Business IT departments are plenty busy without having to deal with the potential fallout from cyber attacks. But the threat that online scammers pose to businesses has never been greater -- or more costly.
While businesses have to be vigilant for many forms of cyber fraud, few are more pervasive and difficult to guard against than phishing attacks. Whether it's counterfeit emails that are easy to mistake as genuine, official-looking SMS messages, or computer-generated voicemails, phishing attacks have become the bane of IT managers everywhere.
Phishing attacks are the preferred strategy of scammers looking to target companies, especially those with a large network of email users. Businesses reported over 500 million phishing attempts in 2022. That's a more than twofold increase from the previous year.
Scammers have no limit on how many bogus emails or automated text messages they can blast out in a day. They can afford to miss. IT departments take a big risk if they fail to prevent even a single phishing attack.
Consider, while the average cost of a business data breach climbed to $4.35 million in 2022, the cost of email phishing scams can easily be far higher. A 2021 study by the Ponemon Institute found that such attacks cost large organizations almost $15 million annually, or more than $1,500 per employee.
While every business division and employee may be vulnerable to a phishing scam, the accounts payable department – and its executives and mid-level managers – has emerged as an enticing target.
This makes sense, as AP operations often rely on email for vendor invoicing and communication, and the department is empowered to field payment requests from suppliers and others.
The accounts payable department is the most susceptible to cybercriminals' attempts at "Business Email Compromise," or BEC, fraud. Some 58% of respondents on a survey about BEC said their AP department was targeted by email scams. The threat of phishing fraud is heightened among AP teams because they are responsible for paying suppliers and vendors.
One scheme might involve a scammer trying to gain access to a company’s bank accounts through a phishing attack by mimicking key vendors and sending fake invoices. Once opened, the emails give the scammers access to the business’s system. Another common scam arrives as an email that appears to come from a trustworthy company or individual and often involves a request for payment.
A single phishing attack targeting the AP department can potentially give hackers access to deploy malicious software inside the company's networks, enabling the scammers to drain or even wipe out a company's financial accounts in a flash.
Awareness, training and email protection software with robust authentication are key to minimize phishing attack risks company wide, but investing more time and resources to protect your AP department should be a priority.
The vast majority of phishing attempts begin with a fraudulent email. They can target anyone in a company, but it pays to focus particularly on securing the accounts of execs. Phishing attacks that targeted emails of high-level executives cost businesses $43.31 billion globally between 2016 and 2021, according to the FBI.
The fact is busy executives are among the most vulnerable to phishing attacks and often can't tell when an email is fake. Scammers like to target the C-Suite because when they successfully spoof executive emails or login details they can often access a trove of valuable company information. This can range from financial accounts to sensitive employee details from W-2 forms.
Executives who may have some of their personal history on the company website, posted in social media or accessible from past press releases are especially vulnerable to “spear” phishing attacks.
These involve a scammer using available personal information on the executive to make fake emails look like they’re from a trustworthy source. The goal is to get the executive to lower his guard and click on a link in the email or download an attachment that grants the scammer access to the target’s computer.
Managers outside of the top executive ranks are also targeted often by scammers seeking to take advantage of the fact that many mid-level managers often deal with a deluge of email and may not immediately spot fakes. These threats are heightened when it comes to managers who are part of AP teams, given that they are often in position to sign off on payments and other permissions.
Mid-level AP department managers are often targeted with business email attacks that come disguised as an email sent from the CEO or other high-ranking executive. These attacks typically involve asking the manager to disclose sensitive company or client data or to wire funds, for example to finalize a deal with a new client.
Scammers will also target AP team managers with an email pretending to come from a trusted vendor and asking for immediate payment due to a purported past-due invoice.
An AP automation platform can help mitigate the risks that phishing attacks and similar scams will be successful. Leading AP automation solutions feature tools that streamline the vendor invoice processing and payment process. Users on both sides of the transaction can verify the status of invoices at any time, so that it’s easy to confirm whether a payment request is legitimate or not.
It also helps to ensure all executives and AP department staff use multi-factor authentication for all financial transfers. And employees should always verify all email requests for payment or sensitive information over a separate means of communication.
No system is 100% secure from hackers, but businesses that use AP automation solutions to increase process controls and set more rigid business standards are better equipped to catch and address instances of fraud upfront.
IT teams should regularly reassess their risk management and prevention efforts. This should go beyond email and other internal communication security to include secure document storage. Sensitive documents that are kept in hard drives can be easily accessed by scammers who gain access to your computer system via a successful phishing attack.
The relentless barrage of phishing attacks on businesses these days requires a strategic approach that ensures your company is defending against this potentially costly threat.
Protecting your AP department is a great place to start. Using an AP automation platform will help by centralizing AP tasks and employee communication, effectively placing an extra firewall between AP teams and scammers.
DocuPhase's AP automation solution can guard against phishing scams by reducing emails with its built-in workflow and collaboration tools. It also fully supports cloud integration.
Get in touch to learn how DocuPhase can strengthen the security of your workplace while saving you time by improving your business process efficiency.