Vendor master file blunders caused a $2.7M loss for a company whose insurer refused to cover most of the loss. At the root of the loss was the company’s inadequate response to a phishing email. A few simple best practices could have prevented the loss. (See Future Electronics Inc. (Distribution) Pte Ltd. c. Chubb Insurance Company of Canada, 2020 QCCS 3042 (CanLII)).
A vendor master file is the software module that stores descriptive and permanent data for a vendor. Vendor master file information includes the vendor’s payee name, address, contact person and coordinates, HST number, and banking information for electronic funds transfers.
Between October 2016 and January 2017, a phisher masquerading as a legitimate vendor duped Future Electronics Inc. (Future) into sending the fraudsters four payments totalling about US$2.7M.
Fraudsters masquerading as the chief financial officer (CFO) of Exar, a bona fide vendor, first emailed an accounts payable (AP) executive at Future, claiming that Exar was changing its banking details. The fraudsters asked the executive to confirm receipt of the email to receive new banking information. She complied. She had never communicated directly with Exar’s CFO before.
Over the next several months, the fraudsters requested a series of changes to banking and payee information. As was its practice, Future sought formal change request letters, and the fraudsters sent an “official letter” to support each of the requested changes. As was its practice, a senior AP official at Future approved each of the changes. Future effected the changes and exchanged several emails with the fraudsters about remittances, payment confirmations, and other information.
The fraud unravelled when the usual contact person at Exar complained that several of Future’s AP balances were more than 90 days overdue. Future discovered that Exar had not requested the fraudulent changes, had not provided any “official letter”, and that Exar’s CFO had never emailed Future. The email address the fraudsters used was not Exar’s CFO’s correct email address.
Future claimed against its insurance policy. Future’s insurer, Chubb Insurance Company of Canada (Chubb), covered only US$50,000.00 of the loss under a limited Social Engineering Fraud endorsement to the policy. Chubb refused coverage of the remaining loss under more extensive Computer Fraud Insuring Agreement and Funds Transfer Fraud by a Third Party components of the insurance policy.
With a few of the best practices below, Future could have dodged the hoax.
Meeting your duty of care
Verify vendor information at the time of initial vendor master file setup. Thereafter, rigorously vet any change requests before making them.
Future’s request for an “official letter” for each change and approval of the changes by a senior AP official—although best practices—were inadequate and were not executed properly. The best practices below illustrate why:
- Set up authorized vendor-contact information: As part of the initial vendor setup, record the name and contact information for the person responsible for confirming change requests and other vendor communications.
- Be skeptical: Be wary of any request to change banking, payee, or similar information. Assume that all change requests are fraudulent until proven otherwise.
- Respond to red flags: Resolve any anomalies associated with change requests. The first red flag in the case above was the request for a change. Another red flag was the request from the CFO. Fraudsters often masquerade as a senior executive of the victim or originator to add an air of authenticity, importance, and urgency to their request. In the case above, the purported CFO email was anomalous because the CFO had never emailed the AP executive before and was not the executive’s usual contact person at Exar.
- Pick up the phone: Confirm change requests by phone. Had Future’s AP executive picked up the phone and called her usual contact at Exar, she might have immediately discovered the deception. Ironically, the AP executive had been communicating with her usual contact on matters other than the fraudulent banking changes and payments.
- Do not use the contact information in the change request: Never use the contact email, address, or phone number provided in a change request without verifying it. Never reply to the email received. Instead, determine the email address from a reliable, independent source. For instance, type in the desired email address recorded in the vendor master file or your email address book, or have someone at the vendor provide a legitimate email address. In the case above, the fraudsters did not use the CFO’s correct email address. Had Future ascertained and used the CFO’s valid email address, it may have detected the fraud sooner.
- But beware of the hacked recipient account: Fraudsters sometimes gain access to legitimate email accounts and surreptitiously respond to authentication requests sent there. For this reason, phone validation is often better than email-only validation.
- Request authentication information: Ask for information to corroborate the authenticity of the change request. For instance, ask about the last transaction with the vendor, a specific vendor transaction, the vendor’s current banking information, and other corroborative details.
- Vendor portals: Some software systems include a vendor portal, allowing vendors to update their payment and other vendor information. The portal eliminates the need for the payor to validate changes.
- Manage risks with insurance policies: Understand the scope of insurance coverages before you need to rely on them. The court in the case above agreed with Chubb that the computer fraud and funds transfer fraud provisions did not cover Future’s loss, based on the wording of the policy. Instead, Future had only limited coverage under its social engineering endorsement and could only recover US$50,000.00. Failure to understand insurance coverages could result in insufficient risk transference to insurers.
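The controls above can be applied mechanically before a change reaches the senior approver. The screening routine below is an added illustration, not code from the article or from PolicyPro; the vendor record, field names and request are constructed sample data, and the callback number always comes from the master file, never from the request.

```python
from dataclasses import dataclass, field
# Constructed sample vendor master record (hypothetical data): the authorized
# contact and callback number were recorded at initial vendor setup.
VENDOR_MASTER = {
    "V-001": {
        "domain": "example-vendor.test",
        "authorized_contact": "ap.contact@example-vendor.test",
        "callback_phone": "+1-555-0100",  # from setup, never from a request
    }
}

# Changes to these fields are assumed fraudulent until confirmed out of band.
SENSITIVE_FIELDS = {"bank_account", "payee_name", "remit_address"}

@dataclass
class ChangeRequest:
    vendor_id: str
    sender_email: str
    fields: dict                    # field name -> requested new value
    claims_executive: bool = False  # e.g. purports to come from the CFO

@dataclass
class ScreeningResult:
    red_flags: list = field(default_factory=list)
    verification_phone: str = ""    # always taken from the master file

    @property
    def hold(self) -> bool:
        return bool(self.red_flags)  # any flag holds the change until a phone check

def screen_change_request(req: ChangeRequest) -> ScreeningResult:
    """List the red flags an AP reviewer must resolve before applying a change."""
    result = ScreeningResult()
    record = VENDOR_MASTER.get(req.vendor_id)
    if record is None:
        result.red_flags.append("unknown vendor id")
        return result
    result.verification_phone = record["callback_phone"]
    touched = SENSITIVE_FIELDS & set(req.fields)
    if touched:
        result.red_flags.append(f"sensitive fields changed: {sorted(touched)}")
    sender = req.sender_email.lower()
    if sender.rsplit("@", 1)[-1] != record["domain"]:
        result.red_flags.append("sender domain is not the vendor domain on file")
    elif sender != record["authorized_contact"]:
        result.red_flags.append("sender is not the authorized contact on file")
    if req.claims_executive:
        result.red_flags.append("request purports to come from a senior executive")
    return result
```

A request that changes banking details from an unfamiliar executive address, as in the Exar case, produces three flags and a hold, while a routine contact-phone update from the contact on file passes with none.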
Log in to Finance and Accounting PolicyPro; the next release will include a new policy entitled FN 2.16 – Vendor Master File Controls.