Naturally, we focus on the downsides of COVID-19, but for some there has been an upside. Less acknowledged than providers of video conferencing, but flourishing nevertheless, are supply chain fraudsters. It strikes me that had Supplier Payments Fraud Corporation been established and publicly traded (which thankfully it is not), we would have probably seen its revenue and stock price rocketing as well.
How does supplier payments fraud work?
Essentially, the fraudster’s objective is to reroute a due payment to another bank account. Such fraud may originate externally by a deceitful individual or business, or it may be committed by an employee within the victim organization.
The preferred method used by external fraudsters is fake emails and social engineering to impersonate a supplier. Hacking into email accounts to intercept and modify invoices, as well as stealing user credentials to impersonate employees, is increasingly popular. While requiring a more competent attacker, we’ve also seen specialized malware targeting Enterprise Resource Planning systems. Meanwhile, malicious insiders might abuse their access to commit fraud, and use their familiarity with the environment to bypass controls and cover their tracks.
A recent cybercrime investigation by a KPMG member firm found a fake business email asking the company to remit payment to a different supplier bank account. On receiving the email, the company did not consider the request unusual, despite the bank account being in a foreign country, the request being written in an uncharacteristic style, and the email coming from an incorrect sender domain. In this case the company did not call the supplier to verify the change in details. Perhaps most interesting was the method used to perpetrate the fraud. The fraudster first hacked into the email account of the customer’s procurement associate. After intercepting an incoming legitimate invoice, the attackers modified it and resent the falsified invoice, asking to change the bank account details. The result: hundreds of thousands paid to the fraudster.
In another high-profile case, an international corporation was defrauded using a spoofed voice mail generated by DeepFake AI, sent as a follow-up reminder to a spoofed email allegedly from that same person. The result: a multi-million loss sustained through a single transaction.
Why does it work?
Analyzing numerous cases, key patterns become clear:
- Humans do not always follow procedures: Be it lack of awareness, knowledge or discipline, the sad fact is employees do not always act according to the defined manual controls.
- Tech-powered attacks bypass manual controls: cyberattacks where accounts or systems are hacked can circumvent manual controls. A hyper-connected, fast-paced workplace that stresses our attention span is fertile soil for well-crafted social engineering attacks.
- Organizational silos create gaps: procurement and finance teams as business process owners, accountable for payments fraud prevention, may be well aware of the problem but lack the technical knowledge of how such cybercrime attacks might materialize. IT Security professionals, on the other hand, possess the technical understanding yet focus on generic infrastructure defense rather than on specific business processes. Fraudsters exploit this disconnect, attacking business processes with technical means.
How has COVID-19 affected supplier payment fraud controls?
The rapidly changed work environment, forced by COVID-19, has amplified opportunities for fraudsters and driven a rise in supplier payments fraud:
- Social distancing means remote, virtual and digital interactions with suppliers and colleagues. Coupled with the accelerated switch to electronic, faster payments, this increases the risk of human misjudgment and rushed approvals, resulting in undetected fraud.
- Changes in the supply chain, driven by changing needs, struggling suppliers, or cost containment measures, overload procurement and finance teams, limiting the time and attention they can apply to supplier due diligence.
- Heightened insider fraud risk: at a time when personal or financial stress due to restructuring, pay cuts, suspended bonuses or forced unpaid leave can lead to a heightened rationalization to commit fraud, relaxed controls present a tempting opportunity.
- The gap between business and IT security just got wider, with companies’ IT focused on enabling work from home, while business teams struggle to adapt to modified business processes.
- Fraud attempts have increased by double- and triple-digit percentages, exploiting times of personal stress and interest in pandemic-related content to deploy tailored phishing and malware attacks.
- At the same time, attack hit rates are on the rise; for example, the click rate by unsuspecting victims is five times its level before the virus outbreak.
What can you do?
- Assess and test your existing controls from the attacker’s point of view. Threat modeling and simulated fraud testing will help you understand the true effectiveness of your controls (or lack thereof).
- Apply automated business process controls to reduce manual intervention, ensure controls coverage and increase confidence in the effectiveness of the controls. Validation of supplier bank account details would be a great first step, applying new and automated approaches such as API-based queries to external data sources or auto-triggered managed services.
- Avoid a single point of failure. Take a defense-in-depth approach, mitigating different fraud methods at multiple points along business processes. For example, automated checks embedded in supplier onboarding or change processes are effective against external attackers, social engineering and impersonation, while checking every payment during a payment run addresses malicious insiders or malware attacks that modify banking details for existing suppliers.
- Consider external intelligence as a safety net against potential compromise of internal controls, systems and data. It may be a positive signal, such as “100 other companies have made 250 payments to that supplier and that specific bank account over the last 12 months – with no rejects”, or a negative red flag such as “100 other companies pay that supplier, but only to a specific bank account”.
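To make the payment-run and external-intelligence controls above concrete, here is an added example (not KPMG’s code or any product’s API) of the checks a payment run might apply to each payment before release. It assumes a supplier master record with the fields shown, uses the IBAN country prefix as a proxy for the bank’s country, and embeds a constructed external-intelligence table in place of a real API query.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Supplier:
    name: str
    country: str                 # ISO country code from the supplier master record
    email_domain: str            # domain the supplier is known to send from
    iban: str                    # bank account currently on file
    bank_changed_on: Optional[date] = None
    change_verified: bool = False  # confirmed by call-back to a known phone number

@dataclass
class Payment:
    supplier: str
    iban: str
    amount: float
    run_date: date
    request_domain: Optional[str] = None  # sender domain of the email that requested the change

# Constructed external intelligence (hypothetical): for each supplier, which IBANs other
# companies were seen paying, how many payers, and how many of those payments were rejected.
EXTERNAL_INTEL = {
    "Acme Parts Ltd": {"GB29NWBK60161331926819": {"payers": 100, "rejects": 0}},
}

def payment_run_checks(p: Payment, s: Supplier, intel=EXTERNAL_INTEL, window_days=30):
    """Return the red flags raised for one payment; an empty list means no concern."""
    flags = []
    if p.iban != s.iban:
        flags.append("iban_differs_from_master")        # insider/malware edit of the run file
    if s.bank_changed_on and not s.change_verified \
            and (p.run_date - s.bank_changed_on).days <= window_days:
        flags.append("recent_unverified_bank_change")    # change never confirmed by call-back
    if p.iban[:2].upper() != s.country.upper():
        flags.append("bank_country_differs_from_supplier")
    if p.request_domain and p.request_domain.lower() != s.email_domain.lower():
        flags.append("request_from_unknown_domain")      # look-alike or wrong sender domain
    seen = intel.get(s.name, {})
    if seen and p.iban not in seen:
        flags.append("no_other_company_pays_this_account")  # the negative signal from the text
    elif seen.get(p.iban, {}).get("rejects", 0) > 0:
        flags.append("account_has_external_rejects")
    return flags

def decide(flags):
    """Hold anything flagged for an out-of-band call-back; release the rest."""
    return "hold_for_callback" if flags else "release"
```

A flagged payment is held rather than rejected outright, so the procurement team still makes the final call, but only after the call-back the first case study skipped.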