How To Create a Hostile Environment for AI Fraudsters in the Supply Chain

By Vishal Grover, CIO at apexanalytix

The rapid rate of innovation in artificial intelligence is substantially aiding business growth and success, but it’s also opening organizations up to greater and harder-to-identify risks. You’re likely familiar with the meteoric rise of ChatGPT over the last 18 months, but how much do you know about its black-hat alternative, WormGPT? While the average person is concerned about the increased potential for plagiarism with ChatGPT, security professionals should be sounding internal alarm bells about the lack of safeguards in WormGPT that make cybercrime significantly easier. For example, the program could help a phisher draft a fabricated email to employees requesting an urgent bank account change that looks like it’s coming from the company’s CEO.

Let’s make this situation a little more concrete, though, shall we? The FBI reported that cybercrime losses increased by 66% from 2021 to 2022 – and that was before the advent of ChatGPT in November of 2022 and the substantial boom of other generative AI-powered technologies since then. The greatest contributing factor to the increase in losses came from crimes that leveraged business email compromises (BECs) like the example above. Even more striking is that 62% of cyber breaches were attacks on the supply chain and suppliers’ IT systems, while 50% of supply chain disruptions resulted from such attacks. 

Related:We’re Worried About Deepfake Voice Scams. How Do We Protect Employees?

So, knowing it’s a primary target for fraudsters, what can security professionals do to prevent these advanced AI-powered attacks from hitting their company’s supply chain? Modernizing bank change verifications, removing manual processes, and leveraging new AI tools are all keys to creating a hostile enough environment that keeps bad actors at bay.

1. Leave outdated bank change verification methods behind

Far too many organizations continue to rely on verification processes that had already started to feel outdated by the turn of the century. Now, in the age of GenAI, they’re borderline archaic. You may still run into someone who uses a penny test for verification processes, but all that does is confirm who owns a bank account without proving you’re sending payments to the right person. Confirming via documents or contracts is no better. As stated above, modern image manipulation and deepfake tools make it incredibly easy to falsify documentation. 

Calling the supplier or internal sponsor directly is always an option, but in this case, you must ensure that your contact information is complete and updated. Question anyone who says there was a recent contact change to verify they’re not a fraudster attempting to take over a supplier’s account. It would also be wise to, at a minimum, utilize a more manual form of “two-factor verification” in this situation by getting confirmation from more than one contact at the supplier before accepting a banking change.

Related:Phishing Attacks, Deepfakes Top AI-Powered Threats

The cost of cybercrime is projected to hit $10.5 trillion by 2025, so working to reduce the risk of human error is vital to loss prevention. The key is ensuring you can prevent fraud before payments are made rather than after they’ve been transferred. Security professionals should modernize their organizations’ bank change verifications with real-time validation and automated fraud prevention, eliminating the need for manual tasks like penny tests, emailing the supplier, or calling an internal sponsor prone to human error.

2. Utilize a security-centric supplier portal

This starts with onboarding or creating your own portal and requiring that all changes be done through it. When assessing which portal to use, ask your bank what access controls they can leverage. Any portal worth its salt should have an equal level of security controls. A few sample controls include requiring multi-factor verification, biometrics, and IP address tracking. 

Related:Master AI Cybersecurity: Protect and Enhance Your Network

The portal should also have AI tracking tools that assess vendor behaviors and flag suspicious actions to identify fraudulent activity more effectively. Security teams must monitor access and banking activity on an ongoing basis. Much like how your bank prompts security checks when you try to log in on a new device or use your credit card in a different state, your vendor portal should track your supplier’s behavior and look for anything unusual. If incoming activity is from an unidentified device, taking place at an unusual hour, or from an unknown address, then chances are that the change request is fraudulent.

Finally, it is important to establish automated validation processes for supplier invoices and payments. The system should be able to leverage AI to check all transactions against previously authenticated records to ensure money goes to the actual vendor or supplier. Just as cybercriminals are finding ways to automate their attacks, businesses need to work to stay one step ahead with their automation.

3. Confirm bank account ownership with the actual bank

In the U.S., banks are legally obligated to confirm account ownership. The downside is that financial institutions are often hesitant to verify this information with a simple phone call. Fortunately, there are tools to discover if an account is used to pay other suppliers, how long it has been in use, the frequency of its use, and so on. Similarly, it's possible to fully automate the verification process with ownership validation services. Organizations with international vendors may find this more challenging as the processes and laws differ across the globe. However, they should conduct equivalent effort and research to verify bank ownership for a supplier before sending funds all the same.

At the end of the day, security teams are in an AI arms race with fraudsters as deepfakes, synthetic voice tools, GenAI technologies, and image manipulators become more advanced and more accessible to fraudsters. Supply chain risks have the potential to upend business operations. The more security professionals can turn manual supplier management processes into automated ones, the better they can avoid contributing to the ever-growing pot of cybercrime losses.

About the Author

As the Chief Information Officer, Vishal Grover is responsible for establishing and maintaining a company-wide information security and risk management program to ensure that the data assets of apexanalytix and our clients are protected.

Vishal has over 20 years of experience in information technology and has had numerous roles across multiple disciplines such as application development, database management, IT infrastructure ,and information security. His extensive background includes implementing programs for evolving security and compliance requirements (SSAE18, PCI, secure SDLC, GDPR, disaster recovery) to ensure the highest level of security, performance, and availability for the largest companies in the world.

Vishal graduated from Delhi University with a degree in Commerce. He also holds an advanced IT diploma from NIIT along with SUN Certification.