Cyber-Enabled Fraud Scenarios in Major Business Processes
This document outlines common cyber-enabled fraud scenarios for each major business process in a generic organization, covering vectors like general email phishing, business email compromise (BEC), invoice fraud, and payroll bank account changes.
Procurement and Accounts Payable
This process involves sourcing goods/services, approving purchases, and paying suppliers.
- General Email Phishing: Fraudsters send spoofed emails mimicking vendors, tricking employees into revealing procurement details or approving fake bids, leading to overpriced or nonexistent contracts.
- Business Email Compromise (BEC): Hackers compromise a supplier's email to alter contract terms mid-negotiation, inserting clauses that favor fraudulent payments or diverting funds to attacker-controlled accounts.
- Invoice Fraud: Cybercriminals impersonate suppliers via email, submitting forged digital invoices with manipulated bank details (e.g., via PDF alterations or fake portals), causing payments to mule accounts. Common in automated AP systems where invoices are uploaded without verification.
- Payroll Bank Account Changes: Not directly applicable to this process, though it overlaps when procurement staff are targeted with spoofed HR requests to change the accounts their own salaries are paid into.
Finance and Treasury
This covers budgeting, cash management, investments, and fund transfers.
- General Email Phishing: Emails posing as auditors or regulators request sensitive financial data, enabling identity theft for unauthorized wire transfers.
- Business Email Compromise (BEC): Attackers hijack executive emails (e.g., CFO) to authorize fraudulent wire transfers to offshore accounts, often timed with legitimate deals.
- Invoice Fraud: Fake treasury reports or investment offers sent by email lure finance teams into approving bogus reimbursements or deposits.
- Payroll Bank Account Changes: Fraudulent emails from "employees" request changes to investment-linked accounts, diverting bonuses or expense reimbursements.
Human Resources and Payroll
This includes hiring, employee management, compensation, and benefits administration.
- General Email Phishing: Spoofed HR emails collect W-2 forms or personal data, leading to tax fraud or identity theft affecting payroll deductions.
- Business Email Compromise (BEC): Compromised HR email approves fake new hires, adding ghost employees to payroll systems.
- Invoice Fraud: Fraudsters pose as benefits providers, submitting altered invoices for health insurance or pensions, siphoning funds.
- Payroll Bank Account Changes: Employees receive phishing emails mimicking HR portals, prompting bank detail updates; or BEC attacks where attackers impersonate employees to change direct deposit info, redirecting salaries to fraudster accounts. Common via spoofed forms or malware-infected attachments.
Sales and Accounts Receivable
This process manages customer orders, invoicing clients, and collecting payments.
- General Email Phishing: Fake customer inquiries via email extract pricing data, enabling competitive espionage or fraudulent orders.
- Business Email Compromise (BEC): Hackers compromise customer emails to request invoice adjustments, rerouting payments to attacker banks.
- Invoice Fraud: Cyber-enabled alteration of customer invoices (e.g., via email attachments) to change payment amounts or details, or issuing fake credit notes to refund to fraud accounts.
- Payroll Bank Account Changes: Limited applicability, though sales commissions can be diverted by the same BEC tactic, with attackers impersonating sales reps to change their payout details.
Supply Chain and Logistics
Involves inventory management, vendor coordination, and distribution.
- General Email Phishing: Emails mimicking logistics partners ask staff to open "tracking updates" whose attachments or links install ransomware, disrupting the supply chain.
- Business Email Compromise (BEC): Compromised vendor emails demand urgent "shipping fee" payments to fake accounts.
- Invoice Fraud: Forged shipping invoices sent via email, inflating costs or adding phantom charges for undelivered goods.
- Payroll Bank Account Changes: Drivers or warehouse staff targeted with fake HR emails to update bank details for overtime pay.
IT and Data Management
This includes system maintenance, data storage, and cybersecurity oversight.
- General Email Phishing: Standard credential-harvesting emails lead to broader network breaches, enabling fraud across processes.
- Business Email Compromise (BEC): IT admin emails hijacked to approve fake software purchases or cloud service invoices.
- Invoice Fraud: Fake IT vendor invoices for nonexistent cybersecurity tools or licenses.
- Payroll Bank Account Changes: Internal IT staff phished to facilitate wider payroll scams.
Customer Service and Support
Handles client interactions, complaints, and refunds.
- General Email Phishing: Spoofed support emails trick customers into providing payment info, indirectly leading to internal data leaks.
- Business Email Compromise (BEC): Compromised customer accounts request refund reroutes.
- Invoice Fraud: Fraudulent refund requests via email, crediting attacker cards.
- Payroll Bank Account Changes: Support agents targeted to change their own details, or customer data used for broader fraud.
Executive and Governance
Involves strategic decision-making, compliance, and board communications.
- General Email Phishing: CEO impersonation emails request sensitive governance data.
- Business Email Compromise (BEC): Takeover of a senior executive's mailbox is used to authorize mergers or investments that funnel funds to the fraudster.
- Invoice Fraud: Fake legal or compliance invoices for advisory services.
- Payroll Bank Account Changes: Executive assistants tricked into updating C-suite payroll details.
Summary Table

| Process | Common Cyber Fraud Vectors | Mitigation Notes |
|---|---|---|
| Procurement/AP | BEC for contract alterations, fake invoices | Multi-factor invoice verification, vendor portals |
| Finance/Treasury | Wire fraud via exec spoofing | Callback confirmations for transfers |
| HR/Payroll | Bank change requests via phishing | Secure HRIS with MFA, employee education |
| Sales/AR | Payment rerouting | Customer payment confirmation protocols |
| Supply Chain | Shipping invoice scams | Blockchain tracking for authenticity |
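As an added example, not part of the original document: a payment-release check in Python that applies the invoice-verification and callback-confirmation controls from the summary table to the invoice-fraud pattern described under Procurement and Accounts Payable (a forged invoice carrying manipulated bank details, often sent from a lookalike domain). The vendor master record, invoices and domain names are constructed sample values, and the 0.85 similarity threshold for lookalike domains is an assumption; the same check applies to payroll direct-deposit changes with an employee master record in place of the vendor one.

```python
import difflib
from dataclasses import dataclass

# Constructed vendor master record: the bank account and email domain on file.
VENDOR_MASTER = {
    "V100": {"iban": "DE89370400440532013000", "domain": "acme-supplies.example"},
}


@dataclass
class Invoice:
    vendor_id: str
    sender_domain: str          # domain of the mailbox that submitted the invoice
    iban: str                   # bank account printed on the invoice
    amount: float
    callback_verified: bool = False  # True only after a phone callback to the number on file


def is_lookalike(candidate: str, legitimate: str) -> bool:
    """Flag a domain that is not identical to the one on file but nearly so
    (one swapped or substituted character). 0.85 is an assumed threshold."""
    if candidate == legitimate:
        return False
    return difflib.SequenceMatcher(None, candidate, legitimate).ratio() >= 0.85


def release_decision(inv: Invoice) -> tuple[bool, list[str]]:
    """Return (release_allowed, findings).

    Payment is held whenever the invoice disagrees with the vendor master
    (different bank account or unexpected sender domain) unless an
    out-of-band callback to the number on file has confirmed the change."""
    findings: list[str] = []
    master = VENDOR_MASTER.get(inv.vendor_id)
    if master is None:
        return False, ["unknown vendor id"]
    if inv.iban != master["iban"]:
        findings.append("bank details differ from vendor master")
    if inv.sender_domain != master["domain"]:
        kind = "lookalike" if is_lookalike(inv.sender_domain, master["domain"]) else "unrelated"
        findings.append(f"{kind} sender domain: {inv.sender_domain}")
    if findings and not inv.callback_verified:
        return False, findings + ["hold: callback verification required before payment"]
    return True, findings
```

The findings list is what an AP reviewer should see on the held item; a verified callback clears the hold but the discrepancy stays on record.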