How to Protect Your Institution from Fraud and Fake Suppliers
How JAGGAER tools can help schools, universities, and other organizations protect themselves against scams, fraud, and fake suppliers.
In 2017, the ongoing security battle against scammers reached a new level on a number of fronts. The year saw a notable increase in a particular type of scam: nefarious actors posing as vendors to trick organizations into paying them instead of the proper suppliers.
As we approach mid-year 2018, we thought it a good time to delve a little deeper into this topic, providing insights into what to look for and how you can protect your institution from similar scams.
Matt Boge, JAGGAER’s Contract Lifecycle Management (CLM) expert, explains how you can protect yourself.
Q: How long have fake supplier phishing attacks been happening? Are they becoming more frequent?
MB: Vendor account scams like this have been around for some time, but they’ve increased in both frequency and sophistication in recent years. In 2017, the FBI identified this activity among a list of similar scams that organizations should watch out for. And, while the most high-profile known cases of this type of phishing have been at universities, theoretically any organization that procures goods and services could be a target.
Q: What has made these attempts successful?
MB: Scammers aren’t going after a technology-based vulnerability, but a human one. They’re getting around technical hurdles by tricking someone who is already within a customer organization to unknowingly do their work for them.
These scams have two flavors:
- An outside actor poses as a supplier and convinces an internal employee to change important details in the supplier’s data—usually a bank account–so that payments are funneled into a fraudulent account and it looks from the customer’s end that payment has been made.
- Someone who is already a part of the customer organization—usually someone who has access to supplier data—alters the payment data in the system themselves, with the intent of having payments made to accounts they shouldn’t be heading to.
Q: How can an organization do a self-audit, assessing their vulnerability to such a scam?
MB: The most important thing organizations can do right away is to make sure their suppliers have the ability to make their own changes in the procurement system. In other words, verify that the people who are supposed to be paid are the ones making changes.
Other quick, but effective, first steps in protecting your company include establishing internal protocols for authenticating requests to change sensitive information, such as verifying these requests with known individuals at the organization in question—preferably via a phone call. Teaching employees on how to tell whether a website domain is authentic is also valuable. Domains can be spoofed and knowing what to look for can be the quickest way to tell when something is amiss.
Q: Although phishing and social engineering attacks typically go after human vulnerabilities, can technology still protect against this?
MB: Absolutely. We’ve built the JAGGAER Supplier Management solution with this type of security in mind. Any supplier management tool needs to address potential security vulnerabilities in a thorough, layered approach that prioritizes visibility.
Suppliers should have the ability to update their data directly from the vendor management portal so that any supplier requests for the customer will set off an alert. A secure tool should allow suppliers the ability to change only data that the customer has specifically identified as “editable” in the portal and prevent changes until the customer has reviewed and approved them and supplier information has been properly verified.
Automated notifications add critical visibility to a procurement system. If a supplier is notified that a payment or other sensitive information has been modified, it’s impossible for a scammer to change that key data without someone knowing about it.
In order for this process to work, it’s important to account for a separation of duties within the department. This means making sure those who edit information are not the same individuals authorized to approve that same information. This is especially important in preventing scams originating from an internal source. For example, a potential internal embezzler would not be able to approve their own fraudulent changes because a different individual would be in charge of approving these changes and receive notification of the revisions—thus preventing the fraudulent changes going into effect.
JAGGAER has added additional safeguards to further enhance security, including workflow approval processes that disable ERP syncing until proper approvals are met, granular permissions, optional secondary approval processes and more.
Learn more about Supplier Management here.