Payment Security 101
Learn about payment fraud and how to prevent it
Why attack a company’s well-guarded system when it’s easier to target one of its suppliers, who may be less protected? Supply chain attacks work when hackers gain access to their target through a vendor’s compromised credentials or infected systems.
A single compromised business can set off a chain reaction that reaches its suppliers and its customers. Attackers are not only growing more sophisticated; they refine each campaign with methods such as credential brute-forcing or impersonation of an executive.
Businesses must stay vigilant. The statistics below highlight the fraud risk facing many organisations, and Accounts Payable teams in particular.
Over the last decade, companies across many industries have had their reputations threatened and their finances imperilled by problems within their supply chains. Most of these attacks succeed because the organisation lacks robust processes to identify and manage growing supply-chain risk.
Supplier insolvency occurs when a business cannot afford to pay its outstanding debts when they are due. Controlling and keeping tabs on the hidden risk factors and financial health of every supplier in complex supply chains that extend across international borders can be difficult. They are not only hard to predict but difficult to detect.
Data security in supply chains is a greater concern than ever because breaches now happen constantly. Supply chain risk should therefore be a priority for every business, and businesses must implement layered security controls to reduce the risk of being defrauded.
According to Symantec, the number of supply chain attacks rose by 78% in 2018. Hacking is also increasingly used to break into networks and spread false information. A common entry point is phishing email, including Business Email Compromise (BEC), in which the attacker impersonates an executive.
Beyond phishing, supply chain attacks also arrive through unauthorised access to ERP systems and through backdoors planted in open-source or commercial software. Accounts payable teams rely heavily on exactly these systems for their daily work.
Employees involved in the supply chain often overlook the ongoing cyber risk posed by third-party vendors. According to a European Union Agency for Cybersecurity (ENISA) report, 66% of supply chain attacks target the supplier's code, 62% exploit the customer's trust in the supplier, and more than half of software supply chain attacks use malware.
Organisations need to know every third party they interact with in the supply chain, including contracted maintenance companies and suppliers. Anyone with access to the business's network, or a touchpoint anywhere in the supply chain, is a potential risk; insider threats can pose a bigger risk than an external attack.
Many businesses depend on IT teams and cyber security professionals to protect them from fraud. CFOs should treat cyber security as a fundamental function: the business is exposed not only to the direct loss of its own funds but also to the losses suffered by the suppliers it does business with.
Strong perimeter security is no longer enough when the attack arrives through a supplier. Attacks that come through a trusted supplier are easily overlooked and hard to notice. They are usually planned for months by attackers who explore multiple ways to infiltrate an organisation by first targeting its suppliers.
Most accounts payable teams assume their software vendors are secure and never test them for weaknesses further down the digital supply chain. Security research finds that 32% of organisations fail to re-assess existing vendors regularly or to vet new ones when onboarding. CFOs must work with supply chain managers to prioritise their own security and that of their supply chain.
Once an attack such as a data breach surfaces, the stolen data keeps being used long afterwards: it can be used to penetrate other third-party suppliers or sold on the dark web. Onboarding a new vendor also opens a new path for attack.
Stuxnet is a computer worm first identified in 2010, though its development has been traced back to 2005. Its objective was to quietly sabotage industrial control systems, specifically the Siemens PLCs driving uranium enrichment centrifuges at Iran's Natanz facility, while reporting normal operation to operators. Before long, over 100,000 computers were infected with its files, and the targeted industrial control systems were being physically degraded in real time.
The Equifax data breach compromised the personal records of 147.9 million Americans and 15.2 million British citizens. It was carried out through a known, unpatched vulnerability in Apache Struts, an open-source web framework the company depended on. In the aftermath, the business and its executives faced lawsuits and regulatory scrutiny.
SolarWinds was one of the most damaging supply chain attacks yet seen. The attackers compromised widely used software at its source, inserting a backdoor into the build of SolarWinds' Orion product, so that anyone who installed the trojanised update was exposed. Up to 18,000 organisations downloaded it, and US officials classified it as one of the worst breaches ever to hit the US government, according to CNN.
The Mimecast incident of January 2021 was not ransomware but a certificate compromise. A certificate that Mimecast issued to customers for authenticating to Microsoft 365 Exchange Web Services was compromised by a sophisticated threat actor, and roughly 10% of Mimecast customers used the affected connection.
In 2018, ASUS's Live Update mechanism was hijacked: attackers pushed a backdoored update, signed with legitimate ASUS certificates, to an estimated 500,000 computers. Hijacking software updates is one of the most frequent forms of supply chain attack.
The average cost of a data breach, according to IBM and the Ponemon Institute, is around USD 3.86 million. For companies hit through a supply chain attack the cost tends to be higher, because less of the loss is recovered.
Healthcare and finance are the sectors cyber criminals target most heavily with supply chain attacks. The malware used is well hidden and is often distributed to hundreds of organisations at once. Third-party vendors who install software inside a customer's environment can unwittingly create the foothold attackers need.
Security vendor Kaspersky reports that each successive supply chain attack becomes more costly. Businesses can head this off by securing their digital assets with stronger endpoint protection that offers effective detection and response.
SolarWinds incurred $3.5 million in expenses in the months after the attack on its supply chain, covering investigation and remediation as well as provision for future claims and further investigations. Beyond the direct financial loss, SolarWinds Inc. suffered lost productivity, data destruction and reputational damage.
Of 900 people surveyed, the vast majority (94%) said they had been negatively affected by supply chain disruptions, which they attributed to financial, cyber, and environmental, social and governance (ESG) transparency issues. Executives must therefore weigh every risk involved in selecting third-party vendors, including any technology used when onboarding them.
REvil is the ransomware deployed in the Kaseya MSP supply chain attack. Over 1,000 businesses were hit through that software supply chain, and once victims' data had been encrypted and exfiltrated, the attackers demanded $50 million for a universal decryptor.
Supply chain organisations can have a large number of external connections, often to critical infrastructure organisations. The prevailing mentality in supply chain attacks is "hack one, breach many": once one business's defences are breached, its whole supply chain is exposed.
Domain spoofing is a tactic commonly used by cyber criminals: they impersonate businesses, providers or suppliers to trick their targets into handing over large sums of money. One well-known example is a community housing non-profit that was defrauded of over 1.2 million dollars through domain spoofing combined with a business email compromise.
Software supply chain attacks are an emerging class of threat that targets software developers and suppliers. The goal is to reach source code, build processes or update mechanisms so that a legitimate application can be used to distribute malware. One example is the Dragonfly espionage group, which compromised industrial control system vendors' software downloads in order to sabotage or gain control of their customers' systems.
In an upstream attack, the attacker compromises a system that sits above many users, such as an update server, and every downstream user who downloads the poisoned update is infected. Most users are unaware of upstream attacks or how severe they can be, so all stakeholders must be informed about the cyber security risks in the supply chain.
Passwordstate, an on-premises enterprise password manager from the Australian software house Click Studios, runs on a standalone web server that organisations use to store and share passwords. In April 2021 it suffered a supply chain attack in which the attacker gained access to Passwordstate's update mechanism.
Anyone who updated the software during the attack window most likely had malicious software installed without detection. Affected customers included banks, universities, consultancies, government agencies and defence contractors.
Another far-reaching supply chain attack was the SITA data breach. Attackers compromised servers of SITA's Passenger Service System in the U.S. and stole passenger data, which affected airlines that had shared data with SITA, such as Singapore Airlines.
The airline stated that 580,000 frequent-flyer programme members were affected by the SITA breach. Data sharing alone was enough to let the attack spread across the entire supply chain.
A security incident like NotPetya is one that every CEO and accounting department should know about, because accounts payable teams that depend on accounting software carry high supply chain risk.
NotPetya was delivered through the auto-update mechanism of M.E.Doc, a Ukrainian accounting application. Attackers pushed malicious updates to its users on three separate occasions; these updates opened backdoors through which the NotPetya malware was installed remotely.
On July 2, 2021, managed service providers and their customers fell victim to the Kaseya ransomware attack. The attackers exploited vulnerabilities in Kaseya's VSA software that let them bypass authentication and run arbitrary commands, then used it to push ransomware downstream. Up to 1,500 small and medium-sized businesses that rely on third-party IT contractors were affected.
Several types of cyber attack target supply chains, and invoice fraud is one of the most common. It typically involves criminals redirecting business payments to their own bank accounts. Impersonation is the related business email compromise tactic of posing as an employee or vendor.
Data collected by the ACCC suggests that businesses lost more than $128 million last year to scams of all sorts – close to $2.5 million each week. Invoice fraud may include fraudsters changing bank account details, sending forged supplier invoices, and intercepting and altering legitimate invoices.
Some fraudulent invoices also carry malicious attachments or links that install malware, putting the business's finances, data and future earnings at risk.
An invoice passes through several hands on its way to payment, and it can be altered in transit at any of them without being noticed. Scammers send faked invoices and even imitate the callback confirmation step. Any gap in this process can result in a fraudulent payment.
Business Email Compromise (BEC) scammers either send a fraudulent invoice that looks legitimate or divert a genuine payment to their own account. To counter this, cross-check the sender's email address, verify any change by phone using a number already on file rather than one printed in the email, and where possible confirm in person.
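The checks just described, as an added example that is not part of the original article or of any vendor's product: a small Python routine an accounts payable team could run over an incoming invoice email before releasing payment. It flags look-alike sender domains (the domain spoofing discussed earlier), a Reply-To address that does not match the sender, and bank details that differ from the vendor master, and it holds payment until the change is confirmed by calling the number already on file. The vendor record, the domains and the three sample messages are all constructed for the example.

```python
import difflib
import re
import unicodedata
from email.utils import parseaddr

# Constructed vendor master record (assumption for this example). In practice
# this is the ERP payee file, maintained out of band and never updated from
# the contents of an email.
VENDOR_MASTER = {
    "acme-supplies.example": {
        "name": "Acme Supplies",
        "bsb": "062000",
        "account": "12345678",
        "callback_phone": "+61 2 5550 0100",   # captured at onboarding
    },
}

# Digit-for-letter substitutions commonly used in look-alike domains.
_SUBS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"}

BSB_RE = re.compile(r"BSB[:\s]*(\d{3})[- ]?(\d{3})", re.I)
ACCT_RE = re.compile(r"Account(?:\s*(?:No|Number))?[:\s]*(\d{6,10})", re.I)


def normalise_domain(domain: str) -> str:
    """Fold case, Unicode confusables (NFKC) and digit/letter look-alikes so
    that 'Acme-Supp1ies.example' compares equal to 'acme-supplies.example'.
    Both sides are folded the same way, so a genuine domain that contains
    digits still matches itself exactly."""
    d = unicodedata.normalize("NFKC", domain).lower().strip()
    d = "".join(_SUBS.get(c, c) for c in d)
    return d.replace("rn", "m").replace("vv", "w")


def lookalike_score(domain: str, known: str) -> float:
    """Similarity in [0, 1] between two domains after normalisation."""
    return difflib.SequenceMatcher(
        None, normalise_domain(domain), normalise_domain(known)).ratio()


def sender_parts(header: str):
    """Split a From/Reply-To header into (display name, lower-cased domain)."""
    name, addr = parseaddr(header)
    return name, addr.rpartition("@")[2].lower()


def vet_invoice(from_header: str, reply_to: str, body: str):
    """Return ('OK_TO_PAY' or 'HOLD', list of findings) for one invoice email."""
    findings = []
    name, domain = sender_parts(from_header)
    vendor = VENDOR_MASTER.get(domain)

    if vendor is None:
        # Unknown payee domain: is it a look-alike of a vendor we know, or does
        # the display name borrow a known vendor's name?
        best = max(VENDOR_MASTER, key=lambda k: lookalike_score(domain, k))
        score = lookalike_score(domain, best)
        if score >= 0.85:
            findings.append(f"sender domain {domain!r} resembles {best!r} (similarity {score:.2f})")
        for known, rec in VENDOR_MASTER.items():
            if name and rec["name"].lower() in name.lower():
                findings.append(f"display name claims {rec['name']!r} but domain is {domain!r}, not {known!r}")
        findings.append("sender domain is not in the vendor master; route to onboarding, do not pay")
        return "HOLD", findings

    if reply_to:
        _, reply_domain = sender_parts(reply_to)
        if reply_domain != domain:
            findings.append(f"Reply-To domain {reply_domain!r} differs from sender domain {domain!r}")

    bsb = BSB_RE.search(body)
    if bsb and "".join(bsb.groups()) != vendor["bsb"]:
        findings.append(f"BSB {'-'.join(bsb.groups())} differs from vendor master {vendor['bsb']}")
    acct = ACCT_RE.search(body)
    if acct and acct.group(1) != vendor["account"]:
        findings.append(f"account {acct.group(1)} differs from vendor master {vendor['account']}")

    if findings:
        # Any change is confirmed by calling the number on file, never a
        # number printed in the email or on the invoice itself.
        findings.append(f"confirm by phone on {vendor['callback_phone']} (from the vendor master)")
        return "HOLD", findings
    return "OK_TO_PAY", findings


# Constructed sample messages (not real emails).
GENUINE = dict(
    from_header='"Acme Supplies" <billing@acme-supplies.example>',
    reply_to="",
    body="Invoice 1042 for $4,800. Pay to BSB 062-000, Account No 12345678.",
)
SPOOFED = dict(  # look-alike domain: digit 1 in place of the letter l
    from_header='"Acme Supplies" <billing@acme-supp1ies.example>',
    reply_to="",
    body="Invoice 1042. We have changed banks: BSB 062-999, Account No 87654321.",
)
ALTERED = dict(  # genuine sender domain, but an intercepted invoice with new bank details
    from_header='"Acme Supplies" <billing@acme-supplies.example>',
    reply_to='"Acme Supplies" <acme.billing@webmail.example>',
    body="Invoice 1042. New remittance details: BSB 062-999, Account No 87654321.",
)

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("spoofed", SPOOFED), ("altered", ALTERED)):
        decision, notes = vet_invoice(**msg)
        print(label, decision)
        for n in notes:
            print("  -", n)
```

The design point is that the vendor master, not the email, is the source of truth: the script never accepts a phone number or bank detail from the message itself, a mismatch always results in a hold rather than a warning that can be clicked through, and an unknown payee goes to onboarding rather than to payment.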
Invoice fraud is a criminal act that impacts all stakeholders of a business regardless of size or shape. However, the primary targets are business executives or junior employees. Employees of lower rank, or who aren’t versed in current scam trends, are more likely to fall victim to invoicing fraud. The outcomes are only getting worse, with more and more people becoming victims each year.
Scamwatch reports one instance in which a staff member was taken in by invoice fraud that cost over $16,000 in a single transaction. An employee who notices an attack should escalate to their Area Manager and the Chief Financial Officer so it can be stopped or prevented from recurring. Keeping software patched, hardening email settings and enforcing strong multi-factor authentication are all effective ways to reduce the risk.
Sadly, even major businesses fall victim to invoice fraud. Among the headlines from the FBI's recent report are the Shark Tank investor and Amazon cases; in the Amazon case, an attacker manipulated data to trick the system into processing over $19 million in fake transactions.
Attackers now use a range of BEC tactics to break into financial accounts, including spear phishing and the theft of login credentials. The most common choice is to target large enterprises with payment and invoice fraud, because the payoff is bigger. Victims often fail to notice the compromise at all, precisely because the technique is so simple.
The most common risks for supply chain companies are data leaks, supply chain breaches and malware attacks. Data leaks can originate with insiders, such as employees or managers, or with outsiders, such as competitors and hackers, and either can expose confidential business information.
Most security breaches happen when a hacker or a malicious user gains access to an operating system or network without authorization.
Companies must stay vigilant about threats to their supply chain and about the controls they add to counter them. CFOs should be mindful of every risk, including the third-party vendors they partner with. The greatest risk in the supply chain is an unverified or dishonest vendor, and taking a vendor at their word is not verification.
For CFOs to prioritise cyber security in their supply chain, it is critical not to take shortcuts on third-party due diligence and screening. The typical process includes screening, verification, and policies such as zero trust for vendor access, all of which reduce the chance of a successful attack.
Although no business is completely safe from supply chain threats, companies can reduce the likelihood of an attack and limit the fallout when one occurs by communicating proactively with their IT department and acting quickly.
Those in a leadership position must follow a comprehensive response plan in order to ensure an efficient response to supply chain attacks. The documented plan must detail each leader’s role at each stage of the incident.
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.