We know that companies relying on mailed or faxed documents when selling to customers are still living in a manual world. However, even accepting scanned documents by email isn't true digitization. Many organizations have only partially digitized their buying and lending processes – and that opens them up to significant risk of fraud and other attacks.
Digitization projects often stall before they're complete. Deloitte has warned that while 85% of CEOs accelerated digital transformation initiatives during the pandemic, most can't articulate their progress beyond the fact that they made an investment.
While consulting firms espouse advanced digitization concepts like AI, data suggests that many companies are still struggling to cope with basic tasks. For example, two-thirds of companies are still grappling with document storage.
This disorganized approach to digitization creates potential security risks in a process already fraught with cybersecurity challenges. More than four in five respondents to a Ponemon Research survey believed that they had suffered a data breach as a result of digital transformation.
Failing to fully digitize a process risks fragmenting it, leaving steps that are still reliant on manual input and even the use of paper-based documents. It creates weak spots in the process structure that attackers can exploit for their illicit ends. The assets involved in the buying process are sensitive, typically involving money and even personal data. However it could also put other assets at risk through the introduction of ransomware or other malware.
Some of the cybersecurity risks involved in partial digitization stem from simple oversight. Whenever a human is in the loop, errors can creep in. A combination of distraction, tiredness, and overwork can lead to costly mistakes.
Some incidents are often down to malice rather than mere mistake. Fraudsters frequently use social engineering techniques to dupe business victims, convincing them to send payments to illicit bank accounts.
This type of fraud, collectively known as business email compromise (BEC), often comes in the form of fake invoices sent to vendors. An invoice delivered in paper or email form without going through automated verification processes might slip through manual checks, causing the victim company to send money to criminals.
A variation on this theme is mandate fraud. Here, the criminal impersonates a legitimate vendor and persuades the payee to change their bank details on file to a fraudulent account. Then the fraudster collects payments that should have gone to the original payee.
These attacks started simply but have become more sophisticated over time as victims have awoken to the problem. BEC fraud continues to be a major problem. The FBI estimates that victims have lost $43bn to these attacks between October 2016 and December 2021.
BEC can hit consumers too. Criminals have targeted high-value industries such as real estate and financial services to scam individuals. In Atlanta, one man was jailed after collecting more than $247,000 in fraudulent funds from home buyers. He called his victims and impersonated their realtors, asking them to wire funds to fraudulent business accounts. An automated process on the realtor's side, along with an educational session warning the home buyer against such attacks, would have helped avert disaster.
Forgery is another form of fraud that can subvert partially digitized buying processes. Modern technology makes it far easier for people to forge documents today, creating convincing IDs and other assets that might fool individuals that are tasked with checking them manually. What would have taken a scalpel, glue, carefully chosen paper, and a typewriter back in the day now can be accomplished on a smartphone. There are even online criminal services that will produce these documents for attacks.
Another example of criminal innovation is the use of synthetic IDs. These combinations of fake and real personal information are difficult to spot because there's often no individual victim to raise the alarm. Compounding the problem is the fact that only half of synthetic ID fraudsters apply for fraud using digital channels.
All of these fraudulent attacks can be launched using digital documents. Fake invoices and invoice mandate attacks can arrive via email, as can forged or synthetic identity details. This highlights a key takeaway: accepting digital documents via email isn't enough to truly digitize a buying process. A human employee can be just as easily fooled by an emailed digital document as by a paper-based one.
A fully digitized system involves extra measures. One of these is control over the specific channels used to submit information in the buying process. This prevents the phishing emails and telephone calls that criminals use to perpetrate these frauds. It enables companies to impose appropriate access controls for document submissions.
This measure is part of a broader approach that is crucial to the digitization process: automation. Any part of the buying process relying entirely on human input with no automated checks will be more vulnerable to attack. Automating things from end-to-end, potentially using third-party notarization and identity verification services, is a crucial part of the digitization journey.
Companies that take these final steps to digitization stand to make big gains. Digital trust is a top requirement for consumers as data breaches keep hitting the headlines. PwC found protection of personal data tops consumers' lists of trust criteria, with 62% citing it as a key factor. That's a statistic that all CEOs should note, given that half of all consumers base their purchasing behavior on how much they trust a vendor.
Complete end-to-end digitization will do more than reduce your cybersecurity risk – it will build better relationships with your customers. That helps to reduce bottom-line losses from fraud while also helping to bolster revenues.