top of page

Businesses Warned as Cyber-Enabled Fraud Targets Routine Payment Processes

  • Writer: All Things Being ISOs
    All Things Being ISOs
  • 4 hours ago
  • 3 min read
Hands tapping a Visa card on a payment terminal at a checkout counter, with a shopping bag in the blurred background.

Businesses are being warned that cyber attacks are increasingly ending not with encrypted systems or stolen databases, but with fraudulent payments that can be extremely difficult to recover once money has been transferred.


Government figures estimate that around 43,000 UK businesses experienced fraud resulting from a cyber breach or attack during a recent 12-month period. Across the business population, an estimated 130,000 cyber-facilitated fraud events were recorded, highlighting the growing overlap between traditional cyber security threats and financial crime.


One of the most damaging forms of attack is business email compromise, in which criminals impersonate senior managers, suppliers, customers or other trusted contacts. Rather than attempting to break through complex technical defences, attackers manipulate legitimate business processes and persuade employees to transfer money or change payment details.


Fraudsters may compromise a genuine email account and monitor conversations for weeks before intervening at the point when a payment is expected. Others create convincing copies of email addresses or impersonate executives to request urgent transfers. In many cases, the fraudulent communication appears within an existing conversation, making it considerably harder for employees to identify.


UK fraud authorities describe business email compromise and payment diversion fraud as sophisticated crimes that use impersonation and compromised communications to redirect money or sensitive information. Warning signs can include unexpected changes to bank details, requests for secrecy and pressure to make payments quickly.


The growth of the problem is challenging traditional approaches to information security because many successful attacks do not depend on advanced malware or previously unknown vulnerabilities. Instead, criminals exploit weaknesses in payment approval, supplier verification and communication between finance teams and other parts of the business.


Security specialists say the risk is particularly high where a single employee can change supplier bank details and authorise a payment without independent verification. Organisations with large volumes of transactions, multiple suppliers or geographically dispersed finance teams may also find it more difficult to identify unusual requests.


The problem is becoming more complex as criminals gain access to increasingly convincing impersonation techniques. Poor spelling and obvious mistakes, once common warning signs of fraudulent emails, are becoming less reliable as attackers use artificial intelligence to create professional communications that closely imitate normal business language.


Government fraud strategy has also highlighted the connection between data breaches and subsequent fraud. Information stolen during earlier cyber attacks can be used to create convincing messages containing genuine names, relationships and business details, increasing the likelihood that employees will trust a fraudulent request.


Some businesses are responding by separating changes to payment information from the payment process itself. Supplier bank detail changes are increasingly being verified through an independently obtained telephone number or other trusted communication channel rather than by replying to the email that requested the change.


Other organisations are introducing dual approval for significant transfers, tighter controls over email accounts and stronger monitoring for suspicious sign-ins. Finance teams are also being included more frequently in cyber security training, reflecting the fact that payment processes have become a major target for attackers.


The issue is attracting greater attention because the consequences can be immediate. Unlike many data breaches, where the full financial impact may take months to establish, a successful payment diversion attack can remove a substantial sum from a business within minutes.


For organisations operating under information-security frameworks such as ISO 27001, the growing threat demonstrates how cyber risk increasingly extends beyond the IT department. Protecting information remains important, but businesses must also consider how compromised information and communications can be used to manipulate critical commercial processes.


As cybercrime and fraud become increasingly interconnected, security specialists expect greater scrutiny of the controls surrounding payment approvals, supplier information and business communications. Organisations that treat cyber security and financial controls as separate issues may find that attackers are already exploiting the gap between them.


A message from our sponsors, The Ideas Distillery: 


If you would like to look at how to implement an ISO 27001 information security management system, then simply contact us.


Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).

bottom of page