Two years ago, we published a piece entitled “What to do about supply chain crime.” The occasion was a pandemic-era resurgence of a problem from the days of pirates, highwaymen, and train robbers: the physical theft of in-transit goods and materials. Criminals were becoming more brazen and inventive in their methods, we reported, but businesses and law enforcement had new tools that could, if properly applied, at least give businesses a fighting chance to roll back the tide of supply chain fraud and theft. We concluded on an upbeat note, adding as a cautionary aside that “there is increasing concern about cyber threats to the supply chain.”

What we didn’t see back then was how quickly generative AI (GenAI) would evolve and springboard into widespread use. In fact, GenAI has so far been of vastly more use to cybercriminals than to the people trying to stop them.

Cybercrime of all types is exploding, thanks to GenAI, and while you might think this would have taken some of the pressure off supply chain managers—whose responsibility is, after all, the flow of physical products and commodities through the three-dimensional world—the opposite has happened. GenAI has given supply chain managers more to worry about than ever, including previously unimaginable threats to the physical movement of supplies. Take, for example, the proliferation of invoice fraud, the blanket term for a range of scams that involve the creation and submission of fake statements of charges.

Are we still upbeat about the future of supply chain security? Yes. But the threats are continually changing and keeping pace with the bad guys requires more than new tools and strategies, though those are essential. It also requires old tools and strategies, such as tuning existing machine learning (ML) systems to detect fake invoices and insider fraud. It also means reinforcing traditional cybersecurity practices and collaborating with suppliers.

Fresh security risks, delivered right to your employees’ desks

In February 2024, news broke that a Hong Kong-based financial worker for a British engineering multinational company had fallen victim to an old scam in a dazzling, GenAI era package. The employee had received an e-mail, purportedly from the firm’s CFO, demanding an emergency wire transfer of funds, CNN reported.

Suspecting fraud, the worker demurred, but this was no garden-variety phishing attack. He soon found himself in a video meeting with the CFO, and a team of other familiar executives, who repeated the instructions. Suspicions calmed, the worker wired around US$25 million to the specified accounts. Only later did he learn, in the words of Hong Kong police, that “everyone [in the meeting] was fake.” Their faces and voices had all been digitally spoofed by GenAI.

The Hong Kong scam was unusually bold and sophisticated, but the scammers were using tools and methods that were well established.

According to digital security firm Onfido, 2023 saw a 3,000% increase in the incidence of so-called deepfake fraud, an explosion triggered and made possible by the breakthroughs in generative AI that grabbed headlines and public attention throughout the second half of 2022. If scammers can deepfake not only your own execs but also suppliers, distributors, and customers, it’s not hard to see how this technique will be applied in the supply chain context.

It’s not just deepfakes, though. According to Christopher Stephenson, head of AI strategy and operations at Nuix, an Australian software company specializing in investigative intelligence and analytics tools, GenAI has transformed and enhanced the full sweep of cybercriminal behavior, from top to bottom. Even those adorably typo-ridden e-mails from a “Nigerian prince” seeking help transferring funds from a kind-hearted stranger are on their way out, says Stephenson. In the age of ChatGPT, “those Nigerian princes can write better than your average person.”

The implications of GenAI-based threats for supply chain managers

For IT and HR departments and for anyone charged with organizational security, this wave of cybercrime powered by GenAI presents an obvious headache. But what has it meant for supply chain managers, who when we last checked were contending with a now-quaint-seeming boom in the theft of physical goods and materials?

Nothing good, unfortunately.

The tide of old-fashioned supply chain theft continues to rise. To what extent GenAI tools are helping drive this surge is hard to say, but with thieves becoming more organized and sophisticated in their methods, it certainly doesn’t help, as SupplyChainBrain noted.

More specifically, GenAI has sparked a renaissance in invoice fraud, in which bad actors submit fraudulent invoices, as noted by Rossum, a document-processing company. Formerly the preserve of specialists with a flair for forgery, immaculate fake invoices, like typo-free phishing e-mails, can now be produced in an instant “by anyone in humanity with access to a smartphone, laptop, and Internet connection,” as Stephenson puts it. Given that invoices are to supply chains what blood cells are to the human body, GenAI invoice fraud poses a new and truly existential threat.

And it’s not the only one. According to Christopher Pogue, a professor of business and computer forensics at Oklahoma State University, the more ambitious supply chain threat actors are already starting to shift from physical theft and invoice fraud to ransom and extortion schemes, which can deliver more and better results than regular cybercrime by orders of magnitude, Pogue says.

“Forget diverting a shipping container,” says Pogue. “What if you lock up a port?”

Pogue cites the 2023 cyberattack on DP World Australia when unidentified hackers accessed the internal systems of one of Australia’s largest port operators, as Reuters reported. The result? The port operator suspended activity for three days.

Whether the hackers used GenAI tools to breach DP World’s defenses is not yet known. Their goal appears to have been to steal employee data rather than hold supply chains hostage. Regardless, the attack proved the concept of what is likely to become the most lucrative form of supply chain crime. Ransomware gangs can multiply their targets by preying on ports and other points of failure in the supply chains of multiple companies.

Viewed in its entirety, this explosion in both the scale and the variety of supply chain crime threatens the profits and the very survival of modern businesses to a degree few could have envisioned only a few years ago.

“The financial impact is getting larger and larger,” says Mark Lokanan, who studies cybersecurity both as a professor at Canada’s Royal Roads University and as founder and CEO of Vedia Cloud Analytics. “If companies don’t have a stronghold on this particular subject, it could potentially lead to bankruptcy for some of them.”

Some old responses to the newest problems

“Fight fire with fire” goes the adage, and indeed the experts interviewed for this piece all report being contacted by panicked business leaders seeking GenAI-powered defenses to the proliferating GenAI-powered threats.

The problem is that there aren’t any. Not frontline defenses, anyway. Not yet. Much as Alfred Nobel’s invention of dynamite in 1867 was a force-multiplier for the bank and train robbers of the day but of no practical help to the law enforcement and railroad executives trying to stop them, so GenAI has been a boon to cybercriminals without bestowing any comparable advantages on law and order.

When it comes to fighting this particular fire, fire itself is not of much use.

Part of this asymmetry is obvious and structural. Beyond morality, a fraudster and a large language model (LLM) have the same core mission: to mimic content created by a human. Their efforts naturally dovetail. Conversely, a security person’s mission is to detect attempts at mimicry, distinguishing them from real content, and determining what is true . And truth is not GenAI’s strong suit, as legions of six-fingered advertising spokesmodels can attest.

But even if GenAI does one day train itself to excel at spotting fake invoices and exposing fraudsters, says Lokanan, companies still might find their hands tied. Raising and investigating suspicions of fraud is a delicate business, whether the suspect is a customer, a supplier, or one’s own employee.

To pre-empt counter-allegations of harassment, discrimination, or reckless reputational damage, companies must be able to explain why they suspect a particular actor of fraud. People are “going to need to see the math,” as Stephenson puts it. And if that math takes place within the famously murky, poorly documented inner workings of an LLM, companies may find it tricky proposition to defensibly substantiate their claims.

Action steps for supply chain leaders

What should supply chain leaders do? If generative AI can’t help roll back the tide of fraud unleashed by itself, can anything?

“There is no silver bullet,” cautions Stephenson. But experts tend to agree that a healthy blend of approaches, rather than overreliance on GenAI, is the best way to improve outcomes and mitigate the well-publicized risks .

1. Tune existing AI and ML systems to detect fake invoices

Traditional AI and ML systems can’t write poems or paint paintings. But what they’ve been doing well for more than a decade is combing through vast amounts of data, flagging patterns and anomalies. According to Lokanan, the coauthor of a seminal paper in the use of AI and ML to combat supply chain fraud, the simple flagging of anomalies can and will take companies a long way in the fight against systemic, relatively small-bore schemes such as invoice fraud—even when those schemes are turbocharged with GenAI.

Invoice fraud and most similar schemes exploit the mismatch between the dizzying volume of transactions involved in a modern supply chain and the finite commodity of human attention. By training AI systems to monitor transaction data in real time, human workers can spend more of their time investigating the anomalies and red flags thrown up by the machines. Not only that, says Stephenson, but well-trained AI systems can even increase the scale and quality of the human resources available for fraud detection by making “a junior investigator almost as good as a seasoned one.”

2. Target insider fraud

One area in which traditional AI and ML systems are showing particular promise, says Stephenson, is the fight against insider fraud. This is a key risk, with roughly 70% of supply chain and cargo theft taking place with participation, witting or not, of company employees.

The same AI systems that are so adept at finding red flags in a trove of transaction data can do the same with the internal communications between employees, at least the communications that take place on company-approved devices. No automated system can by itself determine when an employee has “gone rogue,” Stephenson concedes, but AI models can already detect such “nuances” in communications as a “disgruntled mindset,” a “sense of urgency,” or even early warning signs of suicidal ideation. These data points can then be cross-referenced with other variables, in particular those pertaining to previous instances of fraud, helping identify employees whose behavior may warrant further scrutiny.

3. Reinforce traditional cybersecurity steps

What of GenAI-powered ransom attacks and those more ambitious and lucrative one-off fraud attacks that are causing so much consternation?

Pogue, who has decades of security experience in the private and public sectors, including stints contracting to both the U.S. State Department and the Secret Service, says the answer is a counterintuitive dusting-off of old tools.

The oldest of those tools is what he calls “the basic blocking and tackling of cybersecurity.” Deepfakes are going to mature and proliferate and phishing schemes will become ever more sophisticated and convincing, but on organization-by-organization basis, companies can hold the line if they do “the easy stuff” and rededicate themselves to basic “cybersecurity hygiene.”

What does that mean in practice? Three things, says Pogue: “You patch [update software]; you teach people how not to get phished; and you use multifactor authentication wherever you can.”

4. Collaborate with suppliers

The problem with working with partners, of course, is what we previously wrote about: the length, complexity, and entanglement of supply chains in the age of globalization and digital commerce. Training one’s own employees in good cybersecurity hygiene is a worthy best practice, but it’s no defense against a ransom attack on some far-flung foreign port in your supply chain.

Said another way: It pays to share best practices and to work with suppliers to adhere to them. There is a growing acceptance that companies must not only trust their partners up and down the supply chain but also monitor and verify their activities in real time, Stephenson says.

AI and GenAI tools to facilitate this whole-chain visibility are already being deployed, as are legal and governance structures to ensure compliance. As Stephenson points out, these kinds of visibility pacts are becoming more common and accepted, as companies work to update their policies on not only cybersecurity but also privacy, sustainability, and environmental, social, and governance (ESG). “In our fast-moving, hyperconnected world, businesses operate more and more like a vibrant ecosystem these days,” says Stephenson.

When it comes to managing supply chain risks, the only guarantee is that everything is bound to change. That means bad actors will work to develop new threats using GenAI, just as they will look for fresh means to exploit vulnerable systems. It will be up to supply chain leaders to continue deploying tested means for defense while experimenting with their own GenAI systems to detect and identify new threats to mitigate.

Read more