Trustmi Talks

It’s Time to Rethink the Security of the Business Payments Cycle

Let’s start with one indisputable fact: enterprises have not gained the upper hand against B2B payment fraud, with 84% of enterprise companies affected by it in 2022 alone. That number points to a blind spot in cybersecurity technology and practice: the business payments cycle.

Let’s examine how this cycle works and how its siloed, manual nature introduces numerous gaps that threat actors can exploit. That analysis lays the foundation for a solution that overcomes these inherent weaknesses, thwarts attacks, and lets organizations’ cybersecurity and finance teams regain trust in their business payment processes.

Silos and Manual Validation Expose B2B Payments to Attacks

Unlike a B2C payment, where a single user pays, a B2B payment involves multiple stakeholders in a complex cycle: several consecutive steps lead from the initial generation of an invoice to the actual transfer of money to the supplier or vendor.

While the diagram above looks simple, the process contains dozens of steps that add complexity. Each step is owned by a different individual, or sometimes a group of individuals, within the organization, and each implicitly trusts the integrity of the previous steps. Every handover between steps is an opportunity for an attacker who has gained a foothold in the organization’s infrastructure to insert themselves as a middleman between two steps.

To get a sense of how exposed the process is, consider this: when you receive an email with an invoice, you have no built-in mechanism to confirm that it came from a vendor you actually work with rather than being a fake document. When you upload the invoice to the ERP system, the system has no way to verify that it is really you and not an attacker using your compromised credentials. When the payment is sent to the bank for approval, the bank’s check that the request came from a Finance employee is not enough to block an incorrect payment, and so on. Similar gaps exist in vendor onboarding and throughout the payment approval cycle.

Apart from the complexity of the process, there is the manual aspect. Humans are widely regarded as the weakest link in a security architecture. Beyond the standard social engineering techniques that bad actors use, there are aspects unique to payment cycle attacks: fraudsters have become skilled at producing fake documents and rogue user accounts that pass manual review, especially when that review is done hastily by an employee who has hundreds of other tasks.

The Tale of the Marketing Manager and the Vendor

To illustrate the challenge, let’s pick a very basic and common scenario and show how even a three-step process (omitting vendor onboarding, interaction with the bank, and issuing the actual payment) has inherent security gaps that can be exploited:

A marketing manager engages an external filming vendor to shoot a marketing video. Mapping it to the first three stages in the diagram above we get the following:

  1. The vendor issues an invoice for filming the video.
  2. The vendor emails the invoice to the marketing manager.
  3. The marketing manager either forwards the invoice to Finance or uploads it to the ERP system.

Sounds simple. So where’s the problem? To answer that, we need to introduce implicit trust into the equation.

Implicit Trust and the Payment Process  

What is implicit trust? For our purposes, implicit trust is the assumption that a person’s integrity can be taken for granted without validation. In many cases this trust is founded on previous experience. In our sample scenario, assume the marketing manager has worked with this vendor for a couple of years and has issued payments that the vendor received successfully. We’ll now look at how implicit trust is the common practice within the first three steps of the payment process described above.

  1. The marketing manager, when they receive the emailed invoice, implicitly trusts that the real vendor sent it to them.
  2. When the invoice is forwarded to the finance team or is uploaded to the ERP system, the finance team implicitly trusts that the marketing manager was the one who completed this task.

There is no apparent reason to withhold implicit trust in this scenario, because the process appears to be working the way it always has with this vendor.

Adversaries Leverage Weaknesses in the Handover Between Payment Steps  

But threat actors can take advantage of implicit trust between internal teams at a company. Their first step is to gain a foothold in the environment that gives them visibility into the payment process. Once they have that access, executing the rest of the attack is easy.

Consider an attacker who has already compromised the marketing manager’s email inbox. That access shows them what the vendor’s real invoices look like and when they arrive. They can exploit implicit trust by sending the manager a fake invoice in the vendor’s name with a different bank account number or fund transfer destination. They can also exploit implicit trust by sending the finance person a fake invoice on behalf of the manager, from the manager’s own mailbox.

Take this scenario, add the further approval and funds transfer steps, and multiply by the thousands of transactions that take place within the enterprise each month, and the magnitude of the payment interception and diversion problem becomes enormous. Worse yet, it is a problem that enterprises have so far failed to solve.

Consolidating All the Pieces into a Single, Context-Aware Layer

The fragmented, manual nature of the business payment cycle is among the leading reasons the process is so vulnerable to cyberattacks. A solution that fends off attacks on business payments must address these weaknesses directly.

Such a solution needs to connect all the pieces of the puzzle: the email inboxes, the ERP system, vendor profile data, behavioral patterns, and more. It must then monitor the payment cycle continuously, with two fundamental enhancements.

1. From implicit trust to AI-based validation

The first step is to eliminate implicit trust from the equation. To achieve that, the solution analyzes the components of each step to validate the integrity of the process. For example, when an invoice arrives by email, the solution inspects it to confirm that it is a genuine invoice issued by the vendor and not a fake. AI-based analysis can spot the places, however small, where a fraudulent document deviates from the legitimate ones received from that vendor in the past.

2. From siloed steps to a continuous process  

Equally important as the individual security checks at every step is the solution’s ability to take the full context of the payment process into account. Following the example above, after the marketing manager receives a legitimate invoice from the vendor, if the attacker then forwards a fake one to the ERP system, the solution recognizes the difference by comparing the forwarded invoice with the real one and with the past invoices it has seen from that vendor. From the anomalies in the fake invoice it can determine that the process is compromised.
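As an added illustration (this is not Trustmi’s code, which the page does not show), the following Python sketch implements deterministic versions of the two enhancements above. The per-step check compares an incoming invoice with a vendor profile built from onboarding data and past invoices (bank account on file, the domain the vendor has always invoiced from, past amounts), and the handover check verifies that the invoice reaching the ERP is the one the manager actually received by email. The vendor profile, invoices, domain names and IBANs are constructed sample data; the simple rules and the string-similarity test for lookalike domains stand in for the AI-based analysis the text describes.

```python
import difflib
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class VendorProfile:
    """What the organization already knows about a vendor from onboarding
    and past invoices (constructed sample data, not a real vendor)."""
    name: str
    sender_domain: str            # domain the vendor has always invoiced from
    iban: str                     # bank account recorded at onboarding
    past_amounts: Tuple[float, ...]


@dataclass(frozen=True)
class Invoice:
    """Payment-relevant fields extracted from one invoice email."""
    vendor_name: str
    sender_domain: str
    iban: str
    amount: float
    invoice_no: str


def fingerprint(inv: Invoice) -> str:
    """Hash of the fields that decide where the money goes. Recorded when the
    invoice first enters the cycle (the manager's mailbox) so the next step
    (ERP upload) can check that the handover did not alter it."""
    payload = json.dumps([inv.vendor_name, inv.iban, inv.amount, inv.invoice_no])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def is_lookalike(domain: str, known: str) -> bool:
    """True for a domain that is not the vendor's but is close to it,
    e.g. 'fi1mco.example' against 'filmco.example'."""
    if domain == known:
        return False
    return difflib.SequenceMatcher(None, domain, known).ratio() >= 0.8


def validate_step(inv: Invoice, profile: VendorProfile) -> List[str]:
    """Enhancement 1: check one invoice against the vendor's history instead
    of trusting it because it carries the vendor's name."""
    findings: List[str] = []
    if inv.iban != profile.iban:
        findings.append("bank account differs from the vendor master record")
    if inv.sender_domain != profile.sender_domain:
        if is_lookalike(inv.sender_domain, profile.sender_domain):
            findings.append("sender domain is a lookalike of the vendor's domain")
        else:
            findings.append("sender domain has never been used by this vendor")
    if profile.past_amounts and inv.amount > 2 * max(profile.past_amounts):
        findings.append("amount is more than twice any past invoice from this vendor")
    return findings


def validate_handover(received_fp: str, uploaded: Invoice) -> List[str]:
    """Enhancement 2: correlate steps. The invoice reaching the ERP must be the
    same one the manager received by email, or the handover is suspect."""
    if fingerprint(uploaded) != received_fp:
        return ["invoice uploaded to the ERP differs from the invoice received by email"]
    return []


def decide(findings: List[str]) -> str:
    """Any finding blocks the payment and routes it to a human with the context."""
    return "BLOCK" if findings else "ALLOW"


# Constructed sample data; the IBANs are illustrative values, not real accounts.
FILMCO = VendorProfile(
    name="FilmCo",
    sender_domain="filmco.example",
    iban="DE89370400440532013000",
    past_amounts=(4200.0, 4500.0, 3900.0),
)
REAL_INVOICE = Invoice("FilmCo", "filmco.example", FILMCO.iban, 4400.0, "FC-2023-117")
FAKE_INVOICE = Invoice("FilmCo", "fi1mco.example", "DE44500105175407324931", 9800.0, "FC-2023-118")
UNRELATED_INVOICE = Invoice("FilmCo", "mail-relay.example", FILMCO.iban, 4400.0, "FC-2023-119")

if __name__ == "__main__":
    received_fp = fingerprint(REAL_INVOICE)  # recorded at the mailbox step
    for inv in (REAL_INVOICE, FAKE_INVOICE, UNRELATED_INVOICE):
        findings = validate_step(inv, FILMCO) + validate_handover(received_fp, inv)
        print(inv.invoice_no, decide(findings), findings)
```

Run as a script, the real invoice is allowed, the lookalike invoice is blocked with four findings (changed bank account, lookalike sender domain, outsized amount, and a fingerprint that does not match the emailed original), and the invoice from an unrelated domain is blocked on the sender domain alone. The fingerprint is the piece that turns isolated per-step checks into a continuous process: it is captured where the invoice enters and verified where it is acted on.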

Whenever the solution encounters an anomaly that indicates potential fraud, it blocks the payment and alerts the responsible individual with all the context and information needed to fix the problem and prevent a loss. In this way, the people involved in the payment process can implicitly trust the platform to alert them to suspicious events and stop wrong payments from happening, and B2B payments become a fully trusted process.

Do you find this vision compelling to your payment security needs? At Trustmi we’ve turned it into reality. Reach out to one of our experts to learn more.