Tuesday, April 28, 2026

When A Supplier Becomes a Hidden Cost Centre

The cost of this fraud? 3% of the company’s turnover. This could have been prevented by detecting fraudulent IBAN changes before payments are issued.

How Does Supplier Fraud Happen?

Supplier fraud relies on a specific mechanism. A hacker, aided by an internal accomplice who
provides information about the processes, steals the identity of an acquired company and has its
bank details changed in the victim’s accounting system. Payments are then issued to what appears
to be the correct supplier, but go to the fraudster’s accounts. The flaw is not in the payment
itself, but in the modification of the IBAN that preceded it.

How an IBAN Change Created a Silent Profit Drain

This company was going through an ERP change. As part of this transition, there was a need to
rationalise the vendor master data. The Group therefore decided it would be a good idea to launch a
mass circularisation of all suppliers to reconfirm their banking details.

However, someone within the company was fully aware of this process and knew that one of the
major suppliers would be contacted. This person passed the information to an accomplice, who was
more than happy to take advantage of the situation.

An individual impersonated a legitimate supplier and, by pretending to be them, succeeded in
obtaining a change of banking details, naturally for their own benefit. Meanwhile, the real supplier
continued sending its invoices as usual. The victim company kept paying those invoices, but the
funds were being sent to the fraudsters, not to the actual supplier.

Key Warning Signs of Supplier Bank Detail Manipulation

The issue was detected fairly quickly, as the real supplier kept requesting payment. However,
recovering the diverted funds proved to be much more difficult. The key warning signs in this case
were clear: a request to change banking details, the absence of proper IBAN verification, and more
generally, a lack of internal controls around vendor data management, even though such controls
are becoming increasingly common today.

What can organisations do to prevent this type of fraud?

It’s always difficult for organisations to control the pressure an employee is under. This is the
hardest part of the fraud triangle to impact, as pressure may come from outside. Opportunity and
rationalisation are another matter. Supplier fraud relies on the lack of automation, coupled with ad
hoc human validation. The opportunity shows itself and the rationalisation follows.

Two Ways to Prevent Supplier Fraud

  • Automate the manual update process
    In most organisations, updating a supplier's bank details remains a manual, informal process, often handled by email and without systematic double-checking. It is precisely this vulnerability that fraud exploits. To avoid creating an opportunity for fraud here, organisations must remove the reliance on manual validation and checks and replace them with automated controls. That way, any violation of the segregation of duties, any changes made by unusual users or at suspicious times/days are identified.
  • Make late discovery impossible
    In this case, the fraud was only discovered late. Many frauds run for months before being
    discovered, and this one was only revealed after several payments had been issued to the wrong
    accounts. The damage accumulated because of the lack of systematic reconciliation between the
    registered bank details and the payments issued. What the organisation needed was permanent
    monitoring that could not be circumvented. A comprehensive audit trail would also make internal
    complicity much riskier for the accomplice, reducing the opportunity for fraud.

How to Detect and Deter Supplier Fraud

  • Detection of payments to unusual or recently changed IBANs
    Flag priority anomalies. Organisations need pre-configured controls that include checks on payments
    issued to recently changed bank accounts. A payment to an IBAN that differs from the supplier's
    known history, or that has been changed in the days leading up to the settlement, is automatically
    flagged as a priority anomaly. This was exactly the pattern used in this fraud.
  • Score on consistency between an IBAN and the third party concerned
    Surface risky third parties. New technologies can issue alerts on potentially problematic
    third-party/IBAN pairs. This draws attention to the issue, especially when combined with other
    analyses which strengthen the set of indicators and the score generated for each entry.
  • Deterrence
    A lack of control leads to a feeling of impunity. Any action taken by a fraudster is fuelled by the feeling that they won’t be caught. Technology can significantly reduce this feeling of impunity by making fraud detectable, and therefore dangerous for the potential fraudster. Even with outside pressure on an employee, it can reduce the opportunity and rationalisation for fraud.

The best way to combat fraud is not only to detect it, but to deter it.
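
The detection controls listed above can be expressed as a pre-payment check. The following is an added example, not code from the article or from any product it describes. The record layout, supplier and user names, placeholder IBANs, the 30-day window and the 08:00 to 18:00 weekday business hours are all assumptions made for illustration.

```python
from datetime import date, datetime, timedelta

# Constructed sample data (not from the article): bank-detail changes from a
# vendor master audit log, prior paid IBANs, and a pending payment run.
IBAN_CHANGES = [
    {"supplier": "S-100", "new_iban": "GB00TEST00000000000002",
     "requested_by": "user_a", "approved_by": "user_a",
     "changed_at": datetime(2026, 3, 7, 23, 40)},  # Saturday night, self-approved
    {"supplier": "S-200", "new_iban": "FR00TEST00000000000009",
     "requested_by": "user_b", "approved_by": "user_c",
     "changed_at": datetime(2025, 6, 3, 10, 15)},
]
PAID_HISTORY = {"S-100": {"GB00TEST00000000000001"},
                "S-200": {"FR00TEST00000000000009"}}
PAYMENT_RUN = [
    {"id": "P-1", "supplier": "S-100", "iban": "GB00TEST00000000000002",
     "settle_on": date(2026, 3, 12)},
    {"id": "P-2", "supplier": "S-200", "iban": "FR00TEST00000000000009",
     "settle_on": date(2026, 3, 12)},
]

def review_payment(payment, changes, history, window_days=30):
    """Return the anomaly flags raised by one pending payment."""
    flags = []
    if payment["iban"] not in history.get(payment["supplier"], set()):
        flags.append("iban_not_in_supplier_history")
    for ch in changes:
        if (ch["supplier"], ch["new_iban"]) != (payment["supplier"], payment["iban"]):
            continue
        age = payment["settle_on"] - ch["changed_at"].date()
        if timedelta(0) <= age <= timedelta(days=window_days):
            flags.append("iban_changed_recently")
        if ch["requested_by"] == ch["approved_by"]:
            flags.append("segregation_of_duties_violation")
        when = ch["changed_at"]
        if when.weekday() >= 5 or not 8 <= when.hour < 18:
            flags.append("change_at_unusual_time")
    return flags

def hold_list(run, changes, history):
    """Payments to hold before release, as {payment id: flags}."""
    reviewed = {p["id"]: review_payment(p, changes, history) for p in run}
    return {pid: flags for pid, flags in reviewed.items() if flags}

if __name__ == "__main__":
    for pid, flags in hold_list(PAYMENT_RUN, IBAN_CHANGES, PAID_HISTORY).items():
        print(pid, flags)
```

Run against every payment batch before release, a check of this kind holds the payment to the changed account until the new details are confirmed with the supplier through a channel other than the one the change request arrived on.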


