The anatomy of vendor email compromise

Slow play attacks with a big payout

Business email compromise (BEC) attacks have evolved

Phishing scams have long plagued organizations across the globe, from spear-phishing targeted employees to more general advanced-fee fraud, in which a small fee is requested in exchange for a larger payout.

Recently, a new technique — vendor email compromise, or VEC — is upping the stakes for businesses who want to protect their users from scams.

Like business email compromise (BEC) attacks, VEC works by impersonating a trusted third party and sending a legitimate-sounding but malicious email to a target. While traditional BEC attacks usually claim to be from a trusted individual within the organization, VEC goes one step further: it impersonates vendors (or other trusted third parties) in order to trick the target into paying fraudulent invoices, disclosing sensitive data, or granting access to corporate networks and systems.

According to a recent survey, 98% of firms surveyed have been negatively impacted by a cyber security breach that occurred in their supply chain. And the cost to organizations is severe. In one attack, a Toyota Group manufacturer lost more than $37 million following fraudulent payment directions from a malicious third party. Overall, the FBI reports that BEC attacks (of which VEC are a subset) have collectively accounted for $43 billion in losses over the past five years.

Due to the personalized nature of VEC, identifying a malicious request can be extraordinarily difficult — even for practiced security professionals. And these attacks are becoming more common, in part because of a global shift to remote work and cloud-based email systems, which may not have native or enabled phishing-resistant security features.

Staying ahead of these evolving phishing techniques requires a multi-pronged email security strategy designed to detect and flag suspicious email extensions and URL changes, validate domain names, and rigorously vet third-party requests.

How VEC works

Vendor email compromise, also referred to as “financial supply chain compromise,” is more sophisticated and targeted in nature than standard BEC attacks, which don’t necessarily have to be tailored to an individual to work.

In a BEC attack, an attacker impersonates a specific individual within an organization — often a CEO or someone with authority. Then, they send requests from that individual to multiple targets within the organization.

For example, an attacker might send generic payment requests to employees while claiming to be the company’s CEO. Although the requests might sound legitimate, they are relatively easy to disprove if the employee confirms the request with the actual CEO themselves.

By contrast, VEC generally requires a greater understanding of existing business relationships — like ongoing project details, budget data, and financial transaction schedules. This research process may take weeks to months, but the potential payoff for the attacker is far greater than more generalized attack methods, as it can take a significantly longer time for the target to identify the attack and stop payments from going through.

Once an attacker has convinced their target to interact with them, they can carry out further malicious actions: requesting payment for fake invoices, tampering with billing account details, gathering sensitive information about the targeted organization, and so on.

The diagram above demonstrates a VEC attack sequence, one in which the attacker infiltrates a vendor’s email account to carry out fraudulent payment requests.

How VEC plays out in the real world

In a recent series of attacks, the FBI found that attackers were impersonating US-based construction companies — an industry that averages $1.9 trillion in annual revenue. Attackers researched the top construction companies in the country and collected both public and private data about the companies’ client bases.

Then, the attackers used domain spoofing to create email accounts from which they could launch fraudulent communications with the targeted organizations, often requesting a change in bank account details. Using VEC tactics, in which they tailored email messages, invoice requests, and direct deposit changes to each target (based on the data they had already collected), attackers defrauded organizations of “hundreds of thousands to millions of dollars.”

Frequently, the FBI noted, it took “days or weeks” before victims even noticed the attack had been carried out. And financial recovery options were limited: when one school district mistakenly wired $840,000 to a fraudulent construction company, they were only able to recover $5,000 of the stolen funds.

How to identify VEC attempts

Like most advanced phishing attacks, VEC is difficult to detect. Attackers often use a combination of attack methods to make their messages appear real, whether by spoofing the domain of a reputable vendor or by providing details that may not be public information in order to “prove” their legitimacy.

There are three primary reasons VEC attacks typically evade detection:

1. The initial supplier or vendor does not realize they are compromised.

2. The campaign happens over extended periods of time and multiple email threads, where most of the conversation is benign and lacks a malicious payload.

3. Calls to action (e.g. paying a recurring invoice) are not flagged as suspicious because they are designed to sound normal and non-urgent.

To prevent VEC, organizations need a security partner that can help verify incoming emails and mitigate fraudulent activity. Some helpful strategies for preventing VEC include the following:

• Configure email settings to identify and block phishing attempts. Use rigorous security protocols to scan and flag malicious email messages.

  • Prevent email spoofing by using email authentication protocols like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC)

  • Deprecate less secure email protocols like POP, IMAP, and SMTP

  • Flag suspicious-looking URLs with intrusion detection system (IDS) rules

  • Use multi-factor authentication (MFA) to verify third-party access and requests for account-level changes (such as password reset)

• Vet third-party transaction requests. Verify all transaction information and account details with the appropriate parties before approving requests to transfer funds. Additionally, incorporate a formal review and approval process when bank information has been modified by an existing vendor.

• Educate employees on emerging scams. Phishing techniques are continuously evolving to evade mitigation. Routinely educate employees on common signs of email threats in order to lower the likelihood of a successful attack.

  • Enforce any mitigation methods and internal processes your organization has developed to identify email-based attacks.

  • Train users to examine emails for common phishing elements — typos in domain names, hyperlinks that contain variations of real URLs (e.g. “RealCo.com” instead of “RealCompany.com”), etc.

  • Encourage employees to practice good email hygiene — do not respond to unsolicited or urgent email requests for personal or financial information.

Detect and prevent VEC with Cloudflare

Cloudflare email security protects against a wide range of attacks, including targeted, long-term vendor email compromise attempts. Through a combination of web crawling, pattern analytics, and advanced detection techniques, it scans the Internet for attacker infrastructure, analyzes messages to identify suspicious elements, and blocks phishing emails from reaching the inbox.

This advanced email protection is powered by Cloudflare’s global network, which blocks an average of 209 billion cyber threats per day — giving organizations unique threat intelligence data that allows them to more effectively filter out targeted phishing attacks and other cyber threats. And, as part of the Cloudflare Zero Trust platform, it helps provide continuous, comprehensive security for remote and office users alike.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Key takeaways

After reading this article you will be able to understand:

• How VEC attacks infiltrate organizations

• The warning signs of a VEC attack

• Strategies to identify and stop sophisticated phishing scams

Related resources

• Phishing Risk Assessment

• Webinar: Phishing and Business Email Compromise

• It Started Out with a Phish: 2021 Email Security Report

• Datasheet: Cloudflare Email Security