The Human Factor: How Eliminating Human Vulnerabilities Can Stop Social Engineering Fraud

By Shai Gabay, CEO and Co-Founder, Trustmi

Fraud is becoming more sophisticated, targeting companies with increasing precision, especially in two critical areas: Accounts Payable (AP) and payment processing. Employees in these vendor-facing roles are prime targets because they have access to funds and the ability to approve or modify payments.

A couple of factors exacerbate the issue. First, businesses continue to rely on security tools and financial controls that are siloed and lack the contextual data needed to detect and prevent these attacks, which, according to the FBI, cost organizations $1.5 million each on average.

Next, attackers have upped their tactics in a few key ways:

  • They infiltrate businesses from multiple angles, including through vendor accounts, reaching layers of the supply chain that sit well beyond the organization’s day-to-day visibility (the people it interacts with regularly).
  • They are building more sophisticated capabilities for evading security controls and pushing past existing risk thresholds, including what is today the greatest threat to payments: social engineering.

Cybersecurity’s Biggest Threat

Social engineering, which now includes deepfakes, is the most prevalent form of attack. Research found that 90% of cyberattacks in 2024 involved social engineering tactics. And it’s not just about frequency. With the help of AI, these attacks are becoming more costly. In its Digital Fraud: The Case for Change report, Deloitte states that the “rapid expansion of AI and GenAI tools provides the resources for bad actors to scale their attacks, both on the financial institutions and directly to their customers.” The report says that “the proliferation of GenAI tools could enable fraud losses to reach US$40 billion in the United States by 2027, up from US$12.3 billion in 2023.”

The Lifecycle of Fraud: How Social Engineering Exploits Each Stage

When it comes to fighting back, a key element is understanding the many ways attacks come at your business at each stage of the payment lifecycle. Here are the main examples.

Deepfake Impersonations: Fraudsters increasingly use impersonation, now including deepfake audio and video, to craft emails, calls, videos, and other communications that convincingly appear to come from senior executives, including those of Financial Times Stock Exchange (FTSE) companies. The goal is to convince an employee to transfer substantial funds. While these attacks can impersonate people at any level, choosing senior executives is far more effective, since employees naturally trust leadership and are often inclined to bypass standard review protocols for what looks like a significant matter. The FBI’s Internet Crime Complaint Center (IC3) reported $2.95 billion in losses from BEC scams in 2023.

To turn up the heat, fraudsters often add a layer of pressure. They might claim a payment is overdue or tied to a critical deadline, such as finalizing an acquisition. In extreme cases, they may threaten disciplinary action or other penalties to push employees into bypassing established protocols. This tactic preys on the human desire to avoid conflict or negative repercussions, especially when the request appears to come from a high-ranking authority.
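The executive-impersonation and pressure signals described above can be checked mechanically before a payment request ever reaches an approver. The following is an added example, not code from the original article or from Trustmi: it scores an inbound message on whether the display name matches a known executive while the mailbox does not, whether Reply-To silently diverts replies elsewhere, whether the sender is external, and how much urgency or secrecy language the body carries. The executive directory, internal domains, phrase list, scoring weights and the two sample messages are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed data (assumption): the organisation's executive directory and
# its own mail domains. A real deployment would pull these from the IdP/HR system.
EXECUTIVES = {
    "dana levi": "dana.levi@example-corp.com",
    "omar haddad": "omar.haddad@example-corp.com",
}
INTERNAL_DOMAINS = {"example-corp.com"}

# Pressure and secrecy phrases typical of executive-impersonation wire requests.
PRESSURE_PATTERNS = [
    r"\burgent(?:ly)?\b", r"\bimmediately\b", r"\btoday\b", r"\bconfidential\b",
    r"\bdo not (?:discuss|share|mention)\b", r"\bacquisition\b", r"\bwire\b",
    r"\bbefore (?:close|end) of (?:business|day)\b", r"\bdisciplinary\b",
]


@dataclass
class Assessment:
    score: int
    reasons: list


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(headers: dict, body: str) -> Assessment:
    """Score a payment-related e-mail for executive impersonation and pressure tactics."""
    score, reasons = 0, []
    display_name, from_addr = parseaddr(headers.get("From", ""))
    name_key = " ".join(display_name.split()).lower()
    from_domain = _domain(from_addr)

    # 1. The display name is a known executive, but the mailbox is not theirs.
    expected = EXECUTIVES.get(name_key)
    if expected and from_addr.lower() != expected:
        score += 50
        reasons.append(f"display name '{display_name}' is an executive but sender is {from_addr}")

    # 2. Replies are routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        score += 20
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_domain}")

    # 3. The request comes from outside the organisation's own domains.
    if from_domain and from_domain not in INTERNAL_DOMAINS:
        score += 10
        reasons.append(f"external sender domain {from_domain}")

    # 4. Urgency, secrecy or threats in the body (capped so wording alone never blocks).
    hits = [p for p in PRESSURE_PATTERNS if re.search(p, body, re.IGNORECASE)]
    if hits:
        score += min(30, 10 * len(hits))
        reasons.append(f"{len(hits)} pressure/secrecy phrases")
    return Assessment(score, reasons)


def verdict(a: Assessment) -> str:
    """Map the score to a workflow action; the thresholds are an assumption for this example."""
    if a.score >= 70:
        return "block"    # quarantine and confirm with the named executive out of band
    if a.score >= 30:
        return "review"   # require a second approver before any payment action
    return "allow"


# Constructed sample messages (not real mail).
FRAUD_MSG = (
    {"From": '"Dana Levi" <dana.levi@example-corp-ceo.com>',
     "Reply-To": "dana.levi.office@mail-example.net"},
    "I need you to process a wire immediately. This is confidential and tied to an "
    "acquisition closing today, so do not discuss it with anyone on the team.",
)
LEGIT_MSG = (
    {"From": '"Dana Levi" <dana.levi@example-corp.com>'},
    "Attached are the Q3 slides for Thursday's board review.",
)

if __name__ == "__main__":
    for headers, body in (FRAUD_MSG, LEGIT_MSG):
        a = assess_message(headers, body)
        print(verdict(a), a.score, a.reasons)
```

The important design point is that the body wording is capped at 30 points: a genuinely urgent request from the real executive should land in "review", not "block", while a look-alike sender is weighted heavily enough that it cannot be talked down by polite phrasing. Whatever the score, the confirmation step should be a call to the executive's number on file, never a reply to the message.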

AI-Generated Phishing: Attackers use AI to gather and analyze vast amounts of data about their targets, drawn from social media profiles, public records, and data leaked in breaches. As a result, cybercriminals can model the target’s behavior, preferences, and likely weak points. From there, they craft highly personalized and convincing phishing emails that not only mirror a colleague’s writing style but reference other details, such as a recent event, making them more effective and harder to detect. And these aren’t one-off campaigns: thousands of such messages can be sent simultaneously to an extensive audience.

Fake Invoices in Payment Initiation: The payment lifecycle begins with initiation, when a vendor submits an invoice for goods or services rendered. In larger businesses, small teams process large volumes of invoices every day. For many criminals, the initiation phase is the ideal time to launch a social engineering attack using vendor impersonation schemes.

Here, fraudsters posing as legitimate vendors use fake invoices to initiate payments. Sometimes they intercept genuine invoices, alter minor details such as the bank account number or payment amount, and resubmit them for processing. Because small teams are stretched thin, meticulous scrutiny of every invoice is rarely possible, which is precisely why fraudulent invoices slip through undetected and lead to significant financial losses.
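The two invoice-stage schemes just described, an altered genuine invoice and a look-alike vendor, both leave traces that can be checked against the vendor master record before release. The following is an added example, not code from the original article or from Trustmi: it compares the sender domain, bank account and amount on a submitted invoice with what was recorded at vendor onboarding, flags look-alike domains by edit distance, and holds any bank-detail change for a call-back to the number already on file. The vendor record, the invoices and the thresholds are constructed assumptions for illustration.

```python
from statistics import median

# Constructed vendor master record (assumption): what AP holds on file for each vendor,
# including the sender domain registered at onboarding and recent paid amounts.
VENDOR_MASTER = {
    "V-1001": {
        "name": "Northwind Supplies",
        "domain": "northwind-supplies.com",
        "bank_account": "GB29NWBK60161331926819",
        "paid_history": [4800, 5100, 4950, 5200],
    },
}

SEVERITY_HOLD, SEVERITY_REVIEW = "hold", "review"


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_invoice(inv: dict, master: dict = VENDOR_MASTER) -> list:
    """Return (severity, reason) findings for one submitted invoice."""
    findings = []
    rec = master.get(inv["vendor_id"])
    if rec is None:
        return [(SEVERITY_HOLD, f"unknown vendor id {inv['vendor_id']}")]

    sender_domain = inv["sender_email"].rsplit("@", 1)[-1].lower()
    if sender_domain != rec["domain"]:
        dist = levenshtein(sender_domain, rec["domain"])
        if dist <= 2:
            findings.append((SEVERITY_HOLD,
                             f"look-alike sender domain {sender_domain} (edit distance {dist} from {rec['domain']})"))
        else:
            findings.append((SEVERITY_REVIEW, f"sender domain {sender_domain} is not the one on file"))

    # Any change to bank details is held until confirmed by a call-back to the phone
    # number already on file, never to a number printed on the invoice itself.
    if inv["bank_account"] != rec["bank_account"]:
        findings.append((SEVERITY_HOLD,
                         "bank account differs from vendor master; confirm by call-back to number on file"))

    hist = rec["paid_history"]
    if hist and inv["amount"] > 2 * median(hist):
        findings.append((SEVERITY_REVIEW,
                         f"amount {inv['amount']} exceeds twice the median paid ({median(hist)})"))
    return findings


def decision(findings: list) -> str:
    if any(sev == SEVERITY_HOLD for sev, _ in findings):
        return "hold"
    return "review" if findings else "release"


# Constructed sample invoices (not real data).
GENUINE = {"vendor_id": "V-1001", "sender_email": "billing@northwind-supplies.com",
           "bank_account": "GB29NWBK60161331926819", "amount": 5000}
# Intercepted genuine invoice re-sent with only the account number changed.
ALTERED = dict(GENUINE, bank_account="GB94BARC10201530093459")
# Look-alike domain ("supplles"), new account and an inflated amount.
LOOKALIKE = {"vendor_id": "V-1001", "sender_email": "billing@northwind-supplles.com",
             "bank_account": "GB94BARC10201530093459", "amount": 15000}

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("altered", ALTERED), ("lookalike", LOOKALIKE)):
        f = check_invoice(inv)
        print(label, decision(f), f)
```

Note that the altered invoice arrives from the vendor's real domain and for a normal amount; only the bank-account comparison catches it, which is why that single check is treated as a hard hold rather than a score contribution.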

Account Takeovers and Payment System Manipulation: At the processing stage, fraudsters use stolen credentials obtained through phishing or data breaches to gain unauthorized access to payment systems. Once inside, they impersonate legitimate users, modifying payment instructions or creating fraudulent transactions for work that was never done. In automated systems such as Automated Clearing House (ACH) transfers, attackers may alter payment templates or schedules to redirect funds to their own accounts. These subtle changes often go unnoticed until the damage is done.
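Template manipulation after an account takeover is visible in the payment system's own audit trail, provided someone correlates the events. The following is an added example, not code from the original article or from Trustmi: it runs over a constructed audit log and raises alerts when the bank-detail fields of an ACH template are changed from an IP address never seen for that user or outside business hours, and when a payment is submitted against a template whose bank details changed within the last 24 hours without an out-of-band verification event in between. The event names, field names, IP baseline, business-hours window and log entries are all assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed baseline (assumption): source IPs previously seen for each AP user.
KNOWN_IPS = {"alice.ap": {"10.20.0.15"}, "bob.ap": {"10.20.0.31"}}
SENSITIVE_FIELDS = {"routing_number", "account_number", "beneficiary_name"}
WINDOW = timedelta(hours=24)        # how long a bank-detail change stays "fresh"
BUSINESS_HOURS = range(7, 20)       # 07:00 to 19:59 local time

# Constructed audit log (assumption): not real events. T-12 is changed from an
# unfamiliar address in the middle of the night and then paid the same morning.
AUDIT_LOG = [
    {"ts": "2024-09-03T09:12:00", "user": "alice.ap", "ip": "10.20.0.15", "action": "login"},
    {"ts": "2024-09-04T02:41:00", "user": "bob.ap", "ip": "203.0.113.9", "action": "login"},
    {"ts": "2024-09-04T02:44:00", "user": "bob.ap", "ip": "203.0.113.9", "action": "template.update",
     "template": "T-12", "field": "routing_number"},
    {"ts": "2024-09-04T02:45:00", "user": "bob.ap", "ip": "203.0.113.9", "action": "template.update",
     "template": "T-12", "field": "account_number"},
    {"ts": "2024-09-04T08:30:00", "user": "bob.ap", "ip": "203.0.113.9", "action": "payment.submit",
     "template": "T-12", "amount": 248000},
    {"ts": "2024-09-05T10:05:00", "user": "alice.ap", "ip": "10.20.0.15", "action": "template.update",
     "template": "T-77", "field": "memo"},
    {"ts": "2024-09-05T10:06:00", "user": "alice.ap", "ip": "10.20.0.15", "action": "payment.submit",
     "template": "T-77", "amount": 1200},
]


def detect(events: list, known_ips: dict = KNOWN_IPS) -> list:
    """Return (timestamp, template, message) alerts for suspicious template activity."""
    alerts = []
    pending = {}   # template id -> time of last unverified bank-detail change
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["action"] == "template.update" and e.get("field") in SENSITIVE_FIELDS:
            reasons = []
            if e["ip"] not in known_ips.get(e["user"], set()):
                reasons.append(f"change from IP {e['ip']} never seen for {e['user']}")
            if t.hour not in BUSINESS_HOURS:
                reasons.append(f"change at {t:%H:%M} outside business hours")
            if reasons:
                alerts.append((e["ts"], e["template"],
                               "sensitive template change: " + "; ".join(reasons)))
            pending[e["template"]] = t
        elif e["action"] == "template.verify":
            # A second person confirmed the new details by call-back; clear the hold.
            pending.pop(e["template"], None)
        elif e["action"] == "payment.submit":
            changed = pending.get(e["template"])
            if changed is not None and t - changed <= WINDOW:
                alerts.append((e["ts"], e["template"],
                               f"payment of {e['amount']} {t - changed} after unverified bank-detail change"))
    return alerts


if __name__ == "__main__":
    for ts, template, msg in detect(AUDIT_LOG):
        print(ts, template, msg)
```

The memo change on T-77 produces nothing, because only bank-detail fields start the 24-hour clock, and the payment against T-12 would be silent too if a `template.verify` event from a second approver had been logged between the change and the submission. That gap between "changed" and "verified" is the control the attacker relies on never being enforced.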

Strengthening Defenses: Combating Social Engineering at Every Stage

For businesses fighting back, here’s the first step: stop viewing social engineering solely as an email security threat. These attacks extend far beyond email, infiltrating the entire payment process and targeting systems, workflows, and data across the organization.

With this understanding, it’s time to implement a multi-layered defense strategy that addresses vulnerabilities across the payment lifecycle to protect against social engineering and other fraudulent tactics. Some key elements of this approach include:

  • Comprehensive Contextual Insight: Integrating email, payment, and vendor behavior data so that your team can detect irregular patterns across the entire process rather than within one tool at a time.
  • Proactive Monitoring of High-Risk Roles: While anyone at a business can be a target, it’s vital that systems actively monitor and secure the roles with access to funds, such as finance staff, executives, and vendor-facing employees.
  • Adaptable AI-Driven Detection: Just as fraudsters are turning to AI, so should you. Use AI tools to analyze patterns, detect anomalies, and recognize synthetic threats such as deepfakes or real-time voice manipulation. Unlike static rules, these models are retrained on new attack methods, enabling identification and prevention of emerging threats as they appear.

While social engineering has existed for a long time, the latest attacks show a clear evolution in technique. These methods will continue to evolve, using psychological manipulation to exploit weaknesses in the payment lifecycle. From fake invoices and account takeovers to executive impersonation and high-pressure tactics, these schemes are designed to capitalize on human error and trust to get their hands on your company’s money.

But companies are not without recourse. Fighting back begins with understanding the vulnerabilities at each stage of the payments lifecycle and implementing a comprehensive defense strategy built on contextual insight, proactive monitoring of high-risk roles, and adaptable AI-driven detection. With the right approaches, organizations can protect themselves from these sophisticated threats and whatever comes next.


Shai Gabay Bio

A visionary entrepreneur, Shai Gabay has always held a deep passion for cybersecurity and fintech, and over the course of his career, he has developed his expertise in both areas. Currently, Shai is a co-founder and the CEO of Trustmi, a leading end-to-end payment security platform founded in Israel in 2021. Prior to Trustmi, he was General Manager at Opera, VP of Product and Services at Cynet, CIO at Cyberbit and the CISO at Discount Bank.

Shai holds a Bachelor’s Degree from Shenkar College in software engineering, and also a Master’s degree in Business Administration and Management from Tel Aviv University.  Additionally, Shai was selected for the prestigious 1-year full scholarship executive excellence program at the Hoffman Kofman Foundation, a program tailored to outstanding alumni of IDF’s Elite Units. Through this program, he had the opportunity to study with prominent co-founders and leaders at renowned global tech companies and professors at elite universities.
