Understanding Vendor Email Compromise Attacks

While businesses are becoming increasingly aware of the dangers of social engineering, it’s important to remain ever vigilant because the tactics continue to evolve. Tactics like phishing remain a threat and there’s no doubt that the impact can be substantial. That being said, the impact is generally contained to one company. Vendor Email Compromise (VEC) on the other hand is an emerging social engineering tactic that not only compromises one company, but their entire supply chain.

These strikes are becoming increasingly more prevalent, as they bring the possibility of an even bigger payout for attackers. According to Armen Najarian, Chief Identity Officer of The Agari Cyber Intelligence Division (ACID) group, “on average, a Business Email Compromise (BEC) CEO fraud attack will generally pay out in the $50,000 to $55,000 range, but a successfully executed Vendor Email Compromise (VEC) attack will pay more than double at around $125,000 on average.”¹  According to Agari, “VEC is likely to overtake BEC as the single biggest potential financial fraud during the course of 2020.”²  That’s why it’s so important to watch out for and properly educate employees – especially those that receive and process invoices. 

Here’s what you need to know to prevent a VEC attack on your business.

What is Vendor Email Compromise (VEC)?

A VEC attack aims to take over the email account of a vendor. The attacker issues near-identical vendor invoices or billing documents to the often-larger client companies with new banking information in the hopes of diverting payments to themselves. The destination accounts are often accounts owned by the attacker, used to aggregate funds from multiple targets but, without a paper trail leading back to the attacker.
 
How do they do it?

• The VEC group sends phishing emails to the vendor's staff that include a malicious link.
• Once the vendors click on the link, they're redirected to a phishing login page where vendors are asked to log in using their credentials.
• Once the vendors enter their credentials, the attacker uses those credentials to set a forwarding rule to forward all emails received by the vendors to the attacker's email.
• The attacker then monitors the inbox for any emails regarding invoices or payments.
• If the attacker notices emails that contain invoices or payments, they will duplicate those invoices and send a modified invoice with new banking details pointing to an attacker owned account (often a mule account).
• The actual target customer is never phished or directly contacted.
• The vendor's customer makes a payment to the attacker's bank account thinking that the email invoice is from the vendor.

 
What to look for:

• Urgent requests to change bank account information or payment instructions.
• Updating account or payment information right before the normal payment cycle.
• Requests for one-time wire transfers or EFTs to a different bank or account number.
• Invoices from possible spoofed or suspicious looking email addresses.
• Invoices from representatives at the vendor organization that do not typically send invoices or are not recognized.

 
Prevention Techniques:

• Ask for confirmation of banking information or payment changes through another method:
• Telephone number published in the original intake form or published on the company's website (instead of using a phone number provided by the potentially compromised email).
• An alternate email address from the same domain (@companyxyz.com) but not provided by the compromised email address.
• Consider a secondary review of payment information changes by another team member to increase the probability of identifying unusual or suspicious information.
• Recommending preventative measures for vendors:
• Disallow email auto-forwarding rules.
• Ensure anti-phishing/suspicious email training is completed.

¹Townsend, K. (2019, November 4). Vendor Email Compromise is Latest Identity Deception Attack. Retrieved March 11, 2020
²Townsend, K. (2019, November 4). Vendor Email Compromise is Latest Identity Deception Attack. Retrieved March 11, 2020