Security best practices your A/P staff needs to follow to prevent fraudulent payments
Your A/P security best practices probably include a confirmation phone call whenever a vendor emails you that their bank info’s changed.
But because fraudsters are becoming more skilled at fooling businesses like yours, it’s important to take the time to verify that whoever is requesting the change is, in fact, your vendor and not a criminal impersonating them.
In an IOFM webinar, A/P consultant and trainer Debra Richardson said that a good first step is comparing the info submitted with the data in your master vendor file to see if the existing bank information, taxpayer identification number and remittance address all match. (Insisting that all vendors fill out an official, uniform vendor application form to submit these changes is a big fraud deterrent.)
When you get the person who's requesting the change on the phone, your vendor security questions need to include:
- What are the last four digits of the new bank routing number and the new account number? It’s not a bad idea to see what happens when you enter the routing number on the Federal Reserve’s website, frbservices.org.
- What are the last four digits of the current/former bank routing number? Fraudsters are less likely to have this information, and if the person can’t give you those numbers, it’s a red flag that they probably don’t have the authority to make such critical changes to the company’s payment method.
Because vendors may not want to give out full account and routing numbers over the phone, the last four digits are sufficient, she said.
Follow-up security best practices
Another solid security best practice is doing what Amazon, Hulu and Netflix do when there’s a user account change: Send the vendor a notification that you made a change to their vendor record. Be sure to tell them to call you right away if they didn’t initiate the change.
For any vendor that’s changed their remittance info within the last 90 days, Richardson recommended picking a threshold amount, such as $5,000 or $10,000.
If a payment exceeds that threshold, the transaction details need to be reviewed. And as soon as the payment is released, A/P should make a prompt follow-up call to the vendor to confirm they received the payment.
A related pro tip from the National Security Alliance to pass along to your A/P staffers: Don’t process or respond to vendor email requests using your phone.
Here’s why: The screen is so small that signs of attempted fraud, such as a spoofed email account address, can get missed.
Also, be mindful about forwarding these messages. If you forward a fake email to another team member, they’re likely to assume you did your due diligence to check the request wasn’t fraudulent.