How To Identify And Prevent Vendor Impersonation Scams

A vendor impersonation scam (fraud), also known as a business email compromise (BEC) scam, is a type of cyberattack in which fraudsters impersonate legitimate vendors to trick employees into making unauthorized payments. These scammers often use sophisticated techniques to make their emails appear authentic, making it difficult for employees to distinguish them from real communications.

Here’s a simplified definition of vendor impersonation scams:

Vendor impersonation scams are fraudulent attempts to divert payments from legitimate vendors to the scammers’ own accounts.

Scammers typically target companies with strong financial relationships with their vendors, as these companies are more likely to trust urgent payment requests without proper verification. They often use email spoofing techniques to create emails that appear to come from the legitimate vendor, using similar email addresses, logos, and formatting.

The emails typically contain instructions to change payment information, such as the bank account details or wire transfer instructions. They may also include urgency and secrecy to pressure employees into making the payment without proper verification. Once the payment is made, the scammers divert the funds to their own accounts, often located overseas, and it becomes difficult or impossible to recover the money.

How does vendor impersonation fraud work?

Vendor impersonation fraud, a type of business email compromise (BEC) scam, involves criminals impersonating legitimate vendors to redirect payments to fraudulent bank accounts. They often use tactics to make their emails appear authentic to deceive unsuspecting employees responsible for making payments.

Here’s how vendor impersonation fraud typically works:

  1. Scammers Research and Target: They gather information about legitimate vendors, including their names, email addresses, contact details, and payment information. This information is often obtained through social media, public records, or by accessing corporate databases.
  2. Crafting Spoofed Emails: Fraudsters create emails that mimic the legitimate vendor’s communication style, using similar email addresses, logos, and formatting. They may even include urgent instructions or reference specific invoices or purchase orders to increase the likelihood of their requests being taken seriously.
  3. Targeting Invoices and Payment Requests: They target finance or accounts payable departments, sending emails requesting changes to payment information. The emails often include links to fake websites or phone numbers that mimic the legitimate vendor’s infrastructure to collect payment information.
  4. Misdirection and Secrecy: Fraudsters often encourage urgency and secrecy, urging recipients to make the payment immediately and not to disclose the change to anyone else. This creates pressure and makes it more challenging for unsuspecting employees to verify the legitimacy of the request.
  5. Intercepting Payments: Once the payment information is provided, the scammers divert the funds to their own fraudulent bank accounts, often located overseas. By the time the fraud is detected, the money is difficult or impossible to recover.

Red Flags to Detect Vendor Impersonation Fraud:

  1. Suspicious Email Addresses: Check for slight variations in email addresses, such as typos or missing characters. Legitimate vendors typically use consistent email addresses.
  2. Unfamiliar Sender or Addressee: Be wary of emails from unknown senders or emails addressed to someone else in the finance department. Legitimate vendors usually communicate with the usual contact person.
  3. Urgent Payment Requests: Avoid making payments under pressure. Legitimate vendors rarely demand immediate payment changes without prior communication or official authorization.
  4. Misleading Links or Phone Numbers: Verify links and phone numbers provided in the email to ensure they match the legitimate vendor’s official website or contact information.
  5. Poor Grammar or Writing Style: Check for grammatical errors, inconsistencies in formatting, or unusual language that doesn’t align with the legitimate vendor’s communication style.

What are the signs of vendor impersonation fraud?

Vendor impersonation fraud, a type of business email compromise (BEC) scam, can be difficult to detect as it involves criminals impersonating legitimate vendors to divert payments to fraudulent bank accounts. However, there are several red flags that can help you identify and prevent this type of fraud.

Here are some of the signs that you may be dealing with a vendor impersonation scam:

  1. Suspicious email address: Check the email address carefully. Even a slight variation, such as a typo or missing character, could indicate a spoofed email. Legitimate vendors typically use consistent email addresses.
  2. Unfamiliar sender or addressee: Be wary of emails from unknown senders or emails addressed to someone else in the finance department. Legitimate vendors usually communicate with the usual contact person.
  3. Urgent payment requests: Avoid making payments under pressure. Legitimate vendors rarely demand immediate payment changes without prior communication or official authorization.
  4. Misleading links or phone numbers: Verify links and phone numbers provided in the email to ensure they match the legitimate vendor’s official website or contact information. Scammers often use fake links or phone numbers to redirect you to their malicious websites or collect payment information.
  5. Poor grammar or writing style: Check for grammatical errors, inconsistencies in formatting, or unusual language that doesn’t align with the legitimate vendor’s communication style. Legitimate vendors typically maintain high standards in their written communication.
  6. Request for payment outside of normal procedures: If the vendor requests a payment method that is not normally used, such as a wire transfer to an unfamiliar account, be cautious. Legitimate vendors typically stick to established payment methods.
  7. Requests for confidential or sensitive information: Scammers may ask for confidential information, such as bank account numbers or credit card details, in the guise of verifying payment details. Legitimate vendors would not ask for such sensitive information via email.
  8. Requests to change payment information without prior notice: Be wary of emails requesting a change in payment information without prior notice or official authorization. Legitimate vendors typically communicate such changes in advance.
  9. Requests to use a non-standard payment form or invoice template: Scammers may use a different payment form or invoice template than the legitimate vendor’s standard format. Compare the details to the vendor’s usual invoices.
  10. Requests for immediate action or secrecy: If the email instructs you to act urgently or not to discuss the request with anyone else, it could be a red flag. Legitimate vendors would not discourage communication with their finance department.

By being vigilant and checking for these signs, you can significantly increase your chances of detecting and preventing vendor impersonation fraud.

How Can You Protect Your Company From Vendor Impersonation Fraud?

Vendor impersonation fraud, a type of business email compromise (BEC) scam, has become increasingly common as scammers become more sophisticated in their techniques. To protect your company from this type of fraud, it is important to take proactive measures to educate employees, implement strong payment policies, and utilize security tools.

Employee Training and Awareness

  1. Educate employees about vendor impersonation scams: Provide regular training to employees on how to identify suspicious emails and verify payment requests with the vendor directly. Emphasize the importance of not making payments under pressure or disclosing sensitive information via email.
  2. Promote a culture of skepticism: Encourage employees to question the authenticity of any emails that request urgent action or ask for confidential information. Remind them that legitimate vendors would not typically demand immediate changes to payment information without prior communication.
  3. Establish a reporting mechanism: Implement a clear process for employees to report suspected fraud attempts. This could include an anonymous reporting hotline or a secure online portal.

Establish Clear Payment Policies

  1. Require all payments to be made through official channels: Prohibit employees from making payments via wire transfers or other methods that are not controlled by the company. All payments should go through the established payment system, such as the finance department or designated accounting software.
  2. Verify all payment requests with the vendor directly: Mandate that employees verify the legitimacy of any payment requests before processing them. This includes calling the vendor, checking the vendor’s website for official contact information, and comparing the payment details to the vendor’s usual invoices.
  3. Establish a list of authorized vendors: Maintain an up-to-date list of approved vendors and their authorized representatives. This will help employees identify any suspicious emails or requests from unauthorized sources.
  4. Implement a multi-step authorization process: For large or high-value payments, require multiple levels of authorization from authorized personnel within the finance department. This can help prevent unauthorized payments from being processed.

Utilize Payment Verification Tools

  1. Consider using third-party payment verification services: Explore solutions that can cross-check payment requests against known fraud patterns and verify vendor authenticity. These tools can provide an additional layer of protection against sophisticated scams.
  2. Monitor payment activity closely: Regularly review payment history and transaction details to identify any anomalies or patterns that could indicate fraud. Implement alerts for unusual payment amounts or changes to payment destinations.
  3. Protect the company email system: Implement robust email security measures, including spam filters, phishing filters, and regular security audits. Educate employees on phishing techniques and how to identify and report phishing attempts.
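
The payment policies and monitoring alerts described above can be combined into a single pre-payment gate. The following is an added example, not code from the original article: it holds a payment when the vendor is not on the authorized list, when the destination account differs from the one on file and has not been verified with the vendor directly, when the amount is unusual, or when a high-value payment lacks two distinct approvers. All names, account values and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class VendorRecord:
    name: str
    bank_account: str       # account on file from the approved onboarding process
    typical_amount: float   # typical invoice amount for this vendor


@dataclass(frozen=True)
class PaymentRequest:
    vendor_id: str
    bank_account: str
    amount: float
    callback_verified: bool = False  # confirmed by calling the number already on file
    approvers: tuple = ()


# Constructed vendor master data and thresholds (assumptions for illustration).
VENDOR_MASTER = {"V-1001": VendorRecord("Acme Supplies", "ACCT-CONSTRUCTED-0001", 12_000.0)}
HIGH_VALUE = 25_000.0   # at or above this, require multi-step authorization
AMOUNT_FACTOR = 3.0     # alert when the amount exceeds 3x the typical invoice


def review_payment(req: PaymentRequest) -> List[str]:
    """Return the reasons to hold a payment; an empty list means release it."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return ["VENDOR_NOT_AUTHORIZED"]
    holds = []
    # A changed destination is only acceptable after direct verification with the vendor.
    if req.bank_account != vendor.bank_account and not req.callback_verified:
        holds.append("DESTINATION_CHANGED_UNVERIFIED")
    if req.amount > AMOUNT_FACTOR * vendor.typical_amount:
        holds.append("UNUSUAL_AMOUNT")
    # set() ensures the same person cannot approve twice.
    if req.amount >= HIGH_VALUE and len(set(req.approvers)) < 2:
        holds.append("NEEDS_SECOND_APPROVER")
    return holds
```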

Additional Measures

  1. Maintain strong physical security: Protect your company’s physical premises and data storage facilities to prevent unauthorized access to sensitive information.
  2. Implement data loss prevention (DLP) measures: Enforce DLP policies to prevent the unauthorized disclosure or exfiltration of sensitive data, including payment information.
  3. Stay informed about fraud trends: Subscribe to industry newsletters and fraud alerts to stay updated on the latest tactics and techniques used by scammers.
  4. Regularly review and update your security policies: As fraud methods evolve, review and update your security policies, training materials, and procedures to reflect the latest threats.
  5. Conduct regular fraud awareness campaigns: Host periodic training sessions or webinars to reinforce fraud prevention principles and address any new concerns among employees.

By implementing these measures, you can significantly reduce your company’s vulnerability to vendor impersonation fraud and protect your valuable financial assets.

Report Vendor Impersonation Scams

There are several places where you can report vendor impersonation scams. Here are a few of the most common options:

The Federal Trade Commission (FTC): The FTC is a government agency that protects consumers from fraud and unfair business practices. You can file a complaint about a vendor impersonation scam online at https://www.ftc.gov/media/71268 or by calling 1-877-FTC-HELP (382-4357).

The FBI’s Internet Crime Complaint Center (IC3): The IC3 is a partnership between the FBI and private industry that provides a central reporting mechanism for cybercrime. You can file a complaint about a vendor impersonation scam online at https://www.ic3.gov/ or by calling 1-800-CALL-FBI (225-5324).

The Anti-Phishing Working Group (APWG): The APWG is a non-profit organization that works to combat phishing attacks. You can report a phishing email to the APWG by forwarding it to https://apwg.org/reportphishing/ or by visiting the APWG’s website at apwg.org.

Your local law enforcement agency: If you have been the victim of a vendor impersonation scam, you should also report it to your local law enforcement agency. They may be able to investigate the scam and help you recover your money.

In addition to these reporting options, you can also report vendor impersonation scams to your bank or credit card company. They may be able to help you cancel the fraudulent payment and protect your accounts from further fraud.
