Background
ToysMakers SARL was a mid-sized toy manufacturer supplying multiple European markets. Vendor invoice management was outsourced to InvoicesForVendorsSoftwareAndServices Pvt Ltd. Vendors submitted invoices through the service provider's platform, and ToysMakers approved payments using an integrated software tool.
The Vendor Complaint
RawMaterialSupplier Pvt Ltd contacted ToysMakers claiming invoices from the past two months had not been paid. The finance team found invoices were present, approvals were recorded, and transactions were marked as successfully processed. The partner bank confirmed funds had been transferred without error.
A Similar Concern at Another Client
In the days that followed, another client of InvoicesForVendorsSoftwareAndServices noticed that payment details for one of their vendors differed from historical records and halted payment execution. This triggered an internal incident at the service provider.
What the Investigation Found
Initial checks showed no application errors or abnormal processing. But deeper investigation of the vendor details database revealed a large number of updates to bank account and communication details — all executed as ad hoc changes through the platform, all traced back to a single user account. There was no secondary review or independent validation step in place within the tool, meaning a single user with access had the ability to alter sensitive data.
The account had been compromised and used to modify payment details, so that payments for legitimate invoices were routed to bank accounts belonging to an unknown recipient.
How the Account Was Compromised
The compromised account belonged to a vendor onboarding and data-entry role. It had broad permissions to modify vendor payment details across multiple clients and was protected only by username and password — MFA was not enforced.
Credentials were harvested through a targeted phishing attack — a look-alike login page. The attacker operated strictly within the account's legitimate permissions, making selective and low-volume changes that appeared routine. Only bank account numbers and email addresses were altered. Vendor names, invoice references, approval flows, and transaction amounts were deliberately left unchanged, allowing the activity to blend into normal operations and evade detection for multiple payment cycles.
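Two of the controls that were missing, a dual-control check on changes to sensitive vendor fields and an aggregate view of one account's changes across clients, as an added example that is not code from the page or from the service provider; the change-log schema, field names and sample entries are assumptions constructed here:

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Fields whose modification redirects money or vendor notices.
SENSITIVE_FIELDS = {"bank_account", "email"}

# Assumed change-log record; the platform's real schema is not on the page.
Change = namedtuple("Change", "ts user client vendor field approved_by")

# Constructed sample log: one account edits payment data for several clients.
SAMPLE_LOG = [
    Change("2024-03-01T09:12:00", "onboarding01", "ToysMakers", "RawMaterialSupplier", "bank_account", None),
    Change("2024-03-01T09:13:00", "onboarding01", "ToysMakers", "RawMaterialSupplier", "email", None),
    Change("2024-03-05T14:40:00", "onboarding01", "OtherClient", "VendorB", "bank_account", None),
    Change("2024-03-12T11:05:00", "onboarding01", "ThirdClient", "VendorC", "bank_account", None),
    Change("2024-03-02T10:00:00", "onboarding02", "ToysMakers", "VendorD", "phone", None),
    Change("2024-03-03T10:00:00", "onboarding02", "ToysMakers", "VendorE", "bank_account", "finance_lead"),
]

def unreviewed_sensitive_changes(log):
    """Every edit to a payment or contact field without a second approver
    is a dual-control violation, regardless of how few there are."""
    return [e for e in log if e.field in SENSITIVE_FIELDS and not e.approved_by]

def cross_client_actors(log, window=timedelta(days=30), min_clients=2):
    """Users whose sensitive-field edits touch vendors of several clients
    within one window: low volume per client, but unusual in aggregate."""
    by_user = defaultdict(list)
    for e in log:
        if e.field in SENSITIVE_FIELDS:
            by_user[e.user].append((datetime.fromisoformat(e.ts), e.client))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            clients = {c for t, c in events[i:] if t - start <= window}
            if len(clients) >= min_clients:
                flagged[user] = sorted(clients)
                break
    return flagged
```

Blocking on the first check and alerting on the second would have surfaced the account's activity within its first payment cycle rather than after several.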
- What process gap allowed the invoices to be approved and paid without independent verification?
- Why had ToysMakers not assessed the risk of an external tool compromise?
- Why were there no internal alerts or red flags for changes in vendor communication details or bank account information?
- Why was there no alternate or independent communication channel to validate invoices directly with the vendor?
This incident exposes a significant gap in ToysMakers' vendor outsourcing and third-party risk assessment practices.