The risks of manual routines
Written by The editorial team

Many cyber-attacks don't start with technology, but by manipulating people. Cybercriminals often focus their attention on finance teams, looking for opportunities in familiar routines and vulnerabilities. They take advantage of trust, busy workdays, and the patterns we rely on every day.
This year, the EU's cybersecurity agency, ENISA, has chosen to focus on social engineering during Cyber Security Month 2025. It's not without reason - it's often people, not technology, that are the weakest link in the security chain.
Here's how cybercriminals exploit human psychology 🧠
1. Trust and confidence
We're wired to trust each other, especially in established relationships. Cybercriminals know this and can very easily pretend to be someone you have an established trust in. The most common and effective method is executive fraud, where a fraudster poses as a manager and asks you to make a "confidential" and important payment.
2. Stress
A busy life with tight deadlines is a scammer's best friend. When we're stressed, we make quicker decisions and are less likely to double-check details. Cybercriminals create an artificial sense of urgency with clear instructions:
"HASTER": Betalingen skulle vært gjort i går!
"KONFIDENSIELT": Du må ikke involvere andre.
"STRAKS": Jeg er utilgjengelig på telefon, bare få det gjort!
These triggers are designed to get you to act before you have time to think.
3. Routines
When we do a task for the hundredth time, we go on autopilot. This is effective, but also dangerous. A manual, routine workday is an invitation to overlook critical details.
The classic example is invoice fraud by changing the account number.
You receive an invoice from a well-known supplier. Everything looks the same - logo, layout, amount. But in one small sentence it says: 'Please note that we have changed our bank connection. The new account number is...'
Because 99% of the information is known and correct, our brains are trained to approve the one percent that has changed. The autopilot has taken over.
Manual processes: An open invitation to hackers
So why are these psychological attacks so effective? Because manual and fragmented work processes create the perfect vulnerabilities.
"Many people think, 'we've always done it this way, and it's been fine.' But in today's threat landscape, this mindset can be dangerous. A traditional, manual invoice process has several inherent weaknesses that cybercriminals know how to exploit."
Torgeir Lyngstad, Product Line Manager, Compello.
We can break down the risk like this:
1. Lack of overview and control:
Paper invoices or emailed PDFs are difficult to track. Who has approved what? Is this a real invoice or a copy? Without a centralized system, there are blind spots that are perfect for fraudsters.
2. High risk of human error:
Manually punching in Payment Reference Number and account numbers is a significant risk factor. A small typo can send money to the wrong recipient, or in the worst case - to a fraudster.
3. Vulnerability to internal fraud:
Manual systems often lack robust access controls and a clear audit trail. Unfortunately, this makes it easier for someone with dishonest intentions to manipulate payments.
4. Ineffective exception handling:
What happens when an invoice doesn't match the purchase order? In a manual process, this requires time-consuming detective work. Fraudsters often take advantage of this chaos, hoping that busy employees will approve the invoice to get it out of the way.
"View every manual task as a potential risk. And it's not the employees' fault – the lack of a robust system is the real weakness."
Torgeir Lyngstad, Product Line Manager at Compello .
Here's how to close the security gaps: Good habits for employees and systems
Securing your business is about two things: strengthening your human firewall and implementing systems that reduce risk.
Practical tips for employees:
- Think before you click: Always be wary of emails that create urgency or ask for sensitive information. Look for discrepancies in the sender's email address, bad language and unexpected changes in account numbers. In doubt? Wait and check it out before clicking any links or making payments.
- Use strong and unique passwords: Do not reuse passwords across services. Use a password manager to create and store complex passwords.
- Turn on multi-factor authentication (MFA) where you can: This is one of the most effective single measures you can take. It adds an extra layer of security that stops the vast majority of account hijackings.
Establish good system routines:
- Secured supplier register: Establish a set routine for changing supplier data. Changes to account numbers should never be accepted based solely on an email. This must be verified through another channel. A good invoicing system can notify you automatically when such information changes.
- Digitize and automate: The best way to remove human, manual risk is to remove as many of the manual tasks as possible. An automated invoicing system gives you tracking, access control, audit trails and fixed approval flows that can't be bypassed by a stressful email.
ENISA sees that even the most advanced technical security measures have little effect if an employee unknowingly opens the door for the attacker. By focusing on social engineering, they shift the attention from pure technology to human behavior.