Cybersecurity and Fraud Protection

How to Know: Is My New Vendor Legitimate?

Organizations can improve their vendor validation procedures by reviewing these lessons learned from the escalation of reported COVID-19 vendor fraud attempts.


This article was also published in Commercial Banking's magazine, Cybersecurity: Designing for Privacy.

Organizations across the globe have mobilized extraordinary resources in response to the COVID-19 pandemic, and the resulting urgent need for medical equipment and supplies has created an opportunity for fraudsters.

Cybercriminals often use social, economic or political turmoil to escalate cyber and fraud schemes. As the health crisis has expanded globally, many organizations have needed to source medical equipment and supplies from new vendors and often have found themselves the victims of fraud attempts.

Fraudsters look for opportunities to deceive victims using social engineering attacks delivered through email, phone calls and text messages. As COVID-19 first spread, criminals continually adapted tactics to affect a wide range of organizations. Some examples include business email compromise attacks that used the health emergency as an excuse for fraudulently changing payment instructions, as well as pandemic-themed phishing emails or smishing scams that tricked victims into opening malicious attachments or links that promised information on government payments or free medical supplies.

“Criminals seize any opportunity to launch an attack and will use any means necessary, whether by email or phone,” said Alec Grant, Head of Fraud for Commercial Banking. “Fraudsters are everywhere and take advantage of lapses in company best practices or security protocols.”

Healthcare and government were among the first industries impacted as cybercriminals escalated attacks. In March, the FBI issued a warning about the heightened potential for fraud by new vendors selling life-saving medical equipment. As the threat spread across other industries and small businesses, the tactic remained the same: scammers pretended to be new vendors claiming they could provide critical medical supplies. The criminals promised to ship supplies quickly once they received a substantial down payment. Victims made the payment, but the supplies never came and the vendors disappeared. In some cases, victims were approached by seemingly trustworthy brokers who had unknowingly worked with criminals who convinced all parties that they could deliver the needed supplies.

Staying vigilant to cyber and fraud schemes is more important than ever, and employees—whether they work remotely or in the office—should stay on guard and follow validation best practices. Remember: it only takes one person to allow—or stop—fraud.

Alec Grant, Head of Fraud, Commercial Banking

Now, as jurisdictions begin to lift social restrictions and stay-at-home orders, organizations across industries are considering return to the office (RTTO) protocols, and many will need to purchase and keep on hand a stock of personal protective equipment, such as masks and gloves. As organizations implement their RTTO plans, the threat of additional fraud schemes increases, not only for medical supplies but for any purchase, as fraudsters look for new opportunities to strike.

Perform and Prevent

By learning from the escalation of reported COVID-19 fraud attempts, organizations can be better prepared to adapt validation procedures to help prevent future fraud attempts. Performing due diligence and maintaining security and authentication protocols are crucial to stopping them. It is important to be aware of any changes in vendor information or payments, especially when responding to an urgent request.

You can help stop fraud by taking these steps:

  • Remain vigilant, especially with any new vendor, and follow your organization’s established due diligence procedures to approve vendor relationships.
  • Know your sources. Research any potential new business partners using public databases to search names, addresses, ownership structure, tax information, articles of incorporation, business licenses and other available information to verify the validity of a company.
  • Consider hiring a professional consulting firm or using paid online tools that specialize in investigations and due diligence services to assist with vendor validation.
  • Review any invoices and validate any information provided, such as phone numbers and email addresses.
  • Follow your accounts payable internal controls over the approval of invoices for payment and approval of the payment address.
  • Scrutinize any email that requests a payment, changes payment instructions or changes contact information by calling the requestor directly to verify.
  • Investigate any transaction that requires a full or substantial down payment before the product can be shipped. Clients should consider identifying ways to verify the supplier and goods provided.
  • Review medical supply manufacturers’ websites for information related to the purchase of critical supplies, such as N95 masks and other in-demand personal protective equipment.
  • Report any suspicious activity involving a new vendor to the FBI.