What is Vendor Impersonation Fraud (VIF)?
In instances of VIF, fraudsters impersonate a legitimate vendor, supplier or contractor and contact a business, requesting to change payment account information. Although contact is made via email in many cases, other forms of contact are also used, such as a telephone call, fax, or even a letter. When an invoice is then received, payment is sent directly to the fraudster, resulting in a financial loss.
Fraudsters may create spoofed email addresses that are similar to the actual email address or even hijack a legitimate email address. To an employee not familiar with VIF, these may be difficult to spot.
Sample of actual email received by customer
Best Practices to Combat VIF
Every business entity should evaluate its internal processes and controls. Solid internal controls are key to guarding against these scams. Please consider the following practices:
- Beware of unsolicited correspondence indicating that “we’ve changed banks”.
- Carefully check the email domain (the portion after the @, including the ending such as .com) for signs that the email is spoofed.
- Never change any vendor payment information based solely on an email request.
- Educate and train employees to recognize, question, and authenticate any changes in payment instructions – using known contact information.
- Initiate payments using dual control — for example, require two people to approve payment changes. Additionally, validate and document the request using the phone number and contact of the vendor that you have on file.
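
The domain check in the list above can be partly automated wherever vendor email is processed. The following Python sketch is an added example, not part of the original advisory; the vendor domains, function names and substitution table are constructed assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample of vendor domains on file (assumption, not real vendors).
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northwind-logistics.com"}

# A few common digit-for-letter swaps; deliberately small, not exhaustive.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def sender_domain(from_header):
    """Return the lower-cased domain (everything after the @) of a From header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")

def skeleton(domain):
    """Collapse visually confusable spellings so lookalikes compare equal."""
    text = unicodedata.normalize("NFKD", domain)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(from_header, known=KNOWN_VENDOR_DOMAINS, max_distance=2):
    """Return (verdict, matched_domain); verdict is on_file, lookalike or unknown."""
    domain = sender_domain(from_header)
    if domain in known:
        return ("on_file", domain)
    for good in sorted(known):
        # Same look after normalisation, or only a character or two away.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed From headers for demonstration.
    for header in ("Accounts <billing@acme-supply.com>", "billing@acrne-supply.com",
                   "ar@n0rthwind-logistics.com", "someone@example.org"):
        print(header, "->", classify(header))
```

An `on_file` result only means the domain matches the one on record; because a legitimate mailbox can be hijacked, a payment change still needs confirmation using the phone number and contact on file.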
Sample of actual letter received by customer