Check Before You Pay Vendors

Organizations of all kinds continue to fall victim to cyber-fraud involving payments to vendors. The Iowa State Auditor recently drew attention to fraudsters targeting school districts. In the fraud scheme, as we have previously covered, fraudsters will impersonate an organization’s vendor in order to trick the organization into sending payments to fraudsters instead of the real vendor. In some versions of the scheme, fraudsters may have access to a vendor’s email and may correspond with an organization on behalf of the vendor. In another version, fraudsters will create spoofed email addresses and letterhead that appear similar to the vendor without actually having access to the vendor’s systems.

The Auditor drew attention to the latter variety. According to reports, the school districts received emails that appeared to be similar to the emails from the legitimate vendor. In either case, the end result is the same. Organizations send payment to the fraudster’s bank account instead of the real vendor. The fraud is usually discovered a short time later when the vendor inquires about payment.

The law governing wire transfers makes this scheme particularly difficult to stop. When submitting a wire transfer to their banks, organizations identity the beneficiary account name and number along with a routing number. Many organizations assume that if there is a discrepancy between the name on the wire transfer and the account at the beneficiary bank that the bank will reject the wire. However, under the Uniform Commercial Code (“UCC”) if there is a discrepancy between the name on the account and the account number, bank automated systems may disregard the name identified on the wire and deposit funds into the identified account.

As a result, fraudsters are able to provide organizations with payment instructions that appear legitimate. Fraudsters will provide the real vendor’s name as the beneficiary of the wire, but will provide a number for an account that belongs to fraudsters. When the beneficiary bank’s automated system receives the wire and the name on the transfer does not match the name on the account, the bank will deposit the money based on the account number. Fraudsters can then walk into the bank and withdraw the funds, because the fraudsters are the owner of the account.

As the Auditor recommends, vigilance is important. Organizations, and in particular accounting staff, should pay close attention to any request from a vendor to change payment instructions. If an organization receives such a request the organization should call the vendor at a phone number known to belong to the vendor, not a phone number provided in the email requesting the change.