One of the most established cybercrime methods is business email compromise (BEC). BEC can involve a variety of tactics aimed at manipulating or rerouting invoices.

For example, a cybercriminal might compromise a vendor’s email account, gaining access to invoices, and then change important bank information. The AP department may then unwittingly direct payment to the criminal's account. Or thieves might gain access to an executive’s email account, mimic that person’s communication style, and use their account to submit fake invoices without setting off alerts.

Criminals often take time to study their targets to make their BEC attempts more convincing. Once a criminal has compromised a company email account, he or she may study how the owner communicates and what topics arise often in their exchanges with vendors or customers. Such tactics, also known as social engineering, can make fake communications seem more normal and unexceptional — and therefore easier for AP personnel to miss.

Although functions within a company’s purchasing and AP systems are typically distinct, they need to be connected at certain points to facilitate data transfer and support end-to-end workflows. For instance, invoicing systems may be connected to accounting software and payment processors. Enterprise resource planning (ERP) systems may be linked to treasury platforms. Each node in this digital network provides cybercriminals with opportunities to breach the security perimeter and hack into multiple systems.

The more connected a program is, the more data it will collect from other programs or vendors. Personally identifiable information is another attractive target for cybercrime, since it can be used to create false identities or harvested for use in other criminal activities.

Third parties in a company’s supply chain — or even fourth parties, who are not directly linked to the AP system — compound threats to connection points. Even if an organization’s AP security is robust, criminals may exploit weaknesses in primary or secondary connections to gain access to the organization through a trusted channel.

AP functionality is becoming more reliant on distributed cloud systems. The security of cloud servers is generally robust but not infallible. Companies need to take steps to make sure their AP systems are safely connecting to the cloud and ensure employees are not introducing vulnerabilities through improper cloud control configurations.

AP personnel, like other critical workers, can perform their tasks from almost anywhere. But many lack safety controls on their remote or personal devices — or even a secure internet connection. In many companies, decision-makers have no clear view of the security protocols in their employees’ homes.

While every organization will have distinct needs based on its system specifics, company culture and work processes, here are some guidelines for maintaining security in these critical functions:

• Implement basic controls. AP system processes can benefit from multifactor authentication, strong access management tools and data storage procedures. Companies should also consider dual control for administrative duties and payment approvals to reduce the risk of unauthorized changes or fraudulent transactions.
• Review all processes. Companies should review their protocols for verifying invoices and payment requests, paying particular attention to requested changes to account numbers, even if those requests come from the accounts of established vendors. Requests for payment account changes should be independently verified outside of prior communications with a trusted vendor contact. Adding a deliberate “pause” before approving changes can prevent costly errors.
• Deploy data analytics. Automated scans can help AP systems detect anomalous payments and send alerts when payment thresholds are crossed. Machine learning software can detect discrepancies over time and flag questionable transactions.
• Protect data outside the security perimeter. As more employees work outside the company firewall, businesses should take extra steps to guard their data. That means making sure employees use safe password practices including not sharing passwords, updating work logins and never using public, unsecured networks.
• Continually review tools for detecting unusual activity. Cybercriminals may spend months within one system after breaching it, siphoning off small amounts from AP accounts over time to avoid detection. The more complex a company’s AP system is, the greater the need for investing in strong network monitoring tools and continually reviewing them.
• Manage third- and fourth-party risk. Companies can embed quality controls, cybersecurity best practices and compliance standards in vendor contracts, and require regular reviews of vendors’ security processes. AP employees should regularly review and update the vendor management list. Companies should also maintain communication protocols to alert vendors as soon as a security issue arises.
• Enlist employees. Securing payments depends on educated employees who prioritize cybersecurity and embrace their roles in overall company defense. It is incumbent on relevant AP employees — not just security experts — to understand how a company’s devices, networks, and technology connect and how those linkages could be vulnerable to a security breach.

Companies should provide formal training to key employees, testing them with company-generated phishing emails and making it clear when responses should escalate and how management and partner organizations should be alerted. 

In addition, members of the AP team should be included in any discussions about security issues. Whenever possible, it's also important to keep the controls of AP systems only in the hands of those who need them.

As AP systems become more digitized and interconnected, safeguarding them is not optional — it is a strategic imperative. Organizations that invest in strong controls, continuous monitoring, and employee education will be best positioned to prevent fraud and protect their reputation.