Trustmi Talks

Behind the Breach: Macy’s $154 Million Employee Fraud Scheme


While Macy’s centennial Thanksgiving Day Parade in NYC may have once again thrilled the audience gathered in front of its flagship store, all is not well on the inside.


The Gist

In a recent press release, Macy’s announced it would have to delay the company’s quarterly earnings report after discovering a single employee concealed up to $154 million in expenses over nearly three years. Here are some of the key details from the release:

  • The unnamed employee deliberately hid small package delivery costs from Q4 2021 to Q3 2024.
  • The hidden expenses represent about 3-3.5% of Macy's $4.36 billion in delivery costs during this period.
  • Macy's has initiated an independent forensic accounting investigation.


Why it Matters

This incident highlights the significant impact internal fraud can have on large organizations, potentially affecting financial reporting, investor confidence, and overall business operations.


Today, every company, big or small, is a target for business payment fraud.


A Look at the Numbers

  • According to a 2024 Insider Threat Report, 48% of organizations reported that insider attacks have become more frequent over the past 12 months. Additionally, 51% experienced six or more attacks in the past year, with the average cost of remediation exceeding $1 million for 29% of respondents.
  • The same research reports that the technology and telecommunications sector was the most affected by insider threats, attributing this to complex IT environments and the rapid adoption of new technologies such as AI and IoT, which have expanded the attack surface and introduced new vulnerabilities that insiders can exploit.


Why Insider Threats Succeed

The Information Systems Audit and Control Association (ISACA) is a professional association with 180,000 members who work in digital trust fields. In July, ISACA published a paper titled Why So Many Organizations Underestimate Insider Threats. In the report, they identified four primary drivers rooted in human nature rather than in any technology or attack technique.


These include:

  • The first was simply known vs. unknown. We tend to distrust unknown factors more than known factors.
  • The next driver was inherent trust. Nobody hires people they don’t trust.
  • Next is a fundamental miscalculation of risk. Much of the energy and noise in cybersecurity is focused on external threats, the various attacks, threat actor groups, and nation-states driving them, when, in fact, an insider is involved in data breaches 60% of the time.
  • The final driver was budget. They believed cybersecurity experts would likely prioritize guarding against external threats over insider threats.


But it's not just the human factor. The partner ecosystem and business payment process are target-rich environments for internal and external fraudsters. Vendor management is complex, especially for businesses with hundreds or thousands of third-party suppliers. These companies are particularly susceptible to insider and/or external attacks because they are not able to continuously monitor and enforce proper security protocols and controls throughout the lifetime of each individual vendor relationship.


Another unique type of threat that businesses struggle with is the malicious insider. Unlike external attackers, who need to invest heavily in surveillance and information gathering to discover where their target's soft underbelly is, the insider has a distinct advantage: they already intimately know the organization's inner workings. This is exactly what occurred at Macy’s and in 2023 at Apple, when an employee swindled $17 million through kickbacks, inflated invoices, and more.


Trustmi’s Take

To combat internal fraud such as what transpired at Macy's and Apple, companies should implement comprehensive payment security solutions that offer end-to-end protection and utilize AI and machine learning to detect abnormal payment activities, perform real-time risk assessments, and identify insider threats. By automating financial processes and providing full visibility from vendor onboarding to payment release, these solutions reduce manual errors and increase transparency.


Companies should also prioritize implementing advanced fraud detection systems, regularly audit their financial processes, and foster a culture of ethical behavior. Last but certainly not least, invest in strengthening an organization's defense against internal fraud by training employees on fraud prevention while establishing clear reporting mechanisms that make it quick and easy to report suspicious activities.