
Submitted URL: https://csv9f04.na1.hubspotlinks.com/Ctc/DM+113/cSv9f04/VWg_VX6Vg16zW6T0-BK7pDJkSW6-Tm8p59f-VgN1CRsYY5nXHsW5BWr2F6lZ3q1W3DBwWY1bpDFbV...
Effective URL: https://www.paymentworks.com/2023/12/01/what-to-know-about-ceo-fraud-phishing-vendor-desk/?utm_campaign=Feb%2724-Love%20Lette...
Submission: On September 18 via manual from US — Scanned from DE

WHAT YOU NEED TO KNOW ABOUT CEO FRAUD PHISHING AND THE VENDOR DESK

What does company culture have in common with CEO fraud?


BY ASHLEY POYNTER

Content Manager
PaymentWorks


CEO fraud phishing is the bane of the vendor desk’s existence. In addition to
being tasked with a ton of manual processes, managing vendor compliance, and
mitigating other risks, your vendor desk is also being asked to step up to the
plate as a fraud prevention professional. 

Aren’t we asking a lot?

I get it – there’s a lot at risk. Someone has to take responsibility and
ownership over fraud attempts against your organization. 

However, when we look at the mechanics of CEO fraud phishing – how it works, the
consequences, and the human cost of mitigating the risk – a lot more becomes
clear. 

Let’s dive in.

--------------------------------------------------------------------------------


TABLE OF CONTENTS

What is CEO Fraud Phishing?

CEO Fraud Phishing aka Business Email Compromise is Rising

What Happens When Fraudsters Win

How to Spot a CEO Fraud Phishing Attack

CEO Fraud Prevention Starts With Culture

There’s No Silver Bullet

How Vendor Management Appreciation Day Can Help

Want Help Aligning Your Teams to Fight CEO Fraud Phishing?

Interested In Regular Tips to Combat CEO Fraud Phishing?

Want Personalized Guidance to Combat CEO Fraud?

--------------------------------------------------------------------------------


WHAT IS CEO FRAUD PHISHING?

CEO fraud (phishing) is a nefarious attack by a fraudster posing as your CEO.
It’s a type of spear phishing – where bad actors send emails that appear to be
from a trusted source in an attempt to gain access to sensitive or confidential
information. 

In other words, it’s bad news. 

CEO fraud phishing that targets the vendor desk can have dire consequences. In
most cases, this is an attempt by fraudsters to get your vendor desk to transfer
money to a bank account that the fraudsters own. 

It’s in the same category as vendor impersonation fraud and business email
compromise fraud. In other words, it relies on the trust of the target to be
successful. In all these scams, bad actors pretend to be people they’re not to
get access to money and/or data that doesn’t belong to them. 

To see what this looks like in action, listen to Matt McDonald of the City of
Vista talk about a near-miss his team had with a fraudster trying to steal
money: 



There are a few ways CEO fraud can happen, and they can be equally hard to
catch. For example, an attacker might use the name of your top executive, but
the email will come from the wrong email address. In most cases, the email
address will be very similar to the right email address but might end with
“.com” instead of “.gov” or be off by a few letters. This is called name
spoofing. 

Another way bad actors attack is by using both the CEO’s name and the correct
sender email address. The trick is that they use a reply-to address that differs
from the sender’s email. So when you reply, the email goes to the fake address
(the fraudster) rather than to your CEO. 

You can see how either of these scenarios might be problematic.

--------------------------------------------------------------------------------


CEO FRAUD PHISHING AKA BUSINESS EMAIL COMPROMISE IS RISING

CEO fraud aka business email compromise (BEC) aka whale phishing (whaling) is on
the rise. Call it by whatever name you want, just don’t underestimate it. The
FBI calls it the $50 billion scam because that’s the total domestic and
international losses accrued from business email compromise between October 2013
and December 2022 – $50,871,249,501, to be specific.  

Between December 2021 and December 2022, the FBI reports a 17% increase in
identified global exposed losses from BEC. And a recent report from the
Anti-Phishing Working Group (APWG) notes that it logged just under 5 million
attacks in 2022 – making it a record year. The trend report also points out: 

 * Phishing attacks have increased 150% year-over-year since 2019
 * The APWG saw 1,350,037 total phishing attacks in the last quarter of 2022 – a
   6% increase from the previous record quarter
 * On average, a BEC attack attempts to steal $132,559

In other words, now is not the time to let your guard down. The attacks are only
getting worse and there’s a ton at risk.

--------------------------------------------------------------------------------


WHAT HAPPENS WHEN FRAUDSTERS WIN

If the stats above are any indication, successful CEO fraud phishing attempts
mean money goes down the drain. 

But it also means your vendor desk faces the oversized burden of single-handedly
trying to prevent this fraud. And as Jens Brown of Huron Consulting points out,
vendor managers are generally not IT security experts: 



Moreover, the burden of being solely responsible for stopping these kinds of
attacks is putting unnecessary stress on your vendor desk. Trust us, these folks
are losing sleep over the potential consequences if they fail to spot these very
sophisticated CEO fraud phishing attempts. 

Finally, let’s not forget the potential for reputational damage. What happens
when a successful CEO fraud attempt results in you sending money to a fraudster
instead of the actual vendor? What will that vendor think when they email or
call to follow up on the missed payment and you have to explain what happened?
And when word gets around, what will your other vendors think? Your competitors?
Your industry?

To sum up, millions of dollars are potentially at stake. Your reputation is at
stake. And the well-being of your vendor desk is at stake. 

You have a lot to lose.

--------------------------------------------------------------------------------


HOW TO SPOT A CEO FRAUD PHISHING ATTACK

Phishing has been around for a while, so you may feel like you have a grasp on
what these bad emails look like. Here’s the thing: CEO fraud is in a different
class than the phishing scams of old that were sent to thousands of recipients. 

Imagine this: 

The person in charge of vendor management has a busy day. There are 50 new
vendors to onboard, which means collecting vendor data X 50, verifying bank
account info X 50, and running vendor compliance checks X 50. That’s a gross
oversimplification, but let’s go with it for the sake of this example. 

These 50 new vendors are in addition to the hundreds (or potentially thousands)
of other vendors that have payments due, need contact information updated, or
have bank account update requests. 

Let’s add another twist: since vendor onboarding and management is seen largely
as an administrative function at this hypothetical organization, it’s not
uncommon for the higher-ups to bypass preferred or documented workflows just to
“get things done.” That means the vendor desk is used to the CEO and other
executives asking for exceptions to be made. 

In sum: the person steering the vendor desk is under pressure. So when an email
request comes in that appears to be from the CEO asking for a vendor’s banking
details to be updated ASAP, the heat is on. 

It’s easy to talk about “vendor management best practices,” but it’s much harder
to abide by them when you’re racing the clock – and a pile of never-ending,
manual tasks – like the person in this example. 

So the vendor desk does what they can: they check that the email looks
legitimate. The sender’s address and name on it match the CEO’s. They make the
change and check it off their to-do list. 

Except it wasn’t from the CEO. It was from a bad actor with a bank account in
the Cayman Islands who had successfully managed to reroute a legitimate vendor’s
upcoming payment to their own bank account. 

What went wrong? More importantly, how can the vendor desk avoid this bad
outcome?

--------------------------------------------------------------------------------


CEO FRAUD PREVENTION STARTS WITH CULTURE

While we have a list below that you should definitely walk through and consider,
let’s focus on the one thing you can change TODAY if you don’t want this to be
you.

Change your culture.

If your vendor desk manager believes that your CEO or CFO or Controller would
ever ask to break the vendor onboarding process, then, quite simply, you are at
risk for CEO fraud phishing.

That aside, here are a few things to consider when authenticating requests: 

Embrace skepticism – When it comes to bank account update requests or requests
to share sensitive data, always be skeptical. Skepticism should prompt you to
take additional steps to verify the authenticity of the requestor and the
request. 

Note the tone – This one can be tricky. Requests from a CEO are often inherently
urgent, but we encourage you to take note when an email asks you to do something
quickly and without question. These are exactly the types of tactics fraudsters
use to bully people into acting without verifying the authenticity of a request.
Anything urgent should immediately raise a red flag.

Question intent – Fraudsters often rely on the trust of their victims to
perpetrate a scam. If you receive a request from someone who asks that you keep
it confidential, question the intent of the sender. Are they trying to keep you
from confirming the legitimacy of the request?

Watch out for inconsistencies – Sender name and email address are the obvious
ones. But also look out for odd-looking account numbers, bank names, vendor
names, and anything else that might seem slightly off. Remember, all it takes is
one “rn” instead of an “m” to throw you off your game. 
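
The sender checks described under "Watch out for inconsistencies," and in the earlier description of name spoofing and mismatched reply-to addresses, can be partly automated. The following is an added example, not part of the original article or of any PaymentWorks product; the domain exampletown.gov, the executive name, and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values; CONFUSABLES lists sequences that render like another letter.
ORG_DOMAIN = "exampletown.gov"
EXECUTIVES = {"pat rivera"}
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(domain):
    """Collapse look-alike sequences so visually similar domains compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance, to catch domains that are off by a few letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw_message):
    """Return the findings for one raw message's From and Reply-To headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain != ORG_DOMAIN:
        if name.strip().lower() in EXECUTIVES:
            findings.append("executive name on outside address")
        same_name = domain.split(".")[0] == ORG_DOMAIN.split(".")[0]
        if (same_name or skeleton(domain) == skeleton(ORG_DOMAIN)
                or edit_distance(domain, ORG_DOMAIN) <= 2):
            findings.append("look-alike domain")
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to differs from sender")
    return findings

# Constructed sample messages: headers, a blank line, then the body.
SPOOFED_TLD = "From: Pat Rivera <pat.rivera@exampletown.com>\n\nUpdate the bank details today."
SPOOFED_RN = "From: Pat Rivera <pat.rivera@exarnpletown.gov>\n\nWire needed."
REPLY_TO = "From: Pat Rivera <pat.rivera@exampletown.gov>\nReply-To: pat.rivera@mail-example.net\n\nKeep this quiet."
CLEAN = "From: Pat Rivera <pat.rivera@exampletown.gov>\n\nSee you at 3."
for sample in (SPOOFED_TLD, SPOOFED_RN, REPLY_TO, CLEAN):
    print(check_sender(sample))
```

A finding here is a prompt to verify the request, not a verdict: a differing reply-to address also occurs in legitimate mail, and an empty result does not authenticate the sender.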

On a more strategic scale (see “change your culture,” above), there are things
you can do as an organization to make sure CEO fraud phishing scams don’t get
the best of your organization: 


DOCUMENT PROCESSES AND WORKFLOWS 

This one is big. When you write down your procedures for supplier onboarding and
change management (grab a template for that here), you can start (or continue)
productive conversations about your vendor management strategy. 


MAKE THE CASE FOR STRATEGIC VENDOR MANAGEMENT

If you’re part of an organization that likes to break the rules, log each time
you’re asked to make an exception (you can use this template) to the vendor
onboarding or management process. Over time, this can help you present a
compelling case to leadership for revamping your vendor management strategy in a
way that bolsters security and fraud prevention. (And maybe shows them that they
are the problem.)


CHART A VENDOR COMPLIANCE PLAN

Build a framework (like this one) that allows you to create, refine, and
fine-tune your vendor compliance processes so everyone can rest a little easier.

--------------------------------------------------------------------------------


THERE’S NO SILVER BULLET

Sadly, there’s no perfect fix for fighting CEO fraud. However, there are steps
you can take to significantly reduce it. Automating your vendor onboarding
process is one way to do this. 

With automation, you transition from error-prone manual processes to automated
workflows that save time, money, and your sanity. 

Automated platforms transition the ownership of vendor information entry to the
vendor – and who better to do it? When vendors are responsible for entering
their own contact and banking details, mistakes can be avoided. And with a
platform that requires secure sign-on, CEO fraud phishing doesn’t stand a
chance.  

Additionally, an automated system can run the various compliance and bank
account checks more quickly and accurately than one or two people who are also
juggling a million other tasks. All vendor information update requests are
completed by the vendor through a secure system. That system then runs the
necessary checks to ensure that compliance mandates are met and banking account
details are verified. 

So while there’s no way to stop CEO fraud phishing attacks from happening, there
are some surefire ways to make sure they don’t happen to you and your
organization.   

--------------------------------------------------------------------------------


HOW VENDOR MANAGEMENT APPRECIATION DAY CAN HELP

CEO fraud is just one of the challenges vendor management folks deal with on a
daily basis. We know it takes a toll. In fact, we’ve dedicated an entire day to
singing your praises: Vendor Management Appreciation Day (VMAD) on December
12th. 

We’re hosting a virtual soiree (actually, we have several events lined up) to
honor and celebrate the tremendously challenging job vendor management
professionals do each and every day. 

We know that vendor management professionals handle a lot of responsibilities –
and we also know it’s one of the most under-recognized roles in any
organization, regardless of the industry. 

If this piques your interest, will you join us to celebrate on December 12th?



VMAD is a brand-new holiday geared toward unifying vendor management
professionals and celebrating innovation in the field.

Learn more here, and grab some free vendor management goodies.

--------------------------------------------------------------------------------


WANT HELP ALIGNING YOUR TEAMS TO FIGHT CEO FRAUD PHISHING?

Our recent blogs are full of actionable guidance.

Five Tips to Prevent Business Payments Fraud

Must-Know B2B Payments Trends For 2023 (With Original Data from PaymentWorks)

B2B Payments Fraud in Times of Chaos: 2023 Edition

Vendor Management Tips From the Experts Themselves

Vendor Impersonation Fraud: Takeaways and Tips

--------------------------------------------------------------------------------


INTERESTED IN REGULAR TIPS TO COMBAT CEO FRAUD PHISHING?

Subscribe to our blog

--------------------------------------------------------------------------------


WANT PERSONALIZED GUIDANCE TO COMBAT CEO FRAUD?

Contact Us–we’d love to help you





