Call-back controls are among the most important measures to mitigate your organisation’s exposure to the risk of fraud. Unfortunately, call-back controls can also be a drain on your Accounts Payable (AP) team’s limited resources. Despite the fact that call-backs are time-consuming, the risk of irretrievably transferring funds to a fraudster make call-backs an indispensable security procedure.
In this blog, we will examine why call-back controls are essential, when your AP team should be conducting call-backs and the best-practice procedures they should follow.
Call-backs are an essential security control that help Accounts Payable (AP) departments ensure they are paying invoices to the correct payee. Both fraud and error can occur within an AP team, resulting in incorrect bank account details being entered into an ERP system, Vendor Master File or in the text-based ABA files that are used to upload bulk payments to online banking portals. Prior to processing EFT payments to suppliers, it is necessary to conduct a call-back to verify that the banking details in your systems are accurate. Call-backs help prevent these kinds of problems by verifying whether your information in external sources like banks is accurate before allowing transactions to go through.
Call-back controls are a way for your organisation to verify that the bank account details provided by a supplier are accurate.
Nowadays, most suppliers are paid by Electronic Funds Transfer (EFT) payments. Whilst this can be a very efficient way to pay your invoices, EFT payments carry some significant risks. Chiefly, banks do not match the Account Name with either the BSB or Account Number when you process an EFT payment.
Imagine you need to make a payment to a supplier called XYZ Pty Ltd. Their Account Name for their bank account is predicably XYZ Pty Ltd. No surprises there. However, how can you be certain that the BSB and Account Number in your records are correct?
Many AP teams assume that if the Account Name does not match with either the BSB or Account Number, the payment won’t go through. This assumption is not correct.
When processing an EFT payment, the Account Name field is just a comment field. Irrespective of what is written in the Account Name field, the funds will be sent to the BSB/Account Number entered.
If an incorrect BSB/Account Number is entered, whether due to error or fraud, the funds will be sent to the wrong recipient. The chances of you recovering those funds is very low.
That’s why you need to make sure you are using accurate bank account details when processing EFT payments. That’s where call-back controls come in.
Call-back controls are a way to verify with your suppliers that the bank details you will use to send them EFT payments are accurate.
Typically, when your AP team is onboarding suppliers into your ERP or Vendor Master File, the supplier will provide you with the banking details you need to use to remit payments for goods supplied or services rendered. These are usually provided via email or contained in an invoice.
The problem with this is that sophisticated hackers may breach a supplier’s email account. This can pave the way for them to manipulate the BSB and Account Number. When your AP team makes an EFT payment, the funds end up being sent to a bank account controlled by the fraudster.
This type of scam is known as Vendor Email Compromise (VEC), and instances of VEC attacks are on the rise. That’s why it is essential to conduct call-back verifications whenever you are onboarding a new supplier into your ERP system of Vendor Master File.
Apart from conducting call-backs when you onboard a new supplier, you should also conduct call-backs any time an existing supplier requests that you change or update their banking details in your records.
Organisations change bank account details for a variety of reasons. Sometimes, a supplier will change banks, and their old account will be closed. Sometimes the company will change its legal structure, necessitating a new bank account. Occasionally, the supplier may have experienced a fraud resulting in them changing bank accounts.
All AP teams will need a process to handle suppliers changing or updating their bank account details. Just as when you onboard a new supplier, there are risks associated with updating an existing supplier in your ERP or Vendor Master File. Whenever a supplier emails you requesting a change to their banking details, it is essential that your AP team conduct a call-back verification.
Another concern for AP teams is the rise of the Business Email Compromise (BEC) attack. This is when a hacker gains access to the email account of a senior representative of your organisation, typically the CEO or CFO. In these types of attacks, the fraudster impersonates the CEO or CFO by sending an email from their email account to your AP team, requesting a payment be made, usually in a hurry.
Such requests should never be complied with unless a call-back verification has been undertaken. All too often AP teams will unquestioningly comply with such requests, as they supposedly come from a senior leader within your organisation. However, this would be a mistake. Having clearly defined call-back policies in place will reduce your exposure to BEC attacks.
So, in short, any time you onboard a new supplier, update an existing supplier, or receive any payment request, your AP team should conduct a call-back verification.
The most important rule when implementing call-back controls in your organisation is to NEVER blindly trust the information contained in an email, whether in the body of the email itself, or within an invoice attached to an email.
Email is simply too vulnerable to hackers to be trusted.
Call-back controls are all about verifying the accuracy of information that you have received via email. By calling the individual and verifying that the payment details are correct, your AP team is plugging the verification gap that exists as a result of the banks not matching the Account Name to the BSB or Account Number.
However, just as bank account details can be manipulated in emails, so too can contact details. That’s why one of the most important security measures requires your AP team to independently source the telephone numbers they use when conducting call-backs.
Never trust the telephone number in an email. Fraudsters are increasingly sophisticated and will design fake invoices to look identical to the real deal. The same is true of email signatures. However, they are known to enter their own telephone numbers. When unsuspecting AP staff call the telephone number in the email to verify the payment details, they are in fact speaking with the fraudster, rather than with the legitimate payee.
So, the most important thing to remember when conducting call-backs is to independently source the contact telephone number from the supplier’s official website. Your AP team should never click on any links to the website from an email or invoice. They should open a new browser and manually type in the payee’s website. They should then call the organisation’s switchboard using the official telephone number listed on the website and ask to be put through to the relevant individual in the Accounts Receivable team.
Another critically important point is to NEVER trust incoming calls. If you receive a call from a supplier asking you to update their bank account details, you should advise the caller that you will return their call. Once again, go to the organisation’s official website, call their switchboard using the telephone number listed on the website, and ask to be put through to the relevant individual. Fraudsters regularly try to deceive AP teams by calling them.
Whilst many organisations have implemented call-back controls, they rarely conduct them according to industry best-practices.
All too often, AP teams cut corners when it comes to undertaking call-backs because they are time-consuming and manual. For any busy AP team, conducting call-backs eats up their valuable time that they should be dedicating to other pressing priorities.
Some of the challenges associated with AP teams conducting call-backs include:
AP teams must never trust the telephone details contained in emails or invoices. Your AP team should always independently source a payee’s telephone number from their organisation’s official website.
Fraudsters are known to place calls to AP teams in an attempt to deceive them into transferring funds to a bank account under their control. It is essential that AP teams never blindly trust information they receive from inbound calls or voice messages.
AP teams must ensure they are asking the right questions when verifying banking details. Some organisations require a supplier that is seeking to update their banking details to not only confirm their new account information, but also the old bank account details and details of previous EFT payments. This helps ensure that your AP team member is speaking to the actual supplier and not an imposter.
With fraudsters adopting new tactics on a regular basis, it can be challenging for AP teams to identify fraudulent activities. This requires ongoing training, starting with being able to identify the key indications of fake emails. Being on the lookout for a fake email domain, poor spelling and grammar, or urgent language are all indicators that something is wrong and further investigation is required. Another concern is the emergence of DeepFakes whereby a fraudster uses the latest technologies to synthetically mimic the voice of an individual, usually the CEO or CFO. These can be very challenging for AP staff to identify.
As mentioned previously, it is essential that you implement call-back controls every time you onboard a new supplier or update an existing supplier.
However, as many organisations will realise, best-practice AP processes require Continuous Controls Monitoring (CCM). This means that you should have processes in place to verify supplier information on an ongoing basis. This is particularly true if a significant amount of time has lapsed between when a supplier was onboarded and when your AP team is processing an EFT payment.
Many organisations have hundreds, if not thousands, of suppliers in their ERP or Vendor Master File. Many of those suppliers may have been onboarded months or years earlier. During that time period, hackers may have maliciously breached your systems and manipulated banking details. Alternatively, financially-motivated staff may have fraudulently altered banking details.
That’s why you should not assume that all details are correct at the time of payment, even though you verified that the details were correct at the time of onboarding.
However, implementing call-back controls right at the time when your AP team are processing EFT payments within your online banking portal is logistically impossible.
That’s where a system like eftsure can help. eftsure is a system that sits on top of your ERP or online banking portal and allows you to verify a supplier’s banking details in real-time as you are about to process an EFT payment. This ensures that the banking details you are using align with the details used by other organisations when transferring funds to the same supplier.
Using technology in this way gives you a level of assurance that manual call-back controls cannot achieve.
To learn more about industry best-practice when it comes to managing your AP function, read out 8-Step Procure-to-Pay Guide.
Faster payments are part of our every day – but cybercriminals are exploiting the system. Discover how you can reduce the risks in your business.
Tired of yet another unwanted message in your inbox? Here’s how to reduce spam emails and text messages.
Find out what biometric verification is and why it’s important – especially in a new AI-powered era.
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.
