Cybercrime is an ever-increasing threat from which manufacturers are not immune. Although reliable statistics are not available, one particular type of scheme that seems to be on the rise is vendor payment fraud. In cases of vendor payment fraud, the fraudster poses as an existing supplier and provides the manufacturer with seemingly legitimate instructions changing the account payment information. The exact means by which vendor payment fraud schemes are perpetrated can take many forms. However, the most sophisticated and hardest to detect schemes often involve “hacking” into the vendor’s systems and sending a seemingly legitimate email or other instruction directing the change.
Unless properly protected against, vendor payment fraud leaves the manufacturer facing an angry supplier that has not received payment, despite the fact that the manufacturer is out of pocket for money still claimed by the supplier. Manufacturers often must face the difficult choice of making double payments or risking supply disruptions.
It is impossible to eliminate all risks posed by cybercrime. However, there are certain simple steps that manufacturers can take to mitigate the risk posed by vendor payment fraud schemes:
The first line of defense for avoiding vendor payment fraud (and many other kinds of fraud) is a vigilant, well-trained, work force. Most individuals are wary of unsolicited emails concerning their own personal finances. That same level of caution is not always present when dealing with work-related matters. Employees should be made aware of potential fraudulent schemes and should employ a healthy level of skepticism regarding any suspicious or unexpected emails seeking to change existing payment instructions.
Many payment fraud schemes can be avoided by a policy requiring that any change in payment instructions received electronically be verified through a phone call to the appropriate supplier contact person, or other form of manual verification. In cases in which manual verification for all changes may not be practical, requiring verification for suppliers over a designated annual spend still can go a long way toward risk mitigation.
Manufacturers should seek to include provisions in their contracts addressing cybersecurity issues. At a minimum, manufacturers should require that all suppliers and vendors employ appropriate measures to protect their systems from unauthorized access. In particular, manufacturers should include provisions in their contracts to expressly provide that suppliers are responsible for the integrity of their own systems and bear the risk of any lost or misdirected payment resulting from a breach.
Finally, manufacturers should ensure that their own systems are properly protected. Employing such protections is a sound business practice for many reasons. In the context of a vendor payment fraud issue, it will be difficult for a manufacturer to argue that a vendor should have employed better security, and therefore should be responsible for a loss, if the manufacturer does not employ the same or equivalent protective measures for its own systems.
The risks posed by vendor payment fraud and other forms of cybercrime are not going away any time soon, and are likely to increase. Manufacturers should take steps to mitigate the risks posed by these issues before they become a victim.