Trust but verify - Identify your cyber security business risks
SG1 Cyber Security
How we protected a building firm against fraudulent invoices​
​
SG1 Cyber Security recently conducted a cybersecurity review for a building firm that deals with numerous invoices from a wide range of suppliers. Like many firms in the construction industry, they rely heavily on trusted suppliers for timely delivery of materials and services, making smooth invoicing a key part of their day-to-day operations. However, during the review, a significant vulnerability in their invoicing process was uncovered—one that posed a serious risk to the firm's financial security.
​
The review revealed that the building firm was at risk of a supply chain attack, where a supplier’s system could be compromised, and a fraudulent invoice could be sent to the building firm. In such a scenario, the compromised supplier might unknowingly send an invoice with altered bank account details. Because the building firm trusts and expects the invoice, there is a high likelihood they would pay the invoice without question, resulting in financial loss due to the funds being sent to a fraudulent account.
​
This kind of attack—where a trusted entity within the supply chain is compromised—can have devastating consequences. Not only could the building firm lose significant amounts of money, but its operational workflow could be severely disrupted while they try to trace and recover the funds. The impact on relationships with suppliers, and the overall trust in the invoicing process, would be difficult to repair.
​
To address this risk, SG1 Cyber Security provided a detailed report that outlined the vulnerabilities and recommended security controls to prevent fraudulent invoices. These controls included implementing verification procedures for invoices, such as multi-step verification for bank account changes, and adopting automated tools to detect anomalies in supplier information. By putting these measures in place, the building firm can significantly reduce the risk of falling victim to a supply chain attack, ensuring that supplier payments are secure and trust within the supply chain is maintained.
