Strategies for Protecting Against Vendor Payment Fraud

11 October 2018 Manufacturing Industry Advisor Blog
Author(s): Nicholas J. Ellis

Cybercrime is an ever-increasing threat from which manufacturers are not immune. Although reliable statistics are not available, one particular type of scheme that seems to be on the rise is vendor payment fraud.  In cases of vendor payment fraud, the fraudster poses as an existing supplier and provides the manufacturer with seemingly legitimate instructions changing the account payment information.  The exact means by which vendor payment fraud schemes are perpetrated can take many forms.  However, the most sophisticated and hardest to detect schemes often involve “hacking” into the vendor’s systems and sending a seemingly legitimate email or other instruction directing the change.

Unless properly protected against, vendor payment fraud leaves the manufacturer facing an angry supplier that has not received payment, even though the manufacturer has already paid out the money the supplier still claims.  Manufacturers often must face the difficult choice of making double payments or risking supply disruptions.

It is impossible to eliminate all risks posed by cybercrime. However, there are certain simple steps that manufacturers can take to mitigate the risk posed by vendor payment fraud schemes:

Train and Advise Employees Regarding the Risk

The first line of defense for avoiding vendor payment fraud (and many other kinds of fraud) is a vigilant, well-trained workforce.  Most individuals are wary of unsolicited emails concerning their own personal finances.  That same level of caution is not always present when dealing with work-related matters.  Employees should be made aware of potential fraudulent schemes and should employ a healthy level of skepticism regarding any suspicious or unexpected emails seeking to change existing payment instructions.

Verify Changes to Payment Instructions

Many payment fraud schemes can be avoided by a policy requiring that any change in payment instructions received electronically be verified through a phone call to the appropriate supplier contact person, or other form of manual verification.  In cases in which manual verification for all changes may not be practical, requiring verification for suppliers over a designated annual spend still can go a long way toward risk mitigation.

Include Appropriate Contractual Protections

Manufacturers should seek to include provisions in their contracts addressing cybersecurity issues.  At a minimum, manufacturers should require that all suppliers and vendors employ appropriate measures to protect their systems from unauthorized access.  In particular, manufacturers should include provisions in their contracts to expressly provide that suppliers are responsible for the integrity of their own systems and bear the risk of any lost or misdirected payment resulting from a breach.

Employ Appropriate Security for Internal Systems

Finally, manufacturers should ensure that their own systems are properly protected.  Employing such protections is a sound business practice for many reasons.  In the context of a vendor payment fraud issue, it will be difficult for a manufacturer to argue that a vendor should have employed better security, and therefore should be responsible for a loss, if the manufacturer does not employ the same or equivalent protective measures for its own systems.

The risks posed by vendor payment fraud and other forms of cybercrime are not going away any time soon, and are likely to increase.  Manufacturers should take steps to mitigate the risks posed by these issues before they become victims.
