A purchasing manager at a midsize company receives a message from the CEO saying that a stock supplier is offering a 30% discount if they pay their bill by Friday.
The SMS contains a bank account number. Despite being suspicious, the purchasing manager decides to wire the money a few hours later, reassured by a voice message from the company manager asking, again, that the bill be paid.
Shortly after the money is sent, the entire interaction turns out to be a sophisticated phishing scheme. The villain found out the name of the company’s newsagent and then sent a voicemail that manipulated the CEO’s voice using snippets of public speeches and salary speeches.
This real-world scenario, presented by John Pescatore, Emerging Security Trends Director at SANS Institute, shows how phishing and cyber attacks on supply chains have become more sophisticated in recent years.
Supply chain attacks, which occur when an attacker enters a system through a third party, are expected to continue. The Identity Theft Resource Center, which tracks publicly disclosed breaches, found that supply chain security breaches far outnumbered malware breaches in 2022. In addition, the number of attacks on supply chains in the first two months of 2023 is already 40% of the number of attacks last year.
Pescatore joined cybersecurity training provider SANS after 13 years at Gartner and has worked with dozens of companies of all sizes to prevent their supply chains from being compromised. Speaking to Supply Chain Dive, he explained why leaders need to take supply chain security seriously and what they can do to prevent an attack.