W-9 Collection: Five Bad Habits Putting Your Vendor Data at Risk

In this episode, Debra Richardson joins host Grace Berube to discuss the year-round importance of W-9 collection and what a new IRS draft form could mean for AP teams. The key change in the draft: sole proprietors, who previously could supply either a Social Security Number or an EIN, would now be required to provide only an SSN — potentially triggering a mass recollection effort from existing vendors. With sensitive data like SSNs on the line, Debra walks through five common but risky habits AP teams fall into when collecting W-9s, from using unsecured email to routing documents through internal team members, and explains why each one creates real exposure to fraud and data breaches.

What you'll learn in this episode

• When and why you need to collect a new W-9
• The key difference in the draft W-9: Why the IRS's new SSN requirement for sole proprietors is a bigger deal than a typical form revision
• Why collecting W-9s over standard email is risky — including identity spoofing, misdirected messages, and more
• How a mass email outreach can go badly wrong — specifically, the CC vs. BCC mistake
• Why routing vendor documents through internal team members is a security risk and what to do instead

Debra Richardson
Accounts Payable Consultant | Speaker | Trainer – Debra R. Richardson, LLC

Debra is an Accounts Payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors, and Aramark.

For over a decade, Debra has focused on Global Vendor Maintenance.  As an Senior AP Manager at a Global 15 company she lead a team of 17 that over 2,000 vendor requests per month and maintained 140k+ global vendors across seven ERPs. In her consultancy, she focuses on working with vendor teams to add authentication techniques, internal controls best practices and vendor validations to reduce the potential for fraud, compliance fines and bad vendor data in the vendor master file.  She is the President of the Central Atlantic Region IOFM Chapter and the IOFM Ask the Expert for the Vendor Master File Category.  

A Certified Fraud Examiner (CFE), Debra works with vendor management teams to clean their vendor data and update their vendor processes so they pay the right vendor.

She has a YouTube channel where she posts vendor master file tips every Tuesday and hosts a weekly podcast: “Putting the AP in hAPpy”. 

Grace Berube
Senior Content Manager, IOFM

Grace is the Senior Content Manager at the Institute of Finance & Management (IOFM), where she has led content strategy and development since 2022. In this role, she oversees all aspects of IOFM’s digital and event-based content, ensuring it remains timely, relevant, and actionable for all financial operations professionals.

Grace manages IOFM’s robust library of site content, leads the organization’s editorial and member webinar programming, and hosts IOFM’s podcast series. She also oversees a team of subject matter experts who contribute thought leadership and educational articles. In additional, Grace curates and manages all speaker content for IOFM’s in-person and virtual events, ensuring consistency and quality across every touchpoint. With nearly three years in the role, Grace brings a deep understanding of the financial operations landscape and a passion for delivering content that empowers professionals to excel in their roles.

Transcription

Grace Berube: Welcome to the IOFM podcast. This is a podcast for accounts payable and accounts receivable professionals who want to stay in the know with current AP and AR trends and ideas. We’ll be interviewing professionals in this space on a wide variety of subjects, including automation, artificial intelligence, career growth, compliance, leadership, and much more.

Hey there, Debra. How's it going? 

Debra Richardson: It's going just fine. We're recording this January, when I know folks may be busy generating those 1099s.

00:00:44

Grace Berube: Oh, yeah, we're definitely in the height of the busy season. This is also probably the first episode of season one of the new IOFM podcast, so had to have you on. Thank you so much for joining us. Yeah, we're talking about a very important topic that's relevant for the season that we're currently in, but also really relevant year-round. We were chatting a little bit ahead of this recording.

Debra Richardson: Yeah, so collection of the W-9 is a year-round activity, especially when you talk about related to the 1099s and generating those, because you have to have accurate information, that legal name, tax ID. You need to have both and they need to match IRS records, and so the collection of those for U.S. vendors is very critical year-round so that your 1099 process can go smoother.

00:01:45

And what's funny is during this process, Grace, everyone figures out where their gaps are because they'll notice that some [unintelligible] are missing, tax IDs are missing. It's like, what the heck? 

Grace Berube: I feel like that happens to a lot of people. We also chatted before this call. We're talking today about bad habits that can happen during this collection process. You said it's probably happened to you in the past, so if it's happened to you, I'm sure that it's happened to a lot of the people who are listening to the episode today, as well.

00:02:20

Debra Richardson: Yeah. And so we want to first kind of talk about why they may have to collect the W-9, especially related to the—as of this podcast publishing, the draft W-9 that hasn't been published yet, but why you might have to collect it, and then we'll talk about some bad habits when you are collecting them. Sometimes they can't always be helped because AP doesn't always get the tools that they need. So I just wanted to point out some that you need to make sure you're not doing—not [that this has] happened to me. [chuckles] No comment.

Grace Berube: Right, no comment on that. No, we're very excited to get into it. So, yeah, let's start with why you might have to be collecting those W-9s, especially related to the new information that's been passed.

00:03:17

Debra Richardson: Yes. And so, first of all, it's new vendor setup. Most folks are collecting it at the time you're setting up vendors. Every now and again, though, I'll meet some vendor management or accounts payable team members or departments that are really not collecting it. But, for the most part, everybody's collecting the W-9 for new vendor setup, and that's great because that's how you get the tax ID, that's how you get their legal name, and then, of course, you do need to make sure that you're validating that the tax ID and legal name combination matches IRS records.

00:03:57

So, yes, you would collect that at new vendor setup. We do that validation. Another time you may need to collect it is with an existing vendor change. You may not think about collecting a W-9 at that point, especially if they're not changing their tax ID or their legal name that they have notified you about. But a lot of times vendor banking, like if they have a legitimate bank change, sometimes that bank change was triggered by the fact that they changed their tax ID or they were acquired and now they have a new legal name and tax ID. So they may not know that you need to have that information, too. They just want to make sure their payments are going to get to the new bank account. 

00:04:50

So it could be—I do recommend that you collect it at any existing vendor change or for any change to an existing vendor. So those are two times that, again, year-round those are great to make sure that when you get to 1099 processing, you don't have any issues with bad data. So that's good. 

And then the third one is the one, Grace, you talked about, broached on, which we talked about earlier, the draft IRS Form W-9. The IRS published this draft form on September 17, 2025. And as of right before our recording this podcast, it is still in draft status, which means if you search or go on the IRS website, you look up the W-9, it still has the revision of March 2024, which is the current version of the W-9. 

00:06:06

The last time they updated or published a new version of it, it was quite a while for it to come out, because I think draft version was—originally, the first draft version was published or was issued July 26, 203, and we didn't get the final version until March of 2024. So that was a long time coming. Hopefully they'll do the same thing with this one because who wants the headache of a new W-9 coming out during tax reporting season? 

Grace Berube: The worst possible time.

Debra Richardson: I know. I don't even know why they would do that. It freaked a lot of folks out because it's like, oh, do we have to deal with that, too, during January? Luckily, it hasn't been published yet, so there you go.

Grace Berube: That's good.

00:07:00

Debra Richardson: Yeah, but this one is a little different because this one—well, let's just back up. Normally, with a new version of the W-9, when it's published, unlike the W-8 where the IRS gives you a six-month grace period, they don't do that with the W-9. It is immediately like into play. The next W-9 you collect needs to be that newest version. But I've always said, unless you know there is something that has changed with a vendor, you don't need to go back and collect that new version of the W-9 from all of your existing vendors. And so that's okay. Just collect it going forward, even though you're going to get some frustration, some pushback, because no one wants to go back and redo something that they already have, especially if their information hasn't changed. But all in all, it's not as bad because you don't have to collect it from existing vendors.

00:08:11

This one, however, is a little different. You may determine that you have to collect it from existing vendors because the difference with this one that affects the vendor team, and it may also affect your tax year 2026 reporting, is that the IRS is now requiring a Social Security Number where they used to accept either the Social Security Number or the EIN for sole proprietors. That's the biggest difference. 

And can I just say, Grace, that they could've actually did this on the last one. I don't know why they waited. It was like an easy language change. There's a little box that says, if you are this, then give the Social Security Number of this person or entity, or EIN of this entity. 

00:09:20

When it comes to that first tax class that is individual/sole proprietor—both an individual and sole proprietor. A sole proprietor is just an individual that has an unincorporated business. They could both have a Social Security Number and an EIN, but the IRS has always said that an individual is supposed to give you an EIN. But with the sole proprietor, they gave them the choice. They said that a sole proprietor could give either a Social Security Number or an EIN, but they preferred the Social Security Number. 

00:10:01

In this new language, they say that a sole proprietor must give their Social Security Number. That's the difference. If you look at the W-9 Form from March 2024, that language—because it's a little footnote in that grid that they have. And then that same footnote with the draft version January 2026, that's the difference. There's a sentence on the existing one that says you can give the Social Security Number or EIN, but the IRS prefers the SSN. And then in the draft version it says they must provide a Social Security Number. 

00:10:54

But again, it's one little line change that they could've put on the last one because every time they change things, again we go through friction trying to collect the new ones. And we got a little spoiled because before the March 2024 version, the latest version was October 2018. So we had a lot of time where we didn't have to worry about it. There have been other changes that were within a year or two or something, but we had a great six-year run, so there you go. 

The thing about this one, where with the prior ones you don't worry about collecting a new version of the W-9 when it's published from your existing vendors. The difference with this one is that because you now know that for folks that are vendors that are in that first tax class of individual/sole proprietor, that you need to collect a Social Security Number, whereas, in the past, they may have provided you (as was the instruction) instead of the Social Security Number, the EIN, their employer identification number. You now know that you need to collect the Social Security Number, so do you go back then and look at all of the vendors in your vendor master file that are in that first tax class that gave you an EIN, and then go back to them now because the requirements have changed, and now collect that Social Security Number? 

00:12:38

That might be something that you may need to discuss. What we hope is that the IRS, when they publish it—if they ever publish it. They probably will, but when they do that they provide clear instructions. 

Grace Berube: Sure.

Debra Richardson: So the IRS doesn't always provide clear instructions, and so sometimes it's kind of based on the interpretation. So I would say, when that W-9 is published, if it's published, to make sure that you have that conversation with your leadership, with your tax professionals, to make sure that you're doing what's right for your company. But I will say that if you do determine that, yes, you need to collect it—I'm sure most folks will—then you need to make sure that you're not collecting it in a way that puts your vendor's sensitive data at risk, either because of the new W-9 coming out, or just in general with new vendor setup and existing vendor change.

00:13:43

And so I've seen these five bad habits that we're going to talk about in the collection process that absolutely put your vendors' sensitive data at risk, especially when you have to mass collect, which when this W-9 comes out, if it comes out as-is, that triggers like a mass collection. There are just some things the teams want to make sure they avoid doing so that, again, they don't put their vendors' sensitive data at risk. Because at this point, if that happens, especially with the mass collection, you are definitely collecting Social Security Number, which is definitely sensitive personal information. 

00:14:27

Grace Berube: Right, absolutely. So what are those five bad habits? Take us through the first one.

Debra Richardson: Okay. And again, I just want to preface this by saying, these may or may not have happened to me.

Grace Berube: Right. Please the Fifth.

Debra Richardson: All right, so the first one is something we're probably all familiar with and just couldn't help because you don't have any other tools, but it is collection via unsecured email. That's your regular email. That's because email, in itself—I read somewhere that email was never meant to be a secure process, so it really is not a secure document exchange method. But it's something that we all have and if we have to get the vendor set up using email, then that's all we have to get the documents.

00:15:31

So what's wrong with email? Why is it so risky? Well, the first thing is that there's really no way to confirm who the actual sender is, especially in today's climate where fraudsters can be in your vendor's actual email inbox. And so if that's the case, if you're collecting as a part of this effort to get their Social Security Number, then the vendor or the fraudster may have access to that. Plus, the fraudster can follow that up with, "Hey, as long as you're updating my Social Security Number or my tax ID, I want to report a bank change." 

00:16:21

So you're already in the mode of updating and so fraudsters may take advantage of that and try to submit a change of remittance, either banking details for electronic payments or remittance address so they can divert checks. They may take advantage of it. And why not? So that's always an issue. 

00:16:53

Plus, beyond that, you can have misdirected emails. So it could be that your vendor is going to CC the person at your company that they are doing business with, so now an internal team member has access to a Social Security Number that they have need for. So why expose it to them? So it's just a weak access control. 

And then I've heard about—and we used to have it, too, when I was a practitioner—email encryption, where end-to-end you can convert that email into unreadable code so it only goes to the intended recipient. But the problem with that is that when the vendor sends that back, unless they are configured the same, when they send that W-9 back that contains the Social Security Number, it may not have the same encryption with it. That's just exposing it. It can be unencrypted, so it just, again, exposed that sensitive data. 

00:18:12

Grace Berube: Got it. That makes sense.

Debra Richardson: So that's one. And then another thing—and this also goes through email. I've seen where they have this process in place that password protects a document. So you'll send a password-protected document. Let's say your vendor sends that to you, a password-protected W-9. And then they'll send the password via another email. I will say that this is something that way back in the day—I don't know if it was even secure back then, but it was done a lot. I don't know if anyone's still doing it today, but, if so, that's really not—I don't know if it was secure back then, but it definitely is not secure now with fraudsters being in our emails because they can get to both.

00:19:12

Grace Berube: Right.

Debra Richardson: Again, not sure if that was ever a secure way of protection. But another thing surrounding email is with shared inboxes. I see this a lot. You may have a small AP team and you've got some team members that are doing invoicing, some team members that are doing vendor setup and maintenance, and all of that information—all the documents, the invoices, the vendor documents, including the W-9—is coming to this one shared AP inbox, like a shared inbox.

00:19:55

The problem with that is that the team members that are processing invoicing, post the invoices, they have no need to see the W-9 that could have that Social Security Number on it. They just don't need to see it. It's just opening it up to either internal fraud, especially if you're collecting banking details, too, because that information can be intercepted and updated. So it's easy access for internal fraud, but it also opens them up to be—if they were social engineered, now they can be social engineered out of sensitive data that they didn't need to have in the first place. 

00:20:42

So I see that a lot. I always recommend, if you're using email to collect documents or even just for inquiries, separate them. Have a separate email inbox, shared inbox, for the team members that just do the vendor setup and maintenance process. That protects any information that's coming in by email from other team members that just don't need to have access to it. 

Grace Berube: Totally. That makes sense.

00:21:19

Debra Richardson: So that was the third one. And then the fourth one—this one, again related to emails, is when you're sending emails, when you're doing that, let's say the IRS does publish the draft W-9 today as-is and you determine or your company determines that, yes, you do need to collect the new version of the W-9 from all of your existing vendors that are that first tax-class individual/sole proprietor and they gave you an EIN. And so now you've got to go back and collect the Social Security Number.

I consider that a mass collection and so what I have seen happen is—you know when you're sending an email to multiple team members, but you don't want them to know who's on the email or have each other's email address, but you want to just send one email to everyone, and so you BCC them and maybe put your email address in both the—it's going to be in the sender's email anyway, but maybe you put your email address in the CC, or however that's done so that you don't disclose who else is on the email string. Except, invariably, somebody somewhere is going to forget that part, and instead of BCC'ing—you have to actually reveal the BCC sometimes in your email in order to see it—everybody gets CC'd and then it goes out. 

00:23:11

That's not good because, one, some of your vendors are going to blast back and they're going to be very angry because now all of the vendors on that email string have all the other vendors' emails that could be used for God knows what, or whatever other purposes. They will point that out very angrily. That's one reaction. 

The second one is you can get some vendors that will happily reply—reply all, by the way, with their W-9 that has their Social Security Number on it. 

Grace Berube: Oh, my gosh.

Debra Richardson: And then happily asking if you need anything else.

Grace Berube: Oh, my gosh.

Debra Richardson: Yes, that happens. It's not a feel-good moment when it happens. You do have to get through it, but that's another bad habit. And this is one that is probably the least intentional because nobody intends to do that, but it can happen and it has happened. That's another reason just not to use email.

Grace Berube: So many big email problems here. It's like that's the common denominator.

00:24:44

Debra Richardson: Yes. But the last one, number five, doesn't necessarily have anything to do with email, but I will tell you a lot of accounts payable or vendor teams use this method of collecting documents from vendors in order to add new vendors or update existing vendors, and that's collecting the documents from the internal team members. This is where the internal team members that are doing business with the vendors will collect the vendor setup forms, which, again, can include the W-9, or should include the W-9 that can have their Social Security Number on it.

But the problem with that is you don't really know who or where those documents came from. I mean, for all you know, they could've come from crook.com, or they could've been social engineered, or could be social engineered, and now they have the sensitive documents—not just their Social Security Number, which is really bad, but they also have the banking information 'cause they're collecting it. 

00:26:02

Normally, when I talk about the vendor process and avoiding fraud and fines and bad vendor data, the first thing I talk about when anyone asks about internal team members is I talk about removing them from the process. It doesn't mean you can't get the vendor contact information from them. You can, but then you take that contact information—which is great because we always have the right contacts for AP, so we're getting it in that process—and then the vendor team will reach out to the vendor and collect the documents. So you still need the internal team member because you still have to get the folks that you need to deal with, but then get that contact information and reach out to the vendors directly. 

00:26:56

I will tell you this, Grace, we learned that the hard way when I was a practitioner. We were already putting in a vendor self-registration portal, and as a part of that months-long process, we did just some meetings with stakeholders that submitted the majority or large volume of W-9s to us. So what we didn't know is—because that group was collecting the W-9s and the other documents we required (before we got to the portal), what we didn't know was that, number one, they were keeping all that data, all those forms, the W-9s, banking forms, in unsecure fashion on their C drive or on their desktop. 

00:27:51

They don't get rid of that information or those forms, especially if you had to go back and forth and back and forth until you got a good one, because they don't want to have to go back and get it again. And so they're saving that information. And not only that, this one group, they built an access database to put all that information in. We're like, you're doing what? So then we had to go and get our data governance team involved because they were saving sensitive information in an unsecure database. It was like, you're doing what? 

00:28:34

So I always say, make sure you take the internal team member out of the middle of the process and you deal directly with the vendors. That would especially be true if you are collecting the W-9s because or as a result of this new W-9 being issued, and you have to collect the Social Security Number, which is like the ultimate of sensitive personal information. 

Grace Berube: Yeah, I think those are all really, really good tips. You also wrote an article for us that kind of outlines a little bit more, so talk to us about that. That should be on the website right now.

00:29:13

Debra Richardson: Yeah, so I'm giving you all of these bad habits that can put your vendors' sensitive data at risk, but I also wanted to provide some recommendations for how you can collect that information securely or really any of your vendor documents securely, outside of risky email. Now, it doesn't mean that you can't use regular email for instructions or things that don't reveal any sensitive data. But when it comes to collecting it, you need to have a different process for that, maybe even different tools.

00:30:01

And so that is what I will talk about, or I'm talking about, in the article as well. It's great to know what you shouldn't be doing, but you should also know what else is out there to replace these bad habits and things that would be considered secure collection, which means they have identify verification. It's a controlled submission. There's restricted access. You get none of that really with email. And you also need to make sure you have an audit trail as well. We'll put a link to that, right, Grace, in the show notes for the podcast? 

Grace Berube: Yes.

00:30:45

Debra Richardson: Then go directly from this one to that one and determine which one fits their organization. We'll put a link to that in the show notes.

Grace Berube: Yes, at that point, you should have everything you need to help make those decisions and to help you stay safe during this season.

Debra Richardson: Yeah.

Grace Berube: Thank you so much, Debra. Any final last tips or anything else that you want to share today?

00:31:17

Debra Richardson: Yeah, I just want to check one more time and make sure the IRS hasn't published it. I don't know what time of day it would actually come out, but check again here. Yeah, it is not published. So when I say I'm checking it, I am just going to the IRS website, typing in "W-9," and then you pull up the actual form and look at the revision date. It still says March 2024, so that's great. I also recommend you look at the draft tax forms site, too, on the IRS.gov. Just type in "draft tax forms." And that way, if they update the draft, which [with] the March 2024 one, they updated it a couple of times. You can keep track of that, too, but I checked that, too, and there are no updates to it. We'll see what happens with that form. But if you've got to collect them, make sure you don't collect them in the five ways that I talked about today, and then make sure you check out that article for recommendations for how to securely collect your vendor's W-9.

00:32:28

Grace Berube: Those are all such great tips. Thank you so much, Debra, as always. We’ll have you back on the podcast for a few episodes this season, so we look forward to hearing from you more then.

Debra Richardson: All right, Grace. Looking forward  to it. Thank you.

Grace Berube: Thank you so much.

Thank you so much for listening to the IOFM podcast. Remember to head on over to the Member Forum to discuss today's episode and provide ideas for our next one. And to stay up-to-date on IOFM's current events, both in-person and virtually, head on over to IOFM.com. 

Continuing Education Credits available:

Receive 1 CEU per hour of listening time towards IOFM programs:

Receive 1 CEU per hour of listening time towards maintaining any AP and P2P related program through IOFM! These programs are designed to establish standards for the profession and recognize accounts payable and procure-to-pay professionals who, by possessing related work experience and passing a comprehensive exam, have met stringent requirements for mastering the financial operations body of knowledge.

Continuing Education Credits available:

Receive 1 CEU per hour of listening time towards IOFM programs:

Receive 1 CEU per hour of listening time towards maintaining any AP and P2P related program through IOFM! These programs are designed to establish standards for the profession and recognize accounts payable and procure-to-pay professionals who, by possessing related work experience and passing a comprehensive exam, have met stringent requirements for mastering the financial operations body of knowledge.