Collecting Vendor Data Securely: Alternatives to Risky Email

February 3, 2026

Share

The article Are Your Internal Team Members Collecting Your Required Vendor Documents?  It’s Risky” discusses the risks associated with collecting sensitive vendor information from internal team members and via risky email which can lead to payment fraud.  With the latest IRS draft version of the W-9 expected to be published with a requirement to collect certain vendor’s social security numbers, it’s a great time to implement alternative methods to collect vendor sensitive data securely.   

What Vendor Sensitive Data Is Collected Via Email?

For vendor adds and changes, sensitive data is collected to verify that the vendors are real, that their information matches regulatory sources and that their payments will be successful. This data can include the vendor’s birth date, social security number, individual tax identification number and banking details. 

For many teams collecting this information and other information required for vendor adds and changes, the method of collecting is unsecured email where it is not possible to verify the sender of the email.  Fraudsters know and take advantage of this.  As a result, they try to get access to actual vendor email inboxes to intercept this information and use it to commit identify theft or to appear legitimate for subsequent fraud attempts. 

Avoiding the collection of the sensitive data via risky email reduces the potential for fraud, and also reduces the burden from vendor team members for being responsible for detecting all fraud attempts despite advanced tools and techniques that make fraudulent emails appear legitimate. 

Alternative Methods To Email

The list below is not intended to be an exhaustive inventory of alternatives to email, nor does it replace the due diligence required to determine the best fit for your organization. Instead, it provides a high-level overview of some options that can then be used for further research to have a more detailed discussion with leadership and your IT and/or systems team, since controls, security, audit features and quality vary by systems and tools. 

Method / Option

How It’s Used

Strengths

Limitations

Vendor Self-Registration Portal

Vendor Logs info a Portal to Enter Data and Upload Documents

Login, Authentication,  Data Validations; Workflow Approvals; Audit Trail

Requires Rollout/Change Management; Not All Vendors Will Adopt; Requires IT

Secure File Upload  

(e.g., SharePoint)

Link to Upload-Only Controlled Folder

Restricted Access; Audit and Retention Controls Possible

Requires Lock Down of Internal Access and Retention

Secure Web Form

(e.g. Microsoft Forms or More Robust Platforms)

Link to Enter Data and Uploads Forms into a Secure Form

Structured Fields, Access Control, Audit Trail; Possible Case/Ticketing System

Must Add Vendor Verification (OTP/Login)

AP Automation Platform w/Document Upload

(e.g. e-Invoicing Or Document Management Portal)

Existing Vendor Submit Onboarding Documents the Same Way they Upload Invoices

Centralized Vendor Interaction; Workflow Approvals; Messaging May be Available

Must Restrict Non-Vendor Team Members Access to Vendor Documents

Secure File Transfer (SFTP) Protocol

Link to Upload Forms

Strong Protocol; Per Vendor Credentials; Logging

Less User-Friendly; Requires IT, Needs Identity Governance

eSignature Platform

(e.g. Docusign)

Link to Sign Package and Upload Documents

Tamper-Evident Audit Trail; Signer Authentication Options; Controlled Package and Workflows

Not Best For On-Going Uploads

Secure Email

(e.g. Mimecast)

Vendor Logs In to Reply to Email and Upload Documents

Vendor Team Selects Specific Email to Send Secure Email; Ability to Use Embedded Fields to Eliminate Forms

Still Email-Based

Lights On with solid fillSecure Email Experience Highlights:  The secure email platform allowed the use of embedded fields within the body of the email.  Embedded fields were added to collect banking information eliminating the need for a separate vendor banking form.  This may not be an option if your organization requires a signature on the form.  Embedded fields were also used to collect personal information from those that require payments, but that did not require an IRS Form W-9, such as job candidates whose expenses were reimbursed.  Secured email providers may have additional features that can eliminate the need for forms to resolve other pain points in the vendor process.

Conclusion

Relying on email for collecting sensitive vendor information exposes organizations to significant risks, including vendor identity theft and payment fraud. As regulatory requirements evolve, particularly with the anticipated changes to the requirements of the IRS W-9 form, it’s a great time to look at more secure methods to collect vendor sensitive information.  While no single solution fits all organizations, exploring and implementing more secure options not only enhances data protection, but also reduces the burden of fraud detection on vendor team members.

Resources

  1. Draft IRS Form W-9:  IRS Draft Forms Page
  2. IOFM Article:  “Are Your Internal Team Members Collecting Your Required Vendor Documents?  It’s Risky”

Subscribe to our Monthly Insider

You may unsubscribe from our mailing list at any time. Diversified Communications | 121 Free Street, Portland, ME 04101 | +1 207-842-5500