Digital procurement systems transform traditional purchasing into streamlined, automated workflows. They allow organisations to track and manage purchasing, supplier relationships, and spending electronically. Typical platforms provide a range of capabilities such as:
- Automated approval workflows that route purchases to the right people.
- Supplier portals for collaboration with vendors.
- Integrated payment processing that eliminates manual transfers.
The benefits of these systems can include cost savings, higher efficiency, and greater transparency. However, their effectiveness makes them a target for cybercriminals.
Digital procurement phishing
Digital procurement systems store a wealth of sensitive information about your organisation and the people you do business with. For example:
- Vendor names, addresses, and banking details.
- Contracts and legal agreements.
- Details of your organisation’s purchase approval chains and hierarchies.
Attackers can use this information for phishing, spear phishing, or payment fraud.
For example, in 2023, cybercriminals stole $2.3 million from the city of Peterborough, New Hampshire. Using highly realistic scam emails, they tricked the city’s finance department into sending routine payments to accounts the attackers controlled. The attackers had researched the department’s payment processes carefully, exploiting the public sector’s financial transparency.
For your organisation, the impacts of an attack can be severe, including:
- Financial losses from fraudulent payments.
- Data breaches that expose vendor information.
- Supply chain disruptions affecting your productivity.
- Regulatory penalties for compliance failures.
- Reputational damage affecting supplier trust.
- Loss of time and resources in issue investigations and remediation efforts, which can take weeks or even months.
Procurement and security: Best practices to protect your procurement systems
To safeguard your procurement operations, implement the following measures:
- Regular security awareness training for your teams. Ensure everyone in your organisation is aware of the dangers of phishing and knows how to spot and report suspicious messages.
- Multi-factor authentication (MFA) for all users, particularly those with approval authority, to add an extra layer of account protection.
- Advanced email filtering that can detect suspicious messages and spoofed domains.
- Vendor verification protocols so that requests to update payment details must always be confirmed by phone before they’re actioned. Don’t rely on email alone.
- Additional protection strategies such as payment limits for large transfers, dedicated channels for payment change requests, maintaining accurate vendor contact lists, and deploying honeypot accounts to detect unauthorised access attempts.
- Quarterly audits and access reviews focused on procurement workflows, user permissions, and segregation of duties to identify vulnerabilities and enforce strict control policies.
- Incident response planning so you can take rapid, coordinated action if an incident occurs.
- A cyber threat intelligence (CTI) and credential monitoring solution. CTI solutions such as Cybercheck help you to stay safe by continuously monitoring for exposed credentials and personal data, providing early warning to stop attacks before they breach your defences. If cybercriminals are trading information about you or your organisation, we immediately alert you. That means you can take proactive steps like changing passwords, blocking cards, and shutting out the attackers before they make you their next victim.
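The vendor verification protocol and the payment-limit control above can be enforced in the procurement workflow itself rather than left to memory. The following is an added illustration, not code from the original article or from any product it mentions; the vendor list, phone numbers, IBANs and the 10,000 limit are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Vendor contact list maintained by the organisation (constructed sample data).
@dataclass(frozen=True)
class Vendor:
    name: str
    iban: str
    phone_on_file: str          # number recorded at onboarding, never taken from an email

@dataclass
class BankDetailChange:
    vendor: str
    new_iban: str
    requested_by_email: str     # sender address of the change request
    phone_in_request: str       # callback number quoted in the email (may be attacker-controlled)
    confirmed_on: Optional[str] = None  # number staff actually dialled to confirm, if any

VENDORS = {
    "Acme Supplies": Vendor("Acme Supplies", "GB00TEST00000000000001", "+44 20 0000 0001"),
}

def change_may_be_actioned(req: BankDetailChange) -> tuple[bool, str]:
    """Vendor verification protocol: a banking-detail change is only actioned after a
    phone confirmation to the number already on file, not one supplied in the request."""
    vendor = VENDORS.get(req.vendor)
    if vendor is None:
        return False, "unknown vendor"
    if req.confirmed_on is None:
        return False, "awaiting phone confirmation"
    if req.confirmed_on != vendor.phone_on_file:
        # Calling the number quoted in the email only confirms with whoever wrote the email.
        return False, "confirmation made to number not on file"
    return True, "confirmed via contact on file"

def payment_may_be_released(amount: float, requester: str, approver: Optional[str],
                            limit: float = 10_000.0) -> tuple[bool, str]:
    """Payment limit with segregation of duties: transfers above the limit need a
    second approver who is not the person who raised the payment."""
    if amount <= limit:
        return True, "within limit"
    if approver is None:
        return False, "second approval required"
    if approver == requester:
        return False, "approver must differ from requester"
    return True, "dual-approved"
```

The key point is that the confirmation call is matched against the contact list, so a request that quotes its own callback number still cannot pass verification.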