How SVB amplified the risk of invoice fraud — and what you should do about it

The end of the quarter is never an easy time for any finance team. All of the financial activity of the previous 90 days has to get wrapped up in a nice little package while executives, investors and regulators impatiently wait. At the same time, salespeople are rushing to close deals, marketing teams are rushing to plan budgets, and vendors are trying extremely hard to get paid. 

In this scenario, an accounts payable manager’s inbox is lighting up with requests of all nature. Every request is framed with life-and-death urgency, which means the AP team member’s attention is being subdivided into increasingly smaller cycles.  

So when an email from a vendor comes in with a seemingly routine request to update its banking details so it can please, please get paid before the end of the quarter, the AP manager doesn’t give it a second thought. He allocates one of his few remaining open brain cycles to this request and moves on to the next one. 

Whoops. Your company just got defrauded. 

Fraudsters taking advantage of banking uncertainty  

This invoice scam works because many companies are actually switching banks, for very legitimate reasons. Ever since SVB kicked off the chain reaction of regional banking problems, businesses have been partnering with new institutions. Some businesses are doing it to hedge against risk, while others do it because their banks no longer exist. 

Fraudsters thrive in this sort of chaos. They are taking advantage of the current landscape by impersonating legitimate suppliers, telling Accounts Payable teams that they have changed banks and attempting to submit false banking information. They are also taking advantage of the fact that many businesses have not yet digitized their accounts payable processes — in Stampli’s survey, AP Today: Bottlenecks, Benchmarks, and Best Practices, over 40% of businesses reported that they still process invoices manually. 

If the AP department accepts the request, future payments that are intended for the legitimate supplier will instead be routed to the fraudster’s bank account.  

This ruse is especially effective at the end of the quarter. That’s when AP is overworked and more likely to make mistakes, or to be susceptible to the fraudster’s pressure to make changes without properly checking the information submitted.  

A $100 million dollar AP scam hits Google and Facebook 

Between 2013 and 2015, a Lithuanian man executed a phishing and invoice scheme that caused Google and Facebook more than $100 million in losses.  

According to his 2016 indictment, Evaldas Rimasauskas created a company with the same name as Quanta Computer, a Taiwan-based computer hardware supplier. He opened bank accounts in both Cyprus and Latvia, and then then sent sham invoices and emails regarding payment to both Google and Facebook, directing unsuspecting employees to wire funds to the fake company account that Rimasauskas had control over. 

The lessons: Prevention is key when it comes to invoice fraud. You must educate employees about common scams and pressure tactics. And you must build a rapid reporting process for sharing and validating suspicious requests. 

How the nation’s leading potato grower prevents AP fraud 

AP fraud doesn’t just target tech companies. CSS Farms has dozens of facilities across 10 states, including greenhouses, seed farms, and commercial chip potato farms. This year, the company expects to farm 26,500 acres to produce more than 11 million CWT of potatoes (which is equivalent to more than 1.2 billion pounds). 

As a result of their size and scale, the CSS Farms AP team is processing thousands of invoices a month for nearly as many vendors. According to Vanessa Larimore, Accounts Payable Manager, CSS Farms does see fraudsters attempting to change vendor bank information — but none have been successful.  

“When it comes to banking information, we have a number of policies in place that require double checks or extra validation,” says Larimore. “For example, if we receive a payment-related email from a vendor, we never call the number they give us — instead, we always Google the main number. In addition, we have software-based controls, such as requiring secondary approval to change a vendor’s bank details, which doubles the likelihood that any fraudulent activity will be caught.” 

Larimore also recommends using bank validation software, which she gets from her business bank. This software lets her team quickly verify account owner information and check the risk level of accounts in real time. Certain risk factors, such as accounts that were very recently created, are flagged for extra scrutiny. 

“The best practice is to never take an email at face value,” says Larimore. 

Clear guidance for fraud prevention 

As CEO of Stampli, a leading accounts payable software provider, I have a front seat view of this world. In order to prevent scams, I advise AP departments to follow strict protocols, including: 

• Create a clear process for onboarding a vendor and changing vendor information, with multiple eyes involved and no exceptions allowed 
   
• Ensure a complete segregation of duties (ideally enforced by your AP automation software), so that no one person has the ability to both change banking information and trigger payments 
   
• Always independently verify account change requests through the supplier contact methods already on file, regardless of the contact information provided in the request 
   
• Scrutinize email addresses closely, as scammers often create email addresses that closely mimic real ones 
   
• Ensure that all supplier information is kept up-to-date and accurate, to aid in the verification process when requests for changes are made 

• Educate all employees, but especially those in Accounts Payable, about common scams and pressure tactics, and train them to follow business protocols in such circumstances 
   
• Create a reporting mechanism for sharing and validating suspicious requests 

On a personal note, my advice is simple: Never assume you’re not under threat. Any time money is changing hands, you should assume there are scammers looking for a way to get their hands on it.  

The good news is that with proper protocols and tools, accounts payable teams can stop fraud before it starts.