Giles Hamlin, Global Head of GRC Services at LRQA, explains why identity is the new battleground.
Digital procurement has become the engine room of modern business. Where supplier selection and due diligence once relied on paper trails, phone calls and in-person verification, organisations are now starting to use automated platforms, cloud marketplaces and AI-driven risk scoring. This transformation has unlocked remarkable speed and scalability, but it has also created a profound new vulnerability: a growing trust gap.
Procurement today is built on digital identity. Every vendor profile, contract and transaction depends on the assumption that the counterparty is who they claim to be. Yet as onboarding, verification and monitoring increasingly shift to automated systems, this assumption becomes fragile.
Within that fragility lies the perfect opportunity for a new kind of threat actor – the phantom supplier. Phantom suppliers are digital ghosts: vendors that appear legitimate in procurement systems but lack any genuine, verifiable existence. They may be fabricated identities, hijacked accounts or cloned versions of real companies.
Unlike traditional procurement fraud, which relied on fake invoices or isolated scams, phantom suppliers exploit the very systems designed to improve efficiency. They register directly in procurement platforms, build credibility through automation and then exploit trust at scale.
A single phantom supplier can:
- Receive payments via auto-approved purchase orders
- Deliver counterfeit or malicious goods
- Insert malware through software updates or digital integrations
- Launder funds or disguise connections to sanctioned entities
The difference lies in persistence. A fake invoice may succeed once, whereas a phantom supplier can operate undetected for months, quietly draining funds, compromising systems or corrupting data.
When automation forgets to ask ‘Who?’
Automation was introduced to make procurement faster and less error-prone. Machine learning models can score supplier risk, approve contracts and even initiate payments, often with minimal human intervention.
Yet, these systems rely on clean, verified data. If a phantom supplier slips past initial onboarding, every subsequent automation process reinforces their legitimacy.
An AI-driven risk engine might mark them as ‘low-risk’ on the strength of a perfect delivery record, because it has no way of recognising that the record is fabricated. Procurement bots might prioritise them for repeat orders because of fast response times, never realising they are feeding a fraudulent entity.
This doesn’t mean automation is the enemy. Rather, it must be balanced with oversight. A human-in-the-loop approach, where technology accelerates decisions but humans remain the final arbiters of trust, is vital.
Cloud marketplaces – speed vs. certainty
Cloud marketplaces have transformed procurement by allowing teams to onboard software vendors and infrastructure providers in minutes. But the same frictionless experience that fuels productivity can be weaponised.
Phantom suppliers exploit the drive for speed, posing as legitimate vendors offering attractive prices or specialised services. Once onboarded, they may deliver functional yet compromised tools that embed backdoors, exfiltrate data or provide a bridge for future cyberattacks.
In many cases, these phantom suppliers operate entirely within legitimate digital ecosystems. Their presence doesn’t look like a breach, it looks like business as usual. This creates a dangerous irony where the tools designed to accelerate transformation can also accelerate infiltration.
Blockchain and the illusion of transparency
Blockchain technology is often hailed as the solution to supply chain opacity. Transactions are immutable, transparent and traceable. But what’s crucial to remember is that these qualities apply to the data that is recorded, not to the identity behind it: a ledger guarantees that a record has not been altered, not that the record was true when it was written.
If a phantom supplier enters a blockchain-based procurement network, their fraudulent identity becomes permanently recorded and, to every other participant, appears ‘verified’. The record cannot be deleted without undermining the chain’s integrity; correction means appending a new transaction while the original persists, making remediation difficult without reputational damage.
Blockchain, therefore, is not a silver bullet for supplier authenticity. Without rigorous off-chain identity checks and continuous validation, even the most transparent systems can be deceived.
From ghosts to zombies
Not all phantom activity originates from outside the organisation. Many companies harbour dormant or inactive supplier accounts, such as the remnants of old relationships, discontinued projects or defunct entities. These ‘zombie vendors’ often remain in systems long after they should have been deactivated.
Cybercriminals know this and actively target legacy vendor accounts. By hijacking these digital identities, attackers can issue new orders, redirect payments or distribute malicious content under a legitimate name.
The challenge is that traditional audits rarely catch these anomalies because they are periodic and reactive. By the time an audit is conducted, the damage may already be done.
The solution lies in continuous assurance: a proactive model of supplier governance that constantly validates identities, flags irregular activity and removes redundant access before it can be exploited.
‘Always on’ continuous assurance and countermeasures
Continuous assurance represents a shift from one-time verification to ongoing vigilance. It combines data analytics, behavioural monitoring and real-time alerts to ensure supplier legitimacy throughout the lifecycle of a relationship.
Key practices include:
- Enhanced supplier verification: Cross-checking identities against business registries, sanctions lists and digital footprint analysis.
- Lifecycle management: Regularly reviewing supplier activity to identify inactivity, anomalies or changes in ownership.
- Automated anomaly detection: Harnessing AI for good, to highlight deviations in ordering patterns, payment timing or communication behaviours.
- Human review loops: Integrating expert oversight into every step, ensuring context and intuition are not lost.
This model doesn’t replace audits; rather, it evolves them and builds on them. Instead of providing retrospective assurance, it builds live assurance into everyday procurement operations.
Alongside a continuous assurance mindset and model, teams should also integrate technical countermeasures and cybersecurity controls into the procurement process.
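As an added illustration of the practices listed above, and of the zombie-vendor problem described earlier, here is a Python script that runs continuous-assurance checks over a supplier ledger. It is example code written for this page, not LRQA’s tooling or anything from the original article. The registry lookup, the four supplier records and their event histories are constructed inline, and the thresholds (365 days of inactivity, a 14-day bank-change window, an edit distance of 2 for lookalike domains) are assumptions chosen for illustration.

```python
"""Continuous-assurance checks over a constructed supplier ledger (added example)."""
from dataclasses import dataclass, field
from datetime import date

DORMANCY_DAYS = 365           # assumption: a year with no events marks a vendor dormant
BANK_CHANGE_WINDOW_DAYS = 14  # assumption: invoice this soon after a bank change is suspicious
MAX_DOMAIN_DISTANCE = 2       # assumption: edit distance at or below this is a lookalike

# Constructed stand-in for an official company registry (e.g. a Companies House lookup).
REGISTRY = {
    "01234567": {"name": "Acme Components Ltd", "domain": "acme-components.com"},
    "07654321": {"name": "Northwind Logistics Ltd", "domain": "northwind-logistics.co.uk"},
}


@dataclass
class Supplier:
    supplier_id: str
    name: str
    registration_no: str
    email_domain: str
    # (date, event kind); kinds used here: order, invoice, bank_change
    events: list = field(default_factory=list)


HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain: str) -> str:
    """Lower-case and fold digit-for-letter swaps and 'rn' (reads as 'm')."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_registry(s: Supplier) -> list:
    """Cross-check the record against the registry: number, name and contact domain."""
    rec = REGISTRY.get(s.registration_no)
    if rec is None:
        return [("REG_UNKNOWN", f"{s.name}: registration {s.registration_no} not in registry")]
    flags = []
    if rec["name"].lower() != s.name.lower():
        flags.append(("REG_NAME_MISMATCH", f"{s.name}: registry holds '{rec['name']}'"))
    if s.email_domain != rec["domain"]:
        dist = edit_distance(normalise(s.email_domain), normalise(rec["domain"]))
        code = "DOMAIN_LOOKALIKE" if dist <= MAX_DOMAIN_DISTANCE else "DOMAIN_MISMATCH"
        flags.append((code, f"{s.name}: {s.email_domain} vs registry {rec['domain']}"))
    return flags


def check_dormant_reactivation(s: Supplier) -> list:
    """A long silence followed by new activity is the zombie-vendor pattern."""
    dates = sorted(d for d, _ in s.events)
    for earlier, later in zip(dates, dates[1:]):
        gap = (later - earlier).days
        if gap >= DORMANCY_DAYS:
            return [("ZOMBIE_REACTIVATED", f"{s.name}: active again after {gap} days")]
    return []


def check_bank_change(s: Supplier) -> list:
    """Payment details changed and an invoice followed within the window."""
    changes = [d for d, k in s.events if k == "bank_change"]
    invoices = [d for d, k in s.events if k == "invoice"]
    return [("BANK_CHANGE_THEN_INVOICE", f"{s.name}: bank change {c} then invoice")
            for c in changes
            if any(0 <= (i - c).days <= BANK_CHANGE_WINDOW_DAYS for i in invoices)]


def assess(s: Supplier) -> list:
    return check_registry(s) + check_dormant_reactivation(s) + check_bank_change(s)


def flag_codes(s: Supplier) -> list:
    return sorted({code for code, _ in assess(s)})


# Constructed sample ledger: a clean vendor, a clone, a hijacked zombie, and a ghost.
D = date
SUPPLIERS = [
    Supplier("S-001", "Acme Components Ltd", "01234567", "acme-components.com",
             [(D(2024, 1, 15), "order"), (D(2024, 7, 2), "order"), (D(2025, 1, 20), "invoice")]),
    Supplier("S-002", "Acme Components Ltd", "01234567", "acme-c0mponents.com",
             [(D(2025, 2, 1), "order"), (D(2025, 2, 3), "invoice")]),
    Supplier("S-003", "Northwind Logistics Ltd", "07654321", "northwind-logistics.co.uk",
             [(D(2022, 6, 1), "order"), (D(2022, 9, 15), "invoice"),
              (D(2025, 3, 1), "bank_change"), (D(2025, 3, 5), "invoice")]),
    Supplier("S-004", "Ghost Supplies Ltd", "99999999", "ghost-supplies.net",
             [(D(2025, 4, 1), "order")]),
]

if __name__ == "__main__":
    for s in SUPPLIERS:
        for code, msg in assess(s) or [("OK", f"{s.name}: no flags")]:
            print(f"{s.supplier_id} {code}: {msg}")
```

Each check is deliberately independent and returns a coded flag rather than a verdict, so the output can feed the human review loop described above: the clone (S-002) is caught only by the domain comparison, the hijacked dormant account (S-003) only by the timing checks, and the ghost (S-004) only by the registry lookup. A real deployment would replace the inline registry with a live lookup and extend the event feed with the ordering, payment and communication signals the article lists.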
As generative AI evolves, so too will the sophistication of phantom suppliers. Synthetic documentation, AI-written proposals and even deepfake video calls can be used to create convincingly authentic vendors.
Imagine a scenario where a supplier onboarding team receives a video verification call from a ‘company director’, complete with matching ID and credentials, only for the entire interaction to be AI-generated. This is no longer science fiction. Criminal groups are already experimenting with synthetic identities and deepfakes to bypass due diligence checks.
Defending against this next generation of phantom suppliers will therefore require equally advanced countermeasures:
- AI models trained to detect falsified documentation and behavioural inconsistencies
- Cross-verification of supplier data across multiple independent registries
- Zero-trust architectures that treat every supplier interaction as potentially compromised until verified.
The missing link: collaboration
Phantom suppliers thrive in organisational silos. Procurement focuses on efficiency, finance on budgets, cybersecurity on networks. Rarely do these teams share data or align on shared threat intelligence.
To close the trust gap, collaboration must become standard practice. Procurement teams need to treat supplier risk as an extension of cybersecurity risk. Cybersecurity professionals, in turn, must consider supply chain data as part of their threat landscape. Cybersecurity is business security.
When finance, IT and procurement work together, red flags emerge sooner: mismatched invoices, unverified bank details, suspicious supplier domains. Shared visibility creates resilience.
A new frontline for cybersecurity
The story of digital procurement has so far been one of acceleration: faster onboarding, automated approvals, seamless transactions. But as the technology matures, the narrative must evolve from efficiency to resilience.
True digital maturity means understanding that speed and security are not mutually exclusive. Organisations must slow down at the right moments: to verify, to question, to validate identity.
Phantom suppliers reveal the uncomfortable truth that trust cannot be automated. It must be designed, tested and continuously reinforced.
At LRQA, we work with global organisations to embed this philosophy, building resilience through continuous assurance, data integrity and governance frameworks that make trust measurable.
Procurement is not a back-office function, it’s a new frontline defence in the battle for digital trust. The integrity of your suppliers determines the security of your systems, your data and your reputation. The emergence of phantom suppliers is a governance and risk issue that touches every part of an organisation.
To stay ahead, businesses must:
- Recognise identity as infrastructure: Treat supplier verification with the same rigour as user authentication.
- Adopt continuous assurance: Move from static audits to dynamic monitoring.
- Invest in culture: Empower teams to question anomalies and challenge automation when something doesn’t feel right.
- Collaborate across functions: Align procurement, finance, IT and cybersecurity teams around shared objectives of trust and transparency.
Assessment frameworks such as ISO 27001 and SOC 2 Type II can make a strong contribution towards addressing the risks of phantom suppliers, whilst also providing assurance to an organisation’s clients that supplier risk is being effectively managed. Note that such a certification attests to the certified organisation’s own controls; it does not by itself verify the identity of any individual supplier, which is why the continuous checks above remain necessary.
Phantom suppliers will continue to exploit digital complexity and automation gaps. But by combining technology with human intelligence, and embedding trust at the core of procurement, organisations can turn the tables.
In an era where identity is the new battleground, resilience begins with knowing who you’re really doing business with.
PCR Tech and IT retail, distribution and vendor news