In the 1668 La Fontaine fable “The Wolf, the Goat, and the Kid”, a mother goat leaves home in search of food, warning her daughter about the wolf who might try to enter the house in her absence. She tells her to be careful and to open the door only upon hearing a certain watchword. Unfortunately, the wolf, who happens to be passing by, overhears their conversation. As soon as the mother goat leaves, the wolf knocks on the door. Putting on his sweetest voice, he bleats out the password to the kid, already imagining what a delicious meal the young goat will make. The kid recognizes her mother’s voice but, skeptical, asks to see her white feet as proof. The wolf, knowing all too well that his big grey paws would instantly betray his true identity, resolves to return to the woods to look for easier prey, while the goat family celebrates their near escape. La Fontaine leaves us with the moral of the story: “Two sureties better are than one / And caution’s worth its cost / Though sometimes seeming lost.”[1]
The moral of this fable is just as relevant today as it was in 1668, especially for employees involved with the maintenance of vendor information. Members of this particular department are especially vulnerable to phishing attacks, and will surely see the resemblance between the wolf and perpetrators of invoice redirection scams. In this widespread type of scheme[2], the accounts payable or management employee receives a request that appears to come from an existing vendor to update their banking information or address[3]. Thinking that this adjustment is a routine vendor maintenance operation and trusting the email or letter received, they proceed to change it without further verification. Weeks later, the vendor calls, asking why all their invoices are 30 days overdue, and the employee discovers that the vendor’s new bank account or mailing address was redirecting funds into a scammer’s account. Thankfully, all is not lost when a company becomes aware of the situation, as investigations sometimes allow victims to recover some of these payments. For example, a Wisconsin school that fell prey to this scam was able to recover $440,000 out of the $600,000 it had lost with help from the FBI.[4]
In order to avoid this type of scam, it is important to create a standard streamlined vendor management procedure that compares and verifies vendor banking information or address change requests with independent sources. For example, every time a change to a vendor’s critical information is received, the person in charge of completing the update should call an agreed-upon vendor contact to verify that the request is legitimate before editing the data in the system. This procedure should be followed even if the initial email or letter requesting the change appears to come from a known client contact and looks genuine.
In order to get additional information about vendor management best practices or to discover if your business has established the proper procedures to avoid such fraud, feel free to contact our Risk Advisory practice. Our department specializes in identifying the control gaps in organizations through the use of a formal risk assessment methodology and can redesign or update your procedures to minimize existing risks.