Security
TACKLING PHANTOMS, GHOSTS AND ZOMBIES
Giles Hamlin, Global Head of GRC Services at LRQA, explains why identity is the new battleground.
Digital procurement has become the engine room of modern business. Where supplier selection and due diligence once relied on paper trails, phone calls and in-person verification, organisations are now starting to use automated platforms, cloud marketplaces and AI-driven risk scoring. This transformation has unlocked remarkable speed and scalability, but it has also created a profound new vulnerability: a growing trust gap.

Procurement today is built on digital identity. Every vendor profile, contract and transaction depends on the assumption that the counterparty is who they claim to be. Yet as onboarding, verification and monitoring increasingly shift to automated systems, this assumption becomes fragile. Within that fragility lies the perfect opportunity for a new kind of threat actor – the phantom supplier.

Phantom suppliers are digital ghosts: vendors that appear legitimate in procurement systems but lack any genuine, verifiable existence. They may be fabricated identities, hijacked accounts, or cloned versions of real companies. Unlike traditional procurement fraud, which relied on fake invoices or isolated scams, phantom suppliers exploit the very systems designed to improve efficiency. They register directly in procurement platforms, build credibility through automation and then exploit trust at scale. A single phantom supplier can:
• Receive payments via auto-approved purchase orders
• Deliver counterfeit or malicious goods
• Insert malware through software updates or digital integrations
• Launder funds or disguise connections to sanctioned entities

The difference lies in persistence. A fake invoice may succeed once, whereas a phantom supplier can operate undetected for months, quietly draining funds, compromising systems or corrupting data.

When automation forgets to ask ‘Who?’
Automation was introduced to make procurement faster and less error-prone. Machine learning models can score supplier risk, approve contracts and even initiate payments, often with minimal human intervention.
44 | January/February 2026

Yet these systems rely on clean, verified data. If a phantom supplier slips past initial onboarding, every subsequent automated process reinforces their legitimacy. An AI-driven risk engine might mark them as ‘low-risk’ on the strength of perfect delivery records, failing to recognise that those records are fabricated. Procurement bots might prioritise them for repeat orders because of fast response times, never realising they are feeding a fraudulent entity. This doesn’t mean automation is the enemy. Rather, it must be balanced with oversight. A human-in-the-loop approach, where technology accelerates decisions but humans remain the final arbiters of trust, is vital.
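To make the contrast concrete, here is an added illustration (not code from the article or from LRQA) of the two scoring approaches described above. The first scores a vendor purely on platform-generated performance data, so a vendor with a spotless but unverifiable history looks safest; the second gates automated approval on identity checks that the vendor cannot manufacture from inside the platform (an independent registry lookup, an out-of-band bank account confirmation, sanctions screening) and routes anything unproven to a human reviewer. The `Supplier` fields, the thresholds and the three sample vendors are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    AUTO_APPROVE = "auto_approve"
    HUMAN_REVIEW = "human_review"
    REJECT = "reject"


@dataclass
class Supplier:
    name: str
    sanctions_clear: bool          # screening against sanctions lists passed
    registry_verified: bool        # company registration confirmed against an independent registry
    bank_account_verified: bool    # payee account confirmed out-of-band, not via the vendor portal
    on_time_delivery_rate: float   # 0.0 to 1.0, taken from the platform's own delivery records
    orders_completed: int
    months_on_platform: int


def naive_risk_score(s: Supplier) -> float:
    """Performance-only score (lower means 'safer'): the pattern the article warns about.

    It looks only at records the platform generated after onboarding, so a vendor whose
    history is fabricated or self-fulfilling scores as low-risk.
    """
    return round(1.0 - s.on_time_delivery_rate, 2)


def assess_supplier(s: Supplier) -> tuple:
    """Identity-first gate: automation may approve only once the 'who' is independently established.

    Returns (Decision, list of reasons). Any unresolved identity question goes to a human.
    """
    if not s.sanctions_clear:
        return Decision.REJECT, ["sanctions screening hit"]
    reasons = []
    if not s.registry_verified:
        reasons.append("company registration not independently verified")
    if not s.bank_account_verified:
        reasons.append("payee bank account not confirmed out-of-band")
    # A spotless record accumulated quickly is a reason to look closer, not evidence of low risk:
    # platform-generated performance data cannot vouch for the vendor's existence.
    if s.on_time_delivery_rate >= 0.99 and s.orders_completed >= 20 and s.months_on_platform < 3:
        reasons.append("perfect delivery history accumulated unusually fast")
    if reasons:
        return Decision.HUMAN_REVIEW, reasons
    return Decision.AUTO_APPROVE, []


# Constructed sample vendors for the example (not real companies).
PHANTOM = Supplier("Example Phantom Supplies", True, False, False, 1.0, 40, 2)
ESTABLISHED = Supplier("Acme Components Ltd", True, True, True, 0.96, 300, 48)
SANCTIONED = Supplier("Listed Entity Trading", False, True, True, 0.98, 120, 24)

if __name__ == "__main__":
    for s in (PHANTOM, ESTABLISHED, SANCTIONED):
        decision, reasons = assess_supplier(s)
        print(f"{s.name}: naive score {naive_risk_score(s)}, gate says {decision.value} {reasons}")
```

Run as a script, the phantom vendor gets the best naive score of the three yet is held for human review on three separate grounds, while the long-standing verified vendor is the only one the gate lets through automatically. The design point is that the identity checks are inputs the vendor cannot influence from inside the procurement platform, which is what keeps later automation from compounding an onboarding mistake.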
Cloud marketplaces – speed vs. certainty
Cloud marketplaces have transformed procurement by allowing teams to onboard software vendors and infrastructure providers in minutes. But the same frictionless experience that fuels productivity can be weaponised. Phantom suppliers exploit the drive for speed, posing as legitimate vendors offering attractive prices or specialised services. Once onboarded, they may deliver functional yet compromised tools which in turn embed backdoors, exfiltrate data or provide a bridge for future cyberattacks. In many cases, these phantom suppliers operate entirely within legitimate digital ecosystems. Their presence doesn’t look like a breach; it looks like business as usual. This creates a dangerous irony: the tools designed to accelerate transformation can also accelerate infiltration.
Blockchain and the illusion of transparency
Blockchain technology is often hailed as the solution to supply chain opacity. Transactions are concrete, transparent and traceable. But what’s crucial to remember is that these qualities apply to data, not to identity. If a phantom supplier enters a blockchain-based procurement network, their fraudulent identity becomes permanently recorded, and often irreversibly ‘verified’. Removing or correcting that record undermines the chain’s integrity, making it difficult to remediate without reputational damage.
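The distinction between data integrity and identity can be shown with a minimal hash chain. The following is an added example, not code from the article or from any blockchain product: each block commits to the previous block's hash, so the chain can prove that no record was altered after the fact, but it records a fabricated vendor just as faithfully as a real one. The only way to tell them apart is a check performed outside the chain, which is why the example keeps the result of an independent registry check as a field in the record. The record layout and the sample vendors are constructed for the illustration.

```python
import hashlib
import json


def _digest(prev_hash: str, record: dict) -> str:
    # Each block commits to its predecessor's hash and its own record.
    payload = json.dumps({"prev": prev_hash, "record": record}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def append_block(chain: list, record: dict) -> list:
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    chain.append({"prev": prev_hash, "record": record, "hash": _digest(prev_hash, record)})
    return chain


def chain_is_intact(chain: list) -> bool:
    """True if every block's hash matches its content and its link to the previous block."""
    expected_prev = "0" * 64
    for block in chain:
        if block["prev"] != expected_prev or block["hash"] != _digest(block["prev"], block["record"]):
            return False
        expected_prev = block["hash"]
    return True


def build_sample_ledger() -> list:
    # Constructed records: a real vendor and a fabricated one, onboarded through the same path.
    chain = []
    append_block(chain, {"event": "vendor_onboarded", "vendor": "Acme Components Ltd", "registry_checked": True})
    append_block(chain, {"event": "vendor_onboarded", "vendor": "Example Phantom Supplies", "registry_checked": False})
    append_block(chain, {"event": "po_approved", "vendor": "Example Phantom Supplies", "amount": 48250})
    return chain


def unverified_vendors(chain: list) -> list:
    """Vendors whose onboarding record carries no independent identity check.

    The chain proves these records were not tampered with; it says nothing about whether
    the vendor exists. That evidence has to come from outside the ledger.
    """
    return sorted({
        b["record"]["vendor"]
        for b in chain
        if b["record"].get("event") == "vendor_onboarded" and not b["record"].get("registry_checked")
    })


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact:", chain_is_intact(ledger), "unverified:", unverified_vendors(ledger))
    # 'Correcting' the phantom's record in place breaks the chain rather than fixing the problem.
    ledger[1]["record"]["registry_checked"] = True
    print("intact after in-place correction:", chain_is_intact(ledger))
```

The second print shows the remediation problem the article describes: rewriting the phantom's record to what it should have been invalidates every hash from that block onward, so the honest fix is a new block recording the finding, plus identity verification before the first block is ever written.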
www.pcr-online.biz