Vendor email compromise is a type of business email compromise attack that impersonates a third party vendor to attack the vendor’s customers or suppliers.
Vendor email compromise, also referred to as “financial supply chain compromise”, is a targeted type of business email compromise (BEC) attack in which attackers impersonate a third-party vendor in order to steal from that vendor’s customers. Vendors often work with a variety of customers — by compromising and impersonating the vendor, attackers can persuade multiple targets to give up money or sensitive information.
Business email compromise (BEC) is a type of social engineering attack carried out over the victim’s email. In a BEC attack, the attacker sends a falsified plain-text email message that tricks the victim into a predetermined set of actions, such as revealing sensitive data.
BEC is notable in that it often targets a specific individual within an organization, and it is often difficult to detect. The emails can easily go unnoticed by traditional email security solutions because they contain no malware, malicious links, dangerous attachments, or other elements that email security solutions use to filter and identify phishing emails. BEC emails consist of plain text carefully crafted to trick the recipient and to evade the existing security tech stack. They are typically phrased to mimic the tone and content of trusted senders, such as coworkers or the CEO, which helps trick the recipient into engaging with them.
While vendor email compromise attacks are a type of BEC attack, the two are not necessarily the same. A typical BEC campaign targets an individual or executive to obtain confidential information, while a vendor email compromise campaign typically requires a deeper understanding of existing business relationships, such as payment structures, financial information, and established vendor-client processes. The research phase of a vendor email compromise may take weeks to months, and the potential payoff for the attacker is far greater.
Vendor email compromise attacks are sophisticated, complex, and hard to detect. They can take months, if not years, to design, infiltrate, and fully implement. However, there are common steps to every vendor email compromise attack:
Vendor email compromise campaigns affect two different victims — the compromised vendor, and the vendor’s customers or suppliers.
Compromised vendors may experience reputational damage and financial losses in the form of misdirected payments. The attacker can gain access to funds meant for the vendor by redirecting client payments to an attacker-specified account. And once the attack campaign is discovered, the vendor’s reputation may take a hit due to fears that an existing or potential client’s private data will be exposed.
In addition, the “final” targets – the clients or suppliers targeted from the compromised vendor account – may suffer steep financial losses, loss of service, and a jeopardized supply chain.
One example of a vendor email compromise attack is the December 2020 attack on nonprofit One Treasure Island. Attackers impersonated a third-party bookkeeper, infiltrated existing email chains, and sent a payment transfer request email with alternative wire transfer instructions. One Treasure Island staff member transferred a large payment meant for the partner into the attacker’s account, losing $650,000. This attack led to financial losses, loss of service and a jeopardized vendor for One Treasure Island, and reputational and financial loss for the compromised third-party bookkeeper.
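The two points above (plain-text emails that carry no malware or links, and a payment request in an existing thread that quietly swaps the wire instructions) imply that a defender cannot rely on attachment or URL scanning; the signal is in the headers and the request itself. The following is an added example, not Cloudflare's code or the detection used in the One Treasure Island case: a small triage routine over constructed sample emails. It flags any message that asks to change where a payment goes, escalates when the sender domain is a lookalike of a known vendor domain or the Reply-To points somewhere else, and otherwise holds the message for out-of-band verification, since a genuinely compromised vendor mailbox produces no header anomaly at all. The vendor domains, addresses and message bodies are constructed for the example.

```python
"""Triage rules for vendor-payment emails (constructed example, not Cloudflare's code)."""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

# Domains of vendors this organisation pays; hypothetical values.
KNOWN_VENDOR_DOMAINS = {"acme-bookkeeping.example", "northwind-supply.example"}

# Wording that asks the recipient to send money somewhere new.
PAYMENT_CHANGE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\b(new|updated|changed|alternative)\s+(bank|wire|ach|account|remittance)",
        r"\bwire\s+transfer\s+instructions\b",
        r"\brouting\s+number\b",
        r"\bremit(?:tance)?\s+to\b",
    )
]


@dataclass
class Assessment:
    verdict: str                      # "deliver", "review", "hold_for_verification", "quarantine"
    signals: list = field(default_factory=list)


def _domain(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known_domains):
    """Return the known vendor domain this one imitates, or None."""
    for known in known_domains:
        if domain != known and _edit_distance(domain, known) <= 2:
            return known
    return None


def assess(raw_message):
    """Classify one RFC 822 message for payment-redirection risk."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg["Reply-To"]) if msg.get("Reply-To") else from_domain
    body = msg.get_payload() if not msg.is_multipart() else ""

    signals = []
    if any(p.search(body) for p in PAYMENT_CHANGE_PATTERNS):
        signals.append("payment_change_request")
    twin = lookalike_of(from_domain, KNOWN_VENDOR_DOMAINS)
    if twin:
        signals.append(f"lookalike_of:{twin}")
    if reply_domain != from_domain:
        signals.append(f"reply_to_mismatch:{reply_domain}")

    wants_change = "payment_change_request" in signals
    header_anomaly = twin is not None or reply_domain != from_domain
    if wants_change and header_anomaly:
        verdict = "quarantine"
    elif wants_change:
        # Content alone cannot tell a compromised real mailbox from a legitimate
        # change, so the rule is: verify by phone against a number already on file.
        verdict = "hold_for_verification"
    elif header_anomaly:
        verdict = "review"
    else:
        verdict = "deliver"
    return Assessment(verdict, signals)


# Constructed sample messages.
COMPROMISED_VENDOR = "\n".join([
    "From: Acme Bookkeeping <billing@acme-bookkeeping.example>",
    "To: ap@client.example",
    "Subject: RE: October invoice",
    "In-Reply-To: <thread-1@client.example>",
    "",
    "Thanks for confirming. Please note our updated wire transfer instructions below",
    "before releasing the October payment.",
])
LOOKALIKE_DOMAIN = COMPROMISED_VENDOR.replace("acme-bookkeeping.example", "acme-bookeeping.example")
REPLY_TO_ELSEWHERE = "\n".join([
    "From: Acme Bookkeeping <billing@acme-bookkeeping.example>",
    "Reply-To: acme.billing@webmail.example.net",
    "To: ap@client.example",
    "Subject: Remittance update",
    "",
    "Going forward please remit to the new account listed in the attached letter.",
])
BENIGN_INVOICE = "\n".join([
    "From: Acme Bookkeeping <billing@acme-bookkeeping.example>",
    "To: ap@client.example",
    "Subject: October invoice",
    "",
    "Invoice 1042 for October services is attached. Payment terms remain net 30.",
])

if __name__ == "__main__":
    for name, raw in [("compromised", COMPROMISED_VENDOR), ("lookalike", LOOKALIKE_DOMAIN),
                      ("reply-to", REPLY_TO_ELSEWHERE), ("benign", BENIGN_INVOICE)]:
        print(name, assess(raw))
```

The verdict that matters most is `hold_for_verification`: the first sample has a correct sender domain, a matching Reply-To and sits in a real thread, exactly the shape of a compromised-vendor message, so the only defensible control is a process one (confirm any banking change through a channel that does not originate from the email). The lookalike and Reply-To rules catch the cheaper impersonation variants before they reach a human.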
Cloudflare email security protects against a wide range of attacks, including preventing sophisticated and hard-to-detect targeted vendor email compromise campaigns. This advanced email protection is powered by Cloudflare’s global network, which blocks an average of 86 billion threats a day. As part of the Cloudflare Zero Trust platform, it helps provide continuous, comprehensive security and makes it easy for vendors and organizations to enforce secure, cloud-native, on-premise security solutions.