The B2B Payments Fraud Threat Of Internal Employees

It was a difficult week for businesses getting hit with cyberattacks, with foreign currency company Travelex among the most high-profile of recent cases. The currency exchange company continues in the grips of a ransomware attack that has crippled its operations, as well as the foreign currency operations of its corporate clients, including HSBC and Barclays.

As Travelex works to regain control of its systems, restore operations and mitigate any future fallout from the incident, the cyberattack is yet another reminder that one company’s cyber vulnerabilities can have far-reaching effects throughout the B2B supply chain.

This week, however, a rundown of the latest B2B payment scams finds that it’s not only external bad actors, but entities’ own internal personnel that is often the cause of fraudulent activity. PYMNTS’ examination of recent cases finds employees falsifying invoices, doctoring checks and faking out companies to steal money from employers.

Ten percent of business email domains are protected from spoofing, according to recent Security Boulevard reports. That means the vast majority of businesses are at risk for an array of cybersecurity incidents, including the Business Email Compromise (BEC), which often sees fraudsters spoofing legitimate email addresses from vendors, and sending seemingly real requests for payment. The risk can also lead to fraudsters spoofing the email addresses of C-Suite executives to initiate payments to a fraudster’s account.

Approximately $185,000 worth of payroll fraud hit a Minnesota company, with local reports noting that a bookkeeper allegedly manipulated payroll data to overpay her salary. The scam reportedly lasted about five years, and the former bookkeeper has now been charged with felony theft.

About $1 million was swindled from the Colorado town of Eerie, with the FBI now investigating the matter. Gov Info Security said a reported cybersecurity incident involved a scammer using the town’s website to request changes to bank account information for a local construction supplier, with directions to receive payment via wire transfer instead of check. That requested change was not entirely verified by town personnel, reports said, and the wire transfer information was later confirmed to not be related to the real supplier. The case coincided with another cybersecurity incident at a Colorado water supplier, in which fraudsters infiltrated the utility platform of Aurora Water to steal customer information.

According to local Kentucky Today reports, $1.5 million was embezzled from a Kentucky school district, pointing to a former finance director, now the subject of an FBI probe. Reports said the former finance director allegedly stole $1.5 million since at least 2011 by generating fake invoices from legitimate vendors, and using company checks that were reportedly doctored to be deposited into her personal account. According to the publication, the school district’s annual audit failed to identify the scheme because only a section of all transactions are reviewed.

This week, cybersecurity publication Naked Security reported that $6 million was stolen from a New York company via invoice fraud. Court filings said a former IT executive established a fake shell company that posed as a legitimate supplier of his employer. He was allegedly able to generate invoices addressed to himself, and reportedly used company cash to pay the false supplier, dubbed Interactive Systems. As reports noted, among the suspicious behavior is the accusation that several invoices were submitted as Microsoft Word documents, with metadata pointing to the IT employee generating the documents while at the company being billed.