Is Your Accounts Payable Team Still Taking Live Phone Calls from Vendors?

The human voice, the oldest and most effective interaction, is being used by phishers to solicit sensitive information via live phone calls.  This social engineering tactic is sometimes called “Vishing” where emotional triggers, a sense of urgency, etc. are used to play on human vulnerabilities.  Combine that with the user, in this case, the AP Customer Service member, being the weakest link in any security system, and a basis for eliminating live phone calls can be made. 

In IOFM’s “Benchmarks: Accounts Payable Customer Service,” November 2013, it was not a question of whether Accounts Payable (AP) teams were talking live phone calls, but how many FTEs, which team members the calls were routed, how many were vendor vs employee, etc.   Fast forward to May 2018, where a question on AP customer service efficiency to IOFM Advisory Panelists met with responses revealing a trend toward eliminating phone calls in favor of vendor portals, CRM tools, email and ticketing systems. 

Now the intent is not meant to degrade support to our vendors and internal customers.  The intent is to provide great customer service using a communication method that protects both the vendor and the company from potential fraud. 

If your AP team is no longer taking calls, great.  Reply in the comments how long ago, and what method is being used to receive inquiries. 

If your AP team is still taking calls, make sure you have techniques in place that can authenticate callers. Recommended:   

  1. Authenticate each external call, vendor and employee, before discussing any vendor invoice or account information. Require that the vendor provide at least two pieces of information that a fraudster would not know, such as an invoice number and a PO number, etc.   For the employee, require that they provide two pieces of information such as their cubicle number or their next level up. 

  2.  Give the AP team members a reference for authentication.  The reference makes it easier for the AP team members to remember what information can be used to authenticate the caller. It is helpful if different combinations of elements can be used to authenticate.  Also, it can increase the potential that the AP team members will comply with the policy.  Don’t forget to include a short script to be used to explain the reason for the authentication and how to end the call when the authentication is not successful.  This reference should be treated as confidential and not be shared with anyone outside of the AP team.  

  3.  Monitor to ensure authentication is being followed by AP Team members.  Listen randomly in supervisory mode if your phone system has that feature.  Or consider recording calls and auditing weekly.  Follow-up with as needed with team members where needed and include in performance reviews if possible.  This is one area where it may be done in the beginning, however, as time passes or during busy times (like month-end or year-end) it is easy to skip to increase productivity.  What is measured improves. 

 Authentication is one of four controls to recommended to combat “Vishing”.  See Putting the AP in hAPpy Podcast Episode 2: Social Engineering: Four Internal Controls to Combat Vishing and Protect the Vendor Master File from Fraud) for a more detailed discussion and the additional controls.

Also, join me in Episode 10 of the Putting the AP in hAPpy Podcast where I interview Jason Widmann, a Director of AP, and how he developed a new tool to reduce both live calls and emails on the highest volume pain point with AP inquiries – fielding questions on the status of invoices.  And since he is from AP, he developed the cloud based software with three key elements in mind to make it easier for AP teams to implement.  Tune in to find out what they are.  The episode will be published on Monday, December 24th on and on iTunes and Google Play. 

#stayhappy #puttingtheapinhappy #Vendorsetup #vendormasterfile #accountspayable


Debra R. Richardson,


Debra is an accounts payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors and Aramark.

For the past eight years, Debra has focused on Global Vendor Maintenance, and implemented a vendor self-registration portal for 140k+ global vendors across five Accounting Systems/ERPs. In her consultancy, she focuses on internal controls and authentication to prevent fraud in the vendor master file.