendor compliance management today has improved thanks to machine learning and artificial intelligence. These best practices for vendor management use cutting-edge software to gain deeper insight into vendor activities.
Best practices for vendor management
Invoice fraud prevention and mitigating vendor fraud requires a multi-layered approach, starting with the right tools. Here are some best practices for vendor management that companies of all sizes should implement.
1. Strengthen and formalize your supplier onboarding process
A strong Know Your Vendor program can help lower the risk of working with a fraudulent vendor. Fraud.net offers the tools necessary to create a modern KYV approach. Our effective KYV framework is founded on a disciplined, data-driven type of risk analysis.
Leveraging Application AI, our solution seamlessly integrates with a variety of platforms offered by specialized providers, empowering your company to gain the insight necessary to fight vendor fraud. Our solution verifies bank account and address information, Tax Identification Numbers, and other reviews that help validate the identity and legitimacy of new potential vendors before you begin the vendor onboarding process.
2. Reduce the risk of insider threats
Remember, two ways that vendor fraud or invoice fraud is carried out successfully requires the involvement of internal parties. The average cost per incident with an insider component is $412,000, a sum that puts many companies completely out of business.
Fraud.net’s suite of tools helps reduce the risk of insider threat by generating transaction and account-level audits, creating compliance processes, establishing workflows that maintain accountability, and managing remediation plans when necessary. These tools can help reduce duplicate invoices and create a more secure, resilient environment. Because Fraud.net’s suite of tools uses AI, these solutions can run without day-to-day manual intervention.
3. Verify vendors on your system
Worst-case scenario, your company is the victim of a spoofing or phishing attempt. Prevent someone from posing as a vendor and accessing your system to steal information with Fraud.net’s Application AI. This tool provides a real-time, risk assessment of applications to verify legitimate customers and vendors while stopping fraudulent ones before they can cause further harm.
Application AI solves for a range of risks, including:
- Duplicate accounts
- Fake accounts
- Synthetic identities
- Bots
- AML & KYC
- Credit checks
Organizations should constantly scan and update their internal controls to ensure that no unknown parties posing as vendors have gained access to valuable information.