The Wolf, the Goat and the Kid: An Unexpected Tale of Invoice Redirection Fraud

In the 1668 La Fontaine fable "The Wolf, the Goat, and the Kid", a mother goat leaves home in search of food, warning her daughter about the wolf who might try to enter the house in her absence. She tells him to be careful and to only open the door upon hearing a certain watchword. Unfortunately, the wolf, who happened to be passing by, overhears their conversation. As soon as the mother goat leaves, the wolf knocks on the door. Talking his sweetest voice, he bleats out the password to the kid, already imagining what a delicious meal the young goat will make. The kid recognizes her mother’s voice but, skeptical, asks to see her white feet as proof. The wolf, knowing all too well that his big grey paws would instantly betray his true identity, resolves to return to the woods to look for easier prey, while the goat family celebrates their near escape. La Fontaine leaves us with the moral of the story: "Two sureties better are than one / And caution's worth its cost / Though sometimes seeming lost."[1]

The moral of this fable is just as relevant today as it was in 1668, especially for employees involved with the maintenance of vendor information. Members of this particular department are especially vulnerable to phishing attacks, and will surely see the resemblance between the wolf and perpetrators of invoice redirection scams. In this type of widespread and prevalent scheme[2], the account payable or management employee receives a request from an existing vendor to update their banking information or address[3]. Thinking that this adjustment is a routine vendor maintenance operation and trusting the email or letter received, they proceed to change it without further verification. Weeks later, the vendor calls, asking why all their invoices are 30 days overdue, and the employee discovers that the vendor's new bank account or mailing address was redirecting funds into a scammer’s account. Thankfully, all is not lost when a company becomes aware of the situation, as investigations sometimes allow victims to recover some of these payments. For example, a Wisconsin school that fell prey to this scam was able to recover $440,000 out of the $600,000 they had lost with help from the FBI.[4]

In order to avoid this type of scam, it is important to create a standard streamlined vendor management procedure that compares and verifies vendor banking information or address change requests with independent sources. For example, every time a change to a vendor’s critical information is received, the person in charge of completing the update should call an agreed-upon vendor contact to verify that the request is legitimate before editing the data in the system. This procedure should be followed even if the initial email or letter requesting the change appears to come from a known client contact and looks genuine.

In order to get additional information about vendor management best practices or to discover if your business has established the proper procedures to avoid such fraud, feel free to contact our Risk Advisory practice. Our department specializes in identifying the control gaps in organizations through the use of a formal risk assessment methodology and can redesign or update your procedures to minimize existing risks.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2019 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on

SOC 2 Examinations - Keys to Success
The Wolf, the Goat and the Kid: An Unexpected Tale of Invoice Redirection Fraud
The Wolf, the Goat and the Kid: An Unexpected Tale of Invoice Redirection Fraud
Manufacturers are Targets for Cybercriminals - How to Thwart an Attack
The Privacy of Consumer Banking Data and the Financial Data Exchange

Register to receive our weekly newsletter with our most recent columns and insights.

Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us

contact us

Map of Pittsburgh Office
Pittsburgh

One PPG Place, Suite 1700
Pittsburgh, PA 15222

contactsd@schneiderdowns.com
p:412.261.3644     f:412.261.4876

Map of Columbus Office
Columbus

65 East State Street, Suite 2000
Columbus, OH 43215

contactsd@schneiderdowns.com
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102