Tech Scam: On Friday, December 14, 2018 the Federal Trade Commission published an article “Cybersecurity for small business: Tech support scams”. Scammers are calling and pretending to be from a well-known computer company with confusing tech talk – all to convince the employee that it’s an urgent situation. What they are really trying to do is get remote access to steal sensitive data or trick your employee to signing up for “maintenance” or “warranty” work with a business credit card.
Validation is the 2nd step in my AUTHENTICATION. VALIDATION.MANAGEMENT. process to protect the Vendor Master File from Fraud. The first Step is Authentication where the vendor data source or delivery method is confirmed. Validation is the 2nd step that confirms the vendor data is accurate before it Is entered into the vendor master file, and the third step Management, which is proactive revalidation or inactivation of existing vendor data in the vendor master file. This complete process reduces the potential for fraud in the vendor master file and also keeps it clean.
Validation is an important step. This step verifies that new vendors are real and that changes to existing vendor data is coming from the vendor. In order for this to be done you need to know what you can validate and where. In my blog post “7 Validations Using the Data from the IRS W-9 Form”, I listed 7 recommended validations for the legal name and tax id and also for the address. Here are my validation recommendations for the Invoice, Banking Form/Bank Letterhead for bank details, Contract or SOW and vendor email.
Legal Name – The W-9 may not have listed the disregarded entity or DBA, but the invoice will have the DBA. The invoice name needs to match the vendor record
Remit Address – could be different than W-9 Address. Verify with USPS or Universal Postal Union for Non-US to Non-US mail
Banking – Usually only International vendors include banking on their invoices, but can be used to
VAT# - Value Added Tax (VAT) is an International Country level sales tax that your company’s tax team may need to use to reclaim VAT that is added to invoices paid. Verify against (VAT) Number against VAT Information Exchange System (VIES)
Remit email address – add to vendor record to send remittance information to reduce inquiries to AP for how to apply payments.
Contact name/email address – confirmations – check out my blog post on “Send a Notification to Vendors After Updates in the Vendor Master File” for why collecting this information is key to reducing fraud in the vendor master file.
Banking Form/Bank Letterhead
Banking Routing #/ABA – Verify that this number whether it is for ACH or Wire – since they can be different. Verify with the Federal Reserve.
Vendor International Business Identifier Code (BIC) or Society for Worldwide Interbank Financial Telecommunication Code (SWIFT) - Otherwise known as BIC and SWIFT codes – Non-US Countries that do not require an IBAN will have a BIC Code or SWIFT code along with a bank account number.
IBAN – Can verify the format with Google, however, my recommendation is to verify directly with the vendor’s bank. Google search’s can return invalid sites. If you have one you trust, continue to use, but have the vendor’s bank as an alternative. The IBAN is required for all bank accounts in the EU countries plus Norway, Switzerland, Liechtenstein and Hungary. The IBAN is made up of a code that identifies the country the account belongs to, the account holder's bank and the account number itself.
There are also some paid subscription services out there like Accuity that offer validation for Banking Routing#’s/IBAN’s/SWIFT & BIC Codes
This last one is a paid service too. To verify the Bank Account Name and Bank Account Number matches for US accounts using Early Warning System. If you bank is participating bank or inquire directly with the Early Warning System. If not, you can use a reseller like Giact.com.
Legal Name and Tax ID
Contract # and Start/End Date
Remit Email address
Contact Name/Email Address
Authentication to verify that the information was received from a valid email and not from a phisher
Validate the domain name
Contact Name/Email Address
Items to look for within the email to ensure it is not fraudulent
Email domain to Signature
Link matches destination noted in email
Grammatical errors (becoming less common)
Want more? Listen to the podcast for seven (7) validations using the IRS Form W-9!
What did I miss? Comment below.
Debra R Richardson
MBA, APM, APPM, CPRS
Debra is an accounts payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors and Aramark.
For the past eight years, Debra has focused on Global Vendor Maintenance, and implemented a vendor self-registration portal for 140k+ global vendors across five Accounting Systems/ERPs. In her consultancy, she focuses on internal controls and authentication to prevent fraud in the vendor master file.