Naturally, we focus on the downsides of COVID-19, but for some there has been an upside. Less acknowledged than providers of video conferencing, but flourishing nevertheless, are supply chain fraudsters. It strikes me that had Supplier Payments Fraud Corporation been established and publicly traded (which thankfully it is not), we would have probably seen its revenue and stock price rocketing as well.
Essentially, the fraudster’s objective is to reroute a due payment to another bank account. Such fraud may originate externally by a deceitful individual or business, or it may be committed by an employee within the victim organisation.
The preferred method used by external fraudsters is fake emails and social engineering to impersonate a supplier. Hacks into email accounts to intercept and modify invoices, as well as stealing user credentials to impersonate employees, are increasingly popular. While requiring a more competent attacker, we’ve also seen specialised malware targeting Enterprise Resource Planning systems. Meanwhile, malicious insiders might abuse their access to commit fraud, and their familiarity with the environment to bypass controls and cover their tracks.
A recent cybercrime investigation by a KPMG member firm found a fake business email asking the company to remit payment to a different supplier bank account. On receiving the email, the company did not suspect the request to be unusual, despite the bank account being in a foreign country, the request being written in an uncharacteristic style, and the sender email domain being incorrect. In this case the company did not call the supplier to verify the change in details. Perhaps most interesting was the method used to perpetrate the fraud. The fraudster first hacked into the email account of the customer’s procurement associate. Having intercepted an incoming legitimate invoice, the attackers modified it and resent the falsified invoice, asking to change the bank account details. The result: hundreds of thousands paid to the fraudster.
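The case above lists three red flags that a payments team can check mechanically before any bank-detail change is actioned: the sender's email domain differs from the domain the supplier is known to use, the new account sits in a different country from the account on file, and nobody called the supplier back on a number already held. The screening routine below is an added illustration, not code from KPMG or from the investigation described; the supplier records, request messages and the `acme-supplies.com` domain are constructed sample data, and the lookalike-domain check (a small edit distance between the sender's domain and the expected one) is an extension of the "incorrect sender email domain" indicator rather than something the article states.

```python
"""Screen supplier bank-detail change requests for the red flags described
in the KPMG case: wrong sender domain, account in a different country, and
no callback verification. All records below are constructed sample data."""

from dataclasses import dataclass


@dataclass
class SupplierRecord:
    name: str
    email_domain: str   # domain the supplier is known to send from (on file)
    bank_country: str   # ISO country code of the account currently on file


@dataclass
class ChangeRequest:
    supplier_name: str
    sender_email: str
    new_bank_country: str
    verified_by_callback: bool  # did staff phone a supplier number already on file?


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (e.g. '1' for 'l')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def screen_change_request(req: ChangeRequest, supplier: SupplierRecord) -> list[str]:
    """Return the list of red flags raised by this request; empty means none."""
    flags = []
    sender = _domain(req.sender_email)
    expected = supplier.email_domain.lower()
    if sender != expected:
        if _edit_distance(sender, expected) <= 2:
            flags.append(f"lookalike sender domain {sender!r} (expected {expected!r})")
        else:
            flags.append(f"sender domain {sender!r} does not match supplier domain {expected!r}")
    if req.new_bank_country.upper() != supplier.bank_country.upper():
        flags.append(f"new account in {req.new_bank_country}, "
                     f"supplier's account on file is in {supplier.bank_country}")
    if not req.verified_by_callback:
        flags.append("change not verified by callback to a supplier number already on file")
    return flags


def decision(flags: list[str]) -> str:
    """Any red flag holds the change until out-of-band verification clears it."""
    return "HOLD" if flags else "PROCEED"


# Constructed sample data (hypothetical supplier and requests).
ACME = SupplierRecord(name="Acme Supplies", email_domain="acme-supplies.com", bank_country="GB")

# Mirrors the case: wrong sender domain, foreign account, no verification call.
CASE_REQUEST = ChangeRequest("Acme Supplies", "accounts@acme-supplies-invoices.net", "HK", False)
# A legitimate change handled correctly: known domain, same country, callback done.
LEGIT_REQUEST = ChangeRequest("Acme Supplies", "accounts@acme-supplies.com", "GB", True)
# A lookalike domain that differs from the real one by a single character.
LOOKALIKE_REQUEST = ChangeRequest("Acme Supplies", "accounts@acme-supp1ies.com", "GB", True)

if __name__ == "__main__":
    for label, req in [("case", CASE_REQUEST), ("legit", LEGIT_REQUEST), ("lookalike", LOOKALIKE_REQUEST)]:
        flags = screen_change_request(req, ACME)
        print(f"{label}: {decision(flags)}")
        for f in flags:
            print("  -", f)
```

The point of the routine is that every flag forces a hold rather than a judgement call by whoever opened the email; the release condition is a callback to a number already held for the supplier, never to a number quoted in the request itself.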
In another high-profile case, an international corporation was defrauded using a spoofed voice mail generated by DeepFake AI, sent as a follow-up reminder to a spoofed email allegedly from that same person. The result: a multi-million loss sustained through a single transaction.
Analysing numerous cases, we see the same key patterns emerge:
The rapidly changed work environment forced by COVID-19 has amplified the opportunities for fraudsters, and supplier payments fraud is on the rise:
Financial resilience and cash flow have always been important, more so in times of macro and micro economic stress. Focusing on fraud risk mitigation during the COVID-19 crisis can help to safeguard your company’s financial position and better weather the economic storm.
Original article by Israel Aloni, Director, Cyber Security, KPMG in Israel.