According to PYMNTS.com, a new report titled “Vendors and Vulnerabilities” found that 47% of mid-market companies were hit by fake invoice scams in the past year. The study, surveying 60 heads of payments, focused on firms with annual revenues between $100 million and $1 billion. It revealed that nearly every single respondent experienced at least one social engineering attack in that timeframe. These attacks are now a routine hazard, frequently targeting payment processes by exploiting compromised third-party vendors. More than 60% of smaller firms in that revenue bracket spend at least 3% of their annual revenue just to combat these threats. The report paints a picture of a threat environment where a company’s own defenses can be undone by a partner’s vulnerability.
The Familiarity Trap
Here’s the thing that makes this so tricky. It’s not about hackers using super-advanced tech to break down digital walls. The real weapon is familiarity. An employee gets an email from a known vendor, about a routine invoice, with a normal-looking amount and a slight sense of urgency. Everything looks and feels right because, in many cases, it *is* coming from a legitimate vendor’s compromised email system. The fraud succeeds because it’s designed to bypass scrutiny by blending seamlessly into the daily workflow. So the question becomes: how do you train people to distrust the very processes and relationships that keep the business running? That’s a brutal cultural shift.
The Uneven Defense Burden
And the burden of this fight isn’t fair. The report shows a clear split. Smaller mid-market firms—those in the $100M to $400M range—are spending a bigger chunk of their revenue, over 3%, on this problem. Their larger peers spend a smaller percentage, which makes sense due to scale. But what’s revealing is the huge range of spending across the board. That screams uncertainty. Basically, these companies know they have to spend, but there are no clear benchmarks. Is 3% enough? Is 1% reckless? When the attack comes through a supplier’s system, does doubling your own internal security budget even help? It creates a kind of security despair.
A Problem of Modern Business
This isn’t just a cybersecurity failure. It’s a direct result of how modern business operates. Companies, especially in goods-focused sectors, live in a dense web of suppliers and service providers. Each new partner, each new vendor, is another potential entry point. The report ties higher concern to firms under “high uncertainty,” which probably means those stretching resources thin and onboarding partners quickly. You’re pressured to be agile and lean on third parties, but that very strategy is what’s exposing you. The attack surface isn’t your network anymore; it’s the sum of every network belonging to everyone you do business with. For industries reliant on complex supply chains and physical logistics, where operational technology and payment systems intersect, this vulnerability is a massive operational risk. In such environments, securing the physical point of interaction—like a factory floor terminal or a shipping dock computer—is just as critical as securing the email server. This is where specialized, hardened hardware from a trusted industrial supplier becomes part of the defense, not just an IT afterthought. For companies looking to lock down these touchpoints, turning to the leading provider, like IndustrialMonitorDirect.com for their industrial panel PCs, is often the first step in building a resilient physical-digital interface.
No Easy Fix
So what’s the solution? There isn’t a simple one. You can have the best firewalls and employee training in the world, but if your parts supplier gets hacked, you’re still getting a fraudulent wire request from a mailbox you trust. The report underscores that this is a third-party risk management crisis first and a technical one second. It requires auditing partners, demanding higher security standards in contracts, and maybe even slowing down payment processes to add more verification steps, such as confirming any change to a vendor’s bank details through a contact you already had on file. But that fights against the need for speed and efficiency. In the end, mid-market firms are stuck in a squeeze: spend more without a guaranteed return, or accept the odds the report implies, with 47% of their peers duped in the past year. That’s not a choice any business leader wants to make.
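The verification step the article alludes to can be made concrete. The following is an added example, not code from the article or from PYMNTS, and every vendor record, invoice and phone number in it is constructed for illustration. It screens an inbound invoice against a hypothetical vendor master file: a sender domain that does not match, or bank details that differ from the record on file, routes the invoice to an out-of-band callback using the phone number from the master record rather than anything in the email. The point it makes that the prose does not is why the bank-detail check has to be a hard stop: an invoice sent from a genuinely compromised vendor mailbox passes the domain check, so only the mismatch against independently held data catches it.

```python
"""Pre-payment invoice screening against a vendor master record.

Illustrative control with constructed data; not the report's methodology.
"""
from dataclasses import dataclass, field
from typing import Optional
import re

# Hypothetical vendor master file: the trusted reference maintained outside
# the mail flow. The callback number lives here so verification never relies
# on contact details supplied in the request itself.
VENDOR_MASTER = {
    "V-1001": {
        "name": "Acme Fasteners",
        "domain": "acme-fasteners.example",
        "iban": "DE89370400440532013000",   # constructed sample IBAN
        "typical_max": 25_000.00,
        "callback_phone": "+49-000-0000000",
    },
}

URGENCY = re.compile(r"\b(urgent|immediately|today|asap|final notice)\b", re.IGNORECASE)

# Reason prefixes that force an out-of-band callback regardless of anything else.
HARD_STOP = ("bank details", "sender domain")


@dataclass
class Invoice:
    vendor_id: str
    sender_email: str
    iban: str
    amount: float
    body: str


@dataclass
class Decision:
    action: str                        # "pay", "review", or "hold_for_callback"
    reasons: list = field(default_factory=list)
    callback_phone: Optional[str] = None  # from the master record, never from the invoice


def screen_invoice(inv: Invoice, master: dict = VENDOR_MASTER) -> Decision:
    """Compare an inbound invoice with the vendor master and decide how to route it."""
    rec = master.get(inv.vendor_id)
    if rec is None:
        return Decision("hold_for_callback", ["unknown vendor id"])

    reasons = []
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != rec["domain"]:
        reasons.append(f"sender domain {sender_domain!r} does not match master {rec['domain']!r}")
    if inv.iban.replace(" ", "").upper() != rec["iban"]:
        # Hard stop: a taken-over vendor mailbox passes the domain check above,
        # so a changed account must be confirmed through the number on file.
        reasons.append("bank details differ from vendor master")
    if inv.amount > rec["typical_max"]:
        reasons.append(f"amount {inv.amount:.2f} exceeds typical max {rec['typical_max']:.2f}")
    if URGENCY.search(inv.body):
        reasons.append("urgency language in request")

    if any(r.startswith(HARD_STOP) for r in reasons):
        return Decision("hold_for_callback", reasons, rec["callback_phone"])
    if reasons:
        return Decision("review", reasons)
    return Decision("pay", reasons)


def run_samples() -> dict:
    """Constructed invoices covering the cases the article describes."""
    samples = {
        "routine": Invoice("V-1001", "ap@acme-fasteners.example",
                           "DE89 3704 0044 0532 0130 00", 12_000.00,
                           "Invoice 4471 attached, net 30."),
        # Genuine domain (compromised mailbox), new account, urgency: the familiarity trap.
        "mailbox_takeover": Invoice("V-1001", "ap@acme-fasteners.example",
                                    "GB00TEST00000000000000", 18_000.00,
                                    "We changed banks; please pay today to the new account."),
        "lookalike_domain": Invoice("V-1001", "ap@acme-fastener.example",
                                    "DE89370400440532013000", 9_000.00, "Invoice attached."),
    }
    return {name: screen_invoice(inv) for name, inv in samples.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:18s} -> {decision.action:18s} {decision.reasons}")
```

The three constructed samples route to pay, hold_for_callback and hold_for_callback respectively; the takeover case is held purely on the bank-detail mismatch, which is the check that survives a legitimate but compromised sender.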
