Trustmi Talks

The Anatomy of The Payment Cycle: What Can Possibly Go Wrong?

The Trustketeer

The first step to protecting B2B payments from fraud is understanding what an attacker is targeting. In the context of fraudulent business transactions, it is essential to understand the parts of a standard payment cycle and the attack methods a threat actor applies to each of them. Here we provide an overview of a few steps within the business payment cycle and highlight the attack surface each step introduces.

In its simplest form, a payment cycle commences when an internal employee at a company engages an external vendor for some purpose, typically to provide goods, services, technology, or any combination of the three. From that point on there is a standard procedure that is common to most organizations that aims to ensure all vendors are authorized as legitimate payment destinations, and all outbound transactions conform to the same processing standards.

Let’s examine three different areas of the B2B payment process and see why each step is vulnerable to an attack. We'll also look at how Trustmi fits in as the best solution to plug the gaps.

#1 Onboarding and Generating Invoices  

The payment process typically begins when a company signs a contract with a vendor, onboards the vendor, and receives an invoice from the vendor for payment. Let’s take a deeper look at the onboarding process and at what happens when those invoices are generated.

What can go wrong?  

Let’s first look at insider threats, or what we often call internal collusion. There are many cases where an employee can forge an invoice for alleged goods or services from an existing vendor, or can create an entirely fictitious supplier and onboard them as if they were real. Often, especially at a large company, the team or individual that handles vendor onboarding is not the one that pays the invoices. When it comes to payment cycles, teams are siloed and have no visibility into what goes on in other parts of the procure-to-pay process. As a result, the team responsible for onboarding a vendor would typically have no way of knowing whether the vendor is, in fact, real and providing actual goods and services to the company.

If an internal bad actor manages to onboard a fake vendor and starts generating invoices, the scheme is difficult to detect because they can cover their tracks, knowing that there is no visibility across the different stages of the payment cycle. Furthermore, at companies that regularly have thousands or hundreds of thousands of invoices requiring payment, one additional invoice can slip by unnoticed among the many others in line for the next payment run. This type of internal attack is especially easy for employees who are part of the payment workflow, because they know the ins and outs of the process intimately. Detecting internal collusion is incredibly difficult without a technology solution.

In the same way, an external threat actor can easily compromise the invoice generation part of the payment process by hijacking an employee’s or vendor’s email account. Once they have access to the inbox, they can produce fraudulent invoices, send them to finance, and get paid. We’ll discuss business email compromise in more detail below.

How to avoid this

Trustmi can help in this case by verifying the vendors as they are being onboarded, and by protecting the full payment process to ensure that the invoices submitted for payment are legitimate. The platform analyzes hundreds of data points within the onboarding process to create a baseline, or fingerprint, of the vendor to track patterns in their behaviors and activities. Our tech also analyzes the invoices submitted for payment to catch the anomalies and errors on the invoice itself to confirm whether it’s fraud or not.  

#2 Emailing payment data and invoices

As antiquated as it sounds, one of the most common channels for submitting payment details and information for vendors is via email. Moreover, this is also among the most popular ways for vendors to send their invoices for payment.  

What can go wrong?

We’ve discussed in the past how business email compromise (BEC) is a growing problem, and large enterprises are particularly vulnerable to this type of attack. Once a threat actor has gained access to a vendor’s email account, they can follow and monitor all the conversations related to that vendor’s payments. Additionally, they now have access to the email thread that includes the legitimate vendor’s bank account information, tax documents, invoices, and any other confidential information. With access to all this information, they are now able to impersonate the vendor and submit fake invoices.  

When an unsuspecting employee receives an invoice from a vendor whose inbox is now controlled by a threat actor, the employee will forward the invoice to the finance team as usual, because they implicitly trust that the actual vendor sent it. Or they might upload the invoice directly to the ERP system, depending on the internal process in place. Either way, when there are many invoices to be paid, it’s not surprising that an employee will want to submit invoices for payment quickly, without double checking that the real vendor sent the email with the invoice. Most finance teams are resource constrained and don’t have time to double check all the email correspondence as well as the invoice itself to see that these correspond to past patterns for this vendor. And if the attacker submits an invoice for a new vendor that has never been paid before, the employee wouldn’t know what the past behaviors, patterns, and invoices of that vendor even looked like. In this last case, how would any employee ever know that something was amiss?

How to avoid this

This example illustrates how business payment fraud extends beyond attacks on the payment cycle itself. It can start ahead of the payment workflow, commencing with the communication channels before any invoice even gets submitted to finance. It’s critical to leverage a platform like Trustmi that connects the dots across the entire process, from the very first email with the vendor through to the release of funds and managing the vendor supply chain. There are plenty of point solutions on the market for BEC protection, vendor onboarding and management, or AP process automation, but each of these only solves one part of the problem and won't be enough on its own. A comprehensive platform to avoid cyberattacks and internal collusion, like Trustmi, can holistically address the problems in the B2B payment process, ensuring not only that the approval flow is secured, but that every step, interaction, and activity across and beyond the process is monitored, analyzed, and protected.

#3 Processing Invoices within the ERP

Most enterprise businesses employ an enterprise resource planning (ERP) system. ERP technologies provide numerous benefits to teams by supporting finance processes, managing supply chain and procurement, and much more. When it comes to paying vendors, ERPs are particularly useful, and employees can easily upload an invoice into the ERP system to initiate the payment process.

What can go wrong?

Unfortunately, like any technology, ERPs are very attractive targets for bad actors because they contain so much valuable information from across an organization. ERPs are also highly susceptible to hacks and compromise because of their myriad vulnerabilities. Because the ERP centralizes so much information, it typically has many users in an organization, and every user with access becomes a potential point of attack. Furthermore, it’s common for many of these users to receive full access and privileges to the ERP that they probably shouldn’t have, because the system is not always appropriately monitored. With those elevated access levels, some users might override ERP system controls to circumvent the established protocols that are in place to provide some measure of security. Additionally, internal security teams are not typically the owners of ERP systems, so they aren’t empowered to enforce controls, security compliance, and governance standards. There is also the risk that employees decide to export data from the system and upload data into it manually rather than working directly within it. At organizations with limited tracking and monitoring in place, this can wreak all sorts of havoc on the storage and management of very confidential financial information.

How to avoid this

A solution that layers onto existing systems and processes is key in this case. A platform like Trustmi doesn't integrate into just one system, but into all the systems involved in the payment process, including ERPs and the other tools involved in paying invoices to vendors. Our system can enforce controls so that employees get only the access they need across the finance tech stack. The monitoring and detection our platform provides can also be applied to situations where an employee attempts to override existing controls in the ERP, which can lead to duplicate payments or overpayments. Trustmi’s platform also looks across the entire payment process and connects all the dots to provide comprehensive security, which includes protection against ERP attacks. We integrate seamlessly with ERP systems so that companies can monitor all the activity and changes made to vendor profiles and activity data within the ERP. If deviations from the vendor’s baseline are detected or suspicious activities are identified, the appropriate people in the process are alerted. Systems like ERPs can be a blind spot for many organizations, so a platform that provides visibility into which invoices are uploaded and being paid, and whether any of the payments are at risk, is critical.

The Silos Within the Payment Cycle Make it an Easy Target  

Through any one of these points of vulnerability outlined above, a threat actor can gain access, create vendors, upload invoices, and engage in any number of activities to steal funds from an organization. In the case of internal collusion, these same activities can be more deviously executed and even harder to detect because the bad actor is already familiar with the processes involved in paying invoices at that company.

We only discussed three points of attack and compromise within the payment cycle here, but there are many others we've seen. Because the process is so complex and has so many weak links, there are numerous ways in which threat actors implement attacks against its inherent vulnerabilities. An important characteristic that makes these attacks possible is that each step in the process operates in a silo, so no one ever sees the whole picture of what is going on. For example, an employee’s inbox can’t validate the authenticity of an invoice or confirm whether the vendor that sent it is real. Similarly, the ERP system cannot verify that the uploaded invoice was actually uploaded by the employee whose credentials were used, nor can the ERP validate that the goods and services outlined in the invoice were delivered and that the invoice is authentic. The nuance of detection needed to bridge the gaps and tell the whole story is only possible with advanced technology.
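The three silos described above (onboarding records, the invoice as it arrives by email, and the ERP's vendor-profile history) each hold one piece of evidence that is harmless on its own and telling in combination. The following added example, written for this article and not Trustmi's own code or any ERP's API, shows what cross-silo screening looks like when the pieces are joined: it checks a submitted invoice against the vendor's payment baseline (the anomaly detection discussed under onboarding), against the ERP audit log of bank-detail changes and duplicate invoice numbers (the ERP section), and against separation-of-duties and sender-domain expectations (the BEC and insider scenarios). All vendor records, invoices and field names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed records standing in for three silos: the vendor-master / onboarding
# record, the ERP audit log of vendor-profile changes, and the invoice submission.
# Every field name is an assumption made for this illustration, not a real schema.

@dataclass
class Vendor:
    vendor_id: str
    onboarded_by: str                 # employee who created the vendor record
    expected_domain: str              # e-mail domain recorded at onboarding
    paid_amounts: list = field(default_factory=list)   # amounts of past paid invoices
    bank_changes: list = field(default_factory=list)   # dates bank details changed (ERP audit log)

@dataclass
class Invoice:
    number: str
    vendor_id: str
    amount: float
    submitted_by: str                 # employee whose credentials uploaded it
    submitted_on: date
    sender_domain: str                # domain of the mailbox the invoice arrived from

def screen_invoice(inv, vendors, paid_numbers, bank_change_window_days=30):
    """Return the list of risk flags for one invoice, correlating the three silos."""
    v = vendors.get(inv.vendor_id)
    if v is None:
        return ["UNKNOWN_VENDOR"]            # invoice names a vendor that was never onboarded
    flags = []
    if inv.number in paid_numbers:
        flags.append("DUPLICATE_INVOICE")    # this invoice number has already been paid
    if inv.submitted_by == v.onboarded_by:
        flags.append("SOD_VIOLATION")        # onboarder also submits the invoice (insider pattern)
    if not v.paid_amounts:
        flags.append("NO_PAYMENT_HISTORY")   # first invoice ever: no baseline, verify out of band
    else:
        baseline, spread = mean(v.paid_amounts), pstdev(v.paid_amounts)
        # anomalous if outside 3 sigma and also more than 50% away from the usual amount
        if abs(inv.amount - baseline) > max(3 * spread, 0.5 * baseline):
            flags.append("AMOUNT_ANOMALY")
    window = timedelta(days=bank_change_window_days)
    if any(timedelta(0) <= inv.submitted_on - d <= window for d in v.bank_changes):
        flags.append("RECENT_BANK_CHANGE")   # bank details changed shortly before this invoice
    if inv.sender_domain != v.expected_domain:
        flags.append("SENDER_DOMAIN_MISMATCH")  # arrived from a domain other than the onboarded one
    return flags

def decision(flags):
    """Hold anything flagged for human verification; otherwise let it proceed."""
    return "HOLD" if flags else "PAY"

def run_sample():
    """Screen a constructed batch; returns {invoice number: flags}."""
    vendors = {
        "V100": Vendor("V100", "alice", "northwind.example",
                       paid_amounts=[1000, 1050, 980, 1020],
                       bank_changes=[date(2024, 3, 1)]),      # bank details changed 9 days earlier
        "V200": Vendor("V200", "bob", "newco.example"),        # just onboarded, never paid
        "V300": Vendor("V300", "carol", "acme-supplies.example",
                       paid_amounts=[500, 500, 500]),
    }
    paid_numbers = {"INV-0099"}                                # already settled in a prior run
    batch = [
        Invoice("INV-0101", "V300", 500, "dave", date(2024, 3, 10), "acme-supplies.example"),
        Invoice("INV-0102", "V100", 1010, "dave", date(2024, 3, 10), "northwind.example"),
        Invoice("INV-0103", "V200", 7500, "bob", date(2024, 3, 10), "newco.example"),
        Invoice("INV-0099", "V300", 4000, "dave", date(2024, 3, 10), "acme-supp1ies.example"),
        Invoice("INV-0104", "V999", 250, "dave", date(2024, 3, 10), "anything.example"),
    ]
    return {inv.number: screen_invoice(inv, vendors, paid_numbers) for inv in batch}

if __name__ == "__main__":
    for number, flags in run_sample().items():
        print(f"{number}: {decision(flags)} {flags}")
```

Each check on its own is something one silo could already do; the point of the example is that `INV-0103` (submitted by the same person who onboarded the vendor, with no payment history) and `INV-0099` (a reused invoice number, an out-of-pattern amount, and a lookalike sender domain) only become obvious when the onboarding record, the ERP history and the email metadata are read together. The thresholds and the 30-day bank-change window are arbitrary starting points for a real deployment to tune.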

To learn more about how Trustmi addresses all the problem points in the business payment cycle, get in touch today and we’ll show you our tech in action.