The Latest Threat CISOs Cannot Afford to Ignore—Business Payment Fraud

[By Shai Gabay, CEO, Trustmi]

As if the list of things keeping CISOs up at night wasn’t long enough, cyberattacks on finance teams and business payment processes are now a priority because they are in the bullseye of bad actors.

According to a 2023 webcast poll from Deloitte Center for Controllership™, more than 48 percent of C-suite and other executives expect the number and size of cyber events targeting their organizations’ accounting and financial data to increase in the year ahead. This puts CISOs on notice.

One reason for the growth of cyberattacks is that finance departments and their B2B payment processes are highly manual and, therefore, vulnerable. Additionally, finance teams continue to rely on disparate systems with siloed information, creating a lack of visibility across the entire payment workflow. That lethal combination results in growing blind spots and human errors. This challenge is compounded by understaffed finance teams that are stretched thin and overwhelmed by the sheer number of invoices and payments that teams must process regularly.

Add it all up, and identifying potential signs of business payment fraud is like looking for a needle in a haystack. Some top sources of struggle for CISOs include Business Email Compromise (BEC), vendor supply chain attacks, and cyber attackers who are cranking up their use of AI.


Here’s a look into each of these areas:

Business Email Compromise (BEC): BEC attacks have existed for some time. The FBI began tracking BEC more than a decade ago. But today, the focus of these attacks is not just ransomware and data theft. They are targeting finance teams by impersonating legitimate vendors and sending fake invoices to companies. The goal of these efforts is illicit financial gain. The 2022 FBI Internet Crime Report found the following:

  • The FBI found attackers are spoofing legitimate business phone numbers to confirm fraudulent banking details.

  • According to research from the FBI Internet Crime Complaint Center, $50B was lost to business email compromise between 2013 and 2022.

AI: Arguably, the most significant security challenge facing CISOs and the finance department stems from AI. In what seems like the blink of an eye, cybercriminals are using AI to create written, voice, and video communications so convincing that many human experts cannot separate the real from the fraudulent. This includes anything from a phishing campaign to chatbot conversations and video conference calls. 

In what may be the most recent high-profile example, earlier this year in Hong Kong, attackers used a deepfake of a CFO in a video conference to trick a finance employee into making a fraudulent $25 million wire transfer. More recently, an employee of the TV network owned by the Boston Red Sox was convicted of creating fraudulent invoices in the name of a legitimate vendor. He was able to steal $500,000.

Supply chain problems: Supply chain attacks have been around for some time, SolarWinds being one well-known victim. However, not all supply chain attacks are the same. Today, some attackers are exploiting a company’s vendor supply chain rather than attacking the software supply chain and installing malware. Vendor supply chains are extremely vulnerable because third-party vendors lack the same levels of security as larger enterprises, making them easy to exploit.


Once the vendor is integrated with the larger business, the fraudster acts by, for example, impersonating a vendor and changing their payment details to shift the payment to themselves. This is a threat that all companies must be wary of. According to research from the Cyentia Institute, the average organization has approximately ten third-party relationships, and 98% had at least one third-party partner who had suffered a breach. For larger businesses, the number of vendors can be in the hundreds of thousands, which means there’s an even larger risk that these enterprise organizations are working with third-party partners at risk of a security breach.


Securing Finance with AI

If any of these threats have not impacted your business, it’s likely only a matter of time. The best tool to have in your CISO tool belt is AI. More specifically, an AI system that can analyze vast amounts of data in real time and, in the process, continually improve fraud detection capabilities. Today, AI-based analysis systems can monitor and analyze all aspects of the process, from vendor interaction to payment. From there, these systems can provide real-time risk and trust scores, identify discrepancies or anomalies, send alerts for potentially fraudulent activities, and work seamlessly within the current process to ensure easy implementation.


Regarding the supply chain, AI can replace wildly outdated manual processes by efficiently managing and securing every vendor, whether you have 1 or 100,000. And this includes fourth-party vendors as well.


Look for solutions that can identify all vendors, provide complete visibility into their management, monitor vendor activities, track and control their permissions and access to internal systems, and enforce security practices. In addition to managing vendor profiles and changes to their payment information, it’s vital that your AI system can secure the entire supply chain lifecycle, including the initial onboarding process. This is necessary to provide full supply chain protection.
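As an added illustration of the kind of discrepancy check such a system would run over a payment batch (example code written for this article, not Trustmi’s product or any vendor’s), the following Python holds an outgoing payment when the vendor’s bank details changed shortly before it, the change request came from a domain that only resembles the one captured at onboarding, or the confirming call-back used the number supplied in the request rather than the number on file. All vendor names, domains, dates and phone numbers are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vendor:
    domain: str                       # e-mail domain recorded at onboarding
    phone_on_file: str                # call-back number recorded at onboarding
    bank_changed_on: Optional[date] = None
    change_requested_from: str = ""   # e-mail domain the change request came from
    change_callback_number: str = ""  # number AP actually called to confirm it

@dataclass
class Payment:
    vendor: str
    amount: float
    pay_date: date

def lookalike(a: str, b: str) -> bool:
    # Crude lookalike test: identical after dropping dots/hyphens, or one character off
    na, nb = a.replace("-", "").replace(".", ""), b.replace("-", "").replace(".", "")
    if na == nb:
        return a != b
    return len(na) == len(nb) and sum(x != y for x, y in zip(na, nb)) == 1

def score_payment(p: Payment, vendors: dict, window_days: int = 30) -> list:
    """Reasons to hold this payment for manual review; an empty list means release."""
    v, reasons = vendors[p.vendor], []
    if v.bank_changed_on and (p.pay_date - v.bank_changed_on).days <= window_days:
        reasons.append(f"bank details changed within {window_days} days of payment")
        if v.change_requested_from != v.domain:
            kind = "lookalike" if lookalike(v.change_requested_from, v.domain) else "unknown"
            reasons.append(f"change requested from {kind} domain {v.change_requested_from}")
        if v.change_callback_number != v.phone_on_file:
            reasons.append("call-back used the number in the request, not the number on file")
    return reasons

def review_batch(payments, vendors) -> dict:
    """Map each vendor whose payment should be held to the reasons for the hold."""
    return {p.vendor: r for p in payments if (r := score_payment(p, vendors))}

# Constructed sample data (not real vendors, domains or phone numbers)
VENDORS = {
    "Acme Supplies": Vendor("acmesupplies.com", "+1-555-0100", date(2024, 5, 2),
                            "acme-supplies.com", "+1-555-0199"),
    "Northwind Parts": Vendor("northwind.example", "+1-555-0120"),
}
PAYMENTS = [Payment("Acme Supplies", 48500.0, date(2024, 5, 10)),
            Payment("Northwind Parts", 12000.0, date(2024, 5, 10))]
```

Running `review_batch(PAYMENTS, VENDORS)` holds only the Acme payment, with all three reasons; the point of the call-back rule is that a number supplied in a change request is the attacker’s number when the request is fraudulent, so confirmation must go to the number captured at onboarding.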


For today’s CISO, the threats never stop. As attackers expand their list of targets, security teams must be prepared to identify and mitigate each, whether a BEC, vendor supply chain attack, or AI-fueled deepfake swindle. The good news is that CISOs can fight fire with fire by tapping into AI to identify suspicious activity and stop it in its tracks, no matter which department is being targeted.


Shai Gabay Bio

A visionary entrepreneur, Shai Gabay has always held a deep passion for cybersecurity and fintech, and over the course of his career, he has developed his expertise in both areas. Currently, Shai is a co-founder and the CEO of Trustmi, a leading end-to-end payment security platform founded in Israel in 2021. Prior to Trustmi, he was General Manager at Opera, VP of Product and Services at Cynet, CIO at Cyberbit and the CISO at Discount Bank.


Shai holds a Bachelor’s Degree from Shenkar College in software engineering, and also a Master’s degree in Business Administration and Management from Tel Aviv University. Additionally, Shai was selected for the prestigious 1-year full scholarship executive excellence program at the Hoffman Kofman Foundation, a program tailored to outstanding alumni of IDF’s Elite Units. Through this program, he had the opportunity to study with prominent co-founders and leaders at renowned global tech companies and professors at elite universities.