
It’s Monday morning at a busy healthcare provider. The accounts payable (AP) team is knee-deep in invoices from medical supply vendors, payroll approvals, and urgent requests from department heads. Amid the flood of emails, one message stands out: a trusted supplier is updating their bank account details and needs the change made before the next payment run.

The request looks completely legitimate – the supplier’s logo is there, the email address looks right, and the message mentions an ongoing order for lab equipment. Pressed for time, the AP specialist enters the new bank account details and moves on.

Two weeks later, the supplier calls asking why payments have stopped. Only then does the team realize that they’ve been sending thousands of unrecoverable dollars to a fraudster. What seemed like a simple “to-do” has turned into a crisis that could have been avoided with stronger practices for verifying bank account change requests.

Why phony bank account change requests are harder to detect

At first glance, bank account change requests don’t seem like a major risk – after all, suppliers update their details all the time. But fraudsters have learned that AP departments, especially in healthcare, are often stretched thin, with limited bandwidth to double-check updates. This makes bank account change requests a prime attack vector. They’re routine enough to avoid raising suspicion, but if successful, can reroute funds straight into a criminal’s account.

Fraudsters are more sophisticated than ever. Their requests:

- Mimic real communications. Attackers use spoofed email addresses or compromise legitimate ones, making messages nearly indistinguishable from actual supplier correspondence. These fraudulent emails often contain the right logos, formatting, and even writing style, which can fool even experienced AP staff. As cybercriminals refine their tactics, traditional methods of spotting typos or unusual phrasing are no longer reliable.
- Exploit urgency and trust. Requests often come with a tight deadline or reference senior executives, pushing AP teams to act quickly without scrutiny. Fraudsters know that healthcare organizations prioritize patient care and supplier relationships, so they create pressure to make the request feel legitimate. This tactic plays on human behavior, creating an environment where AP and finance staff feel they cannot delay or question the change.
- Leverage complexity. With thousands of vendors, staff struggle to know every contact, making fraudulent requests easier to slip through. Fraudsters exploit this complexity by targeting suppliers who are less frequently engaged, assuming staff won’t recognize the difference. The larger and more decentralized the organization, the higher the risk of a fake request being overlooked.
- Bypass traditional checks. Simple callbacks aren’t enough when fraudsters spoof phone numbers or impersonate known contacts. In some cases, they even gain access to legitimate email accounts, meaning a callback to the “usual” contact still ends up in the fraudster’s hands. This creates a false sense of security, leaving AP teams exposed to fraud risk.

Best practices that make the difference

The good news is that healthcare organizations don’t have to stay vulnerable. By adopting stronger, more consistent best practices, AP and finance leaders can make it harder for fraudsters to succeed. These aren’t just “nice-to-have” safeguards – they’re key defenses in a world where cybercriminals are actively targeting healthcare providers for their high transaction volumes.

Here are best practices that can help safeguard an organization from phony account change requests:

- Always validate outside the request channel. Never trust emails or forms alone. Verify changes through a separate, trusted contact method. If a request comes by email, use the phone and call a known, verified contact number, not the one on the request. This step can feel small but it’s often the difference between stopping fraud and losing funds.
- Use multi-level approvals. Require a second set of eyes for all bank account changes, especially for large or sensitive suppliers. Second reviewers often catch details the first person overlooked, especially when pressure or urgency is being applied. This added control creates accountability and reduces the chance of a single error leading to major losses.
- Maintain centralized supplier records. Keep current, verified contact details in a secure system so staff always know the right person to call. A centralized database reduces reliance on memory, sticky notes, or outdated spreadsheets, which are prime sources of error. By keeping supplier data current, you make it far harder for fraudulent details to sneak through.
- Educate AP and finance staff. Regular training ensures employees recognize red flags and resist urgency tactics. Training should include real-world examples of fraudulent requests to help staff develop instincts for spotting suspicious behavior. Empowered employees are more likely to question unusual requests and escalate them for proper review.
- Adopt automated bank account verification tools. Technology can remove human error from the equation and scale protection as an organization’s supplier base grows. Automated tools cross-check requests in real time against authoritative data sources, offering a layer of defense that manual processes cannot consistently match. This gives finance leaders confidence that every request has been rigorously verified before payments are altered.

How automation helps stop fraud at the source

While best practices build a strong foundation, automated bank account verification is what takes fraud prevention from reactive to proactive. Healthcare AP and finance departments are managing hundreds or even thousands of transactions weekly, and it’s not realistic to expect human staff to manually verify every bank account change request with the same rigor. Automation adds speed, scale, and consistency to the process, ensuring no fraudulent request slips through the cracks.

Automated bank account verification provides a stronger, faster, and more reliable safeguard by:

- Instantly validating ownership. Automation cross-checks bank account details against authoritative data sources to confirm the supplier really owns the account. This eliminates guesswork and removes reliance on supplier-provided documents that can be easily falsified. The result is immediate clarity on whether the change request is safe or fraudulent.
- Reducing AP and finance workload. Automation eliminates the need for manual callbacks or back-and-forth communication. Instead, AP staff can focus on higher-value tasks like analysis and reporting. The time savings alone can make automated bank account verification pay for itself in weeks.
- Ensuring consistency. Automated bank account verification applies the same standards to every request, without relying on individual judgment or memory. Manual bank account verification leaves too much room for human error, particularly when staff are busy or under pressure. Automation enforces uniformity, making sure no shortcuts or oversights occur.
- Creating an audit trail. Automation provides documentation that proves verification occurred, essential for compliance and audits in heavily regulated healthcare environments. This record is invaluable when demonstrating due diligence to regulators or auditors. It also helps protect your organization’s reputation by showing a strong commitment to security.

A safer scenario with best practices in place

Contrast the earlier “day in the life” with one where best practices and automation are standard operating procedure. A phony request arrives, but this time the system automatically flags the request for verification, cross-checks ownership, and fails the fraudster’s attempt. The AP team is alerted, funds remain safe, and the organization avoids a costly mistake.

Instead of reacting to fraud after the fact, this healthcare provider stays ahead of it – safeguarding its suppliers, protecting its finances, and strengthening AP’s role.

Final thought

Phony bank account change requests aren’t just another check box on a fraud prevention list – they’re one of the most immediate and dangerous threats facing healthcare AP teams today. A single lapse can have devastating financial and reputational consequences. By combining staff vigilance with automated bank account ownership verification, finance leaders can transform AP from a vulnerable target into a strong first line of defense, keeping the organization focused on patient care.

Photo: kentoh, Getty Images

Phil Binkow is CEO of Financial Operations Networks (FON), developer of VendorInfo, InvoiceInfo and the Vendor Information Management Center of Excellence, a leading suite of software-as-a-service platforms that allow finance teams to onboard, verify and manage suppliers with confidence, reduce cost and risk and strengthen compliance. Prior to starting Financial Operations Networks, Phil founded and served as CEO of PayTECH, a leading electronic invoice processing, disbursements and spend analytics platform serving companies such as Oracle, Cisco, the Gap, Charles Schwab, JP Morgan Chase and NCR. Under Phil, PayTECH grew to process and pay over 100 million invoices annually. In 2002, FON founded The Accounts Payable Network (TAPN), which grew to become the world’s largest accounts payable training and certification organization.

This post appears through the MedCity Influencers program.
