GFOA Advisories identify specific policies and procedures necessary to minimize a government's exposure to potential loss in connection with its financial management activities. An advisory is not to be interpreted as GFOA sanctioning the underlying activity that gives rise to the exposure.
GFOA recommends that governments use electronic payments to improve efficiency, security, and tracking, but without appropriate internal controls, electronic payments are still at risk. Fraud can affect governments of all sizes and can involve both large and small transactions. As more governments move to electronic payments, electronic payment fraud has become more prevalent, and as protections have evolved to better guard against vendor fraud, fraudsters have gotten better at evading those measures.

Vendor fraud is often associated with submitting fake documentation to change the bank routing and account numbers used for electronic vendor payment deposits. These schemes often involve several compromises at once and may target vendor information along with e-mail accounts or other forms of identification, so that the fraudulent request appears legitimate. For example, fraudsters might compromise a vendor's e-mail account or register a look-alike e-mail domain to pose as legitimate representatives of the vendor.
GFOA recommends that governments put safeguards and internal controls in place to mitigate the risk of fraudulent vendor payment activity.
Some strategies to help mitigate risk are listed below. No one strategy will stop all types of fraud, but implementing several strategies will help create a system of controls that better mitigates the risk of fraud. Additionally, GFOA recommends that governments review all control procedures periodically to ensure that they remain relevant to current threats.
- Do not make any changes to vendor information, particularly payment addresses and/or bank account information, without carefully reviewing the information provided and corroborating it through an independent channel (for example, a telephone number already on file, not one supplied in the request).
- Investigate applicable insurance policy coverage to understand which types of risks are covered. Contact your insurance broker or agent for additional information and procure supplemental coverage if needed.
- Coordinate with your information technology team to keep systems patched and to maintain up-to-date e-mail filtering, including protections against spoofed sender domains (for example, SPF, DKIM and DMARC checks on inbound mail).
- Consider the options provided by third parties, such as using a bank to manage and store vendor account and other sensitive information. If you choose this option, consider requesting the provider's SOC 1 report (prepared under SSAE 16, now superseded by SSAE 18). Note that a SOC 1 report covers controls relevant to financial reporting; a SOC 2 report addresses the provider's security controls more directly.
- Involve additional staff members in the process of changing vendors. Proper segregation of duties helps ensure that the individual who enters information into the system or approves the change is not the same person who conducts due diligence on the vendor changes.
- Train and empower accounts payable and vendor staff to routinely ask questions of both vendors and department staff.
- Understand the practices of fraudsters and the ways in which their practices evolve with technology so you can be prepared for ever-changing assaults. Read and learn from multiple sources.
- Make sure that staff and outside departments understand the importance of prioritizing outstanding balance inquiries from vendors and resolving them quickly, following up on questions via telephone instead of e-mail. Payment questions need to be addressed as quickly as possible because they may uncover vendor or payment fraud. Again, insist that staff use telephones, faxes, or the postal service rather than e-mail to address issues with vendors. (If the government's or the vendor's e-mail has recently been compromised, an e-mail reply will likely reach the fraudster rather than the vendor.)
- Have the vendor manager or a supervisor review all vendor changes for a given day, week, or month. Provide the paperwork for vendor changes to the manager, along with a system report. Use this review process as a training tool to make your vendor staff more aware of risk.
- Do not rely on e-mail to confirm changes to vendor payment information. Fraudsters often compromise the e-mail account of one or both parties involved, so confirm changes by telephone instead, using a number already on file.
- Using information you already have in your records, call the vendor at a telephone number already on file to verify the existing account information and the information to be changed.
- Do not give out vendor information over the phone. When confirming changes, provide staff with a script to use and always ask vendors to identify both old and new account information. The vendor should provide the information without assistance.
- Conduct an Internet search or validate the street address and phone numbers provided against reputable databases. Do not call a phone number supplied in the change request itself to verify the change; you may be talking to the fraudster.
- Before releasing payments, use an auditing tool to compare recent vendor account changes with check registers for a given check run. Follow up with the vendors included in the check run to verify account or address changes verbally before releasing payments. Incorporate this process into your daily pre-check run process.
- When using systems that provide online tools vendors can use to update their own information, require that they use strong passwords (and multi-factor authentication where the system supports it), and apply the verification strategies listed above to confirm all changes.
- Vendor self-service capability should include an approval or notification process for staff and audit trail reporting.
Form/Information Change Strategies
- Remove vendor change forms from your government’s website. Have the vendors contact government staff directly for forms.
- Revise your forms so they require vendors to provide both old and new bank routing and account numbers or billing addresses when requesting a banking change or a payment mailing change. A fraudster may have this information and use it to complete your form, but any additional information you request creates another barrier to keep him or her from getting through your internal controls.
- Beware of any vendor change form that asks for revisions to more than one item in its account. For example, a vendor may change bank accounts, but is it also likely to request changes to its street address, contact, and e-mail address at the same time? Also compare the vendor's e-mail domain on file with any new domain provided on the form (look-alike domains often differ by a single character or by the top-level domain), and use the Internet to verify all changes.
- Look closely at the information and documentation provided by the vendor. A voided check with a very low check number (few digits) suggests a newly opened account. Is the paperwork provided what you would expect to see from a large vendor with many business transactions?
- Is the vendor local but updating its account to use an international bank? Is the language or wording of an e-mail unusual?
Follow Up Strategies
- If you become aware of fraudulent routing and account numbers, notify your bank and law enforcement. They may already be involved in a related investigation and might be able to help.
- Once you become aware of a fraudulent account, scrub your vendor file data for other vendor accounts that might use the same bank routing number or account number. Inactivate any questionable vendor accounts immediately, until you are satisfied that the vendor has resolved the issue.
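The pre-check-run comparison of recent vendor changes against the check register, the multi-field and e-mail domain checks on change forms, and the scrub for other vendor records sharing a fraudulent routing/account pair can all be run from one screening script. The following Python is an added example, not GFOA's code or any accounts payable system's product: the vendor records, change log, check register, routing/account numbers and domains are constructed, and the export layout (one row per changed field, plus a check register) is an assumption about the AP system.

```python
"""Pre-check-run screen for vendor master changes.

Added example, not GFOA's code. Every vendor, routing/account number, domain and
date below is constructed; the export layout is an assumption about the AP system.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed vendor master as it stands on the day of the check run.
VENDORS = {
    "V100": {"name": "Acme Supply Co.", "domain": "acme-supply.com",
             "routing": "123456789", "account": "99820044"},
    "V200": {"name": "Metro Paving LLC", "domain": "metropaving.com",
             "routing": "123456780", "account": "77100"},
    "V300": {"name": "Riverside Office Products", "domain": "riverside-op.com",
             "routing": "123456789", "account": "99820044"},
    "V400": {"name": "Civic Engineering", "domain": "civiceng.com",
             "routing": "123456780", "account": "31400"},
}

# Constructed change log: one row per field changed, plus the e-mail address
# that submitted the request. V100's rows came from a look-alike domain.
CHANGE_LOG = [
    {"vendor_id": "V100", "changed": date(2017, 9, 18), "field": "routing",
     "old": "123456780", "new": "123456789", "requested_from": "ap@acme-supp1y.com"},
    {"vendor_id": "V100", "changed": date(2017, 9, 18), "field": "account",
     "old": "55501", "new": "99820044", "requested_from": "ap@acme-supp1y.com"},
    {"vendor_id": "V100", "changed": date(2017, 9, 18), "field": "email",
     "old": "ap@acme-supply.com", "new": "ap@acme-supp1y.com",
     "requested_from": "ap@acme-supp1y.com"},
    {"vendor_id": "V200", "changed": date(2017, 8, 1), "field": "address",
     "old": "10 Main St", "new": "12 Main St", "requested_from": "billing@metropaving.com"},
    {"vendor_id": "V400", "changed": date(2017, 9, 20), "field": "account",
     "old": "31399", "new": "31400", "requested_from": "office@civiceng.com"},
]

# Constructed check register for the run dated RUN_DATE.
RUN_DATE = date(2017, 9, 22)
CHECK_RUN = [
    {"vendor_id": "V100", "amount": 12500.00},
    {"vendor_id": "V200", "amount": 3400.00},
    {"vendor_id": "V300", "amount": 890.00},
]

ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)

def aba_checksum_ok(routing: str) -> bool:
    """ABA routing numbers are nine digits whose 3-7-1 weighted sum is a multiple
    of 10; a number that fails is a typo or a fabrication, not a real bank."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    return sum(w * int(d) for w, d in zip(ABA_WEIGHTS, routing)) % 10 == 0

def email_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def recent_changes(log, as_of, window_days=30):
    """Group change-log rows by vendor, keeping only those in the look-back window."""
    cutoff = as_of - timedelta(days=window_days)
    by_vendor = defaultdict(list)
    for row in log:
        if cutoff <= row["changed"] <= as_of:
            by_vendor[row["vendor_id"]].append(row)
    return by_vendor

def screen_vendor(vendor, changes):
    """Reason codes for holding a payment until the change is verified by phone.
    Any recent change is held; the other codes are the advisory's red flags."""
    if not changes:
        return []
    reasons = {"RECENT_CHANGE"}
    if len({c["field"] for c in changes}) > 1:      # several fields changed at once
        reasons.add("MULTI_FIELD")
    for c in changes:
        if c["field"] == "routing" and not aba_checksum_ok(c["new"]):
            reasons.add("BAD_ROUTING_CHECKSUM")      # cannot be a real routing number
        if email_domain(c["requested_from"]) != vendor["domain"].lower():
            reasons.add("DOMAIN_MISMATCH")           # request not from the domain on file
    return sorted(reasons)

def screen_check_run(register, log, vendors, as_of, window_days=30):
    """Map each vendor in the run to its hold reasons (empty list = release)."""
    changes = recent_changes(log, as_of, window_days)
    return {p["vendor_id"]: screen_vendor(vendors[p["vendor_id"]],
                                          changes.get(p["vendor_id"], []))
            for p in register}

def shared_bank_details(vendors, routing, account):
    """Vendor records paying into a routing/account pair found to be fraudulent."""
    return sorted(vid for vid, v in vendors.items()
                  if (v["routing"], v["account"]) == (routing, account))

if __name__ == "__main__":
    for vid, reasons in screen_check_run(CHECK_RUN, CHANGE_LOG, VENDORS, RUN_DATE).items():
        status = "HOLD " + ", ".join(reasons) if reasons else "release"
        print(f"{vid} {VENDORS[vid]['name']}: {status}")
    # Once V100's new account is confirmed fraudulent, scrub the file for copies of it.
    bad = VENDORS["V100"]
    print("vendors sharing V100's bank details:",
          shared_bank_details(VENDORS, bad["routing"], bad["account"]))
```

Every vendor with any change inside the look-back window is held for a telephone call to a number already on file; the reason codes only tell the reviewer what to ask about. The ABA checksum rejects numbers that cannot be routing numbers at all, so a passing number says nothing about who owns the account. Run with a routing/account pair confirmed as fraudulent, the scrub lists the other vendor records to inactivate until each one has been verified.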
Board approval date: Friday, September 22, 2017