The amount of publicly available information about companies and business relationships makes it easy to stay up to date on the happenings within and around an organization with just a quick search. However, as more information becomes public, bad actors can just as easily uncover it for their own gain.
While traditional email scams are still prominent, financial fraud threats are carefully crafted for the organizations at the receiving end of these targeted attacks. According to the 2022 Email Security Threat Report, the Armorblox research team saw a 73% increase in financial fraud email threats year-over-year from 2021 to 2022. And 44% of these financial fraud attacks were sophisticated, targeted attacks such as wire fraud, invoice fraud, or vendor fraud.
How Attackers Become Knowledgeable About Vendor Relationships That Can Be Exploited
Bad actors can easily become privy to the relationships of the target business(es), trusted vendors and third-party contacts, and common business email workflows. Attackers gain knowledge about each organization's vendor relationships by using publicly available information and by compromising trusted vendor or supply chain partner accounts.
Unfortunately, it's quite easy with some quick internet sleuthing to uncover details around the vendors and third-party contacts organizations are frequently in contact with. For example, bad actors can easily obtain this information when businesses post information about trusted clients or vendors on websites or via press releases. With the amount of information on the internet constantly growing, bad actors are continuously being given the opportunity to strike.
Companies usually have varying levels of security hygiene, and compromising one weak link in a supply chain can result in compromising the entire chain. Attackers lean into this when looking to compromise trusted vendors, suppliers, or third-party contacts in communication with the target organization. After successfully compromising trusted accounts, bad actors have full access to the nature of the business relationship, including invoices, confidential business data and information, and bank account and routing numbers, all of which they can leverage to craft targeted and financially damaging attacks.
Armorblox Vendor and Supply Chain Attack Protection
To protect against the misuse of trusted vendor and third-party relationships and confidential information, Armorblox continuously monitors vendor communications for indicators of compromise and provides proactive remediation against these costly attacks.
Armorblox automatically identifies and monitors vendors and business workflows
To protect against vendor fraud attacks, Armorblox first monitors all email communications for indicators of an ongoing or forming vendor relationship. Armorblox automatically detects and identifies vendor and supply chain relationships in real time based on contextual information and on language and behavior signals indicative of a vendor relationship. These vendor relationship behavior baselines are created and monitored through various signals, including business email workflows involving invoices, wire transfers, or bank account information; new product or service confirmation emails; and communications around contract negotiations.
Through continuously monitoring these business workflows, Armorblox accurately identifies both trusted and new vendors to create organization-specific growing databases of vendors and third-party contacts. With around-the-clock monitoring and risk analysis of over 50,000 vendors’ communication patterns and behaviors, Armorblox ensures customers can always communicate with confidence.
Armorblox assesses each vendor’s risk to prevent vendor fraud attacks
Armorblox automatically creates risk profiles for each vendor based on the history of compromise, communication patterns, and email security hygiene. Armorblox uses these profiles to highlight high-risk vendors and businesses at an organizational level, so teams can quickly identify which vendors are more vulnerable to compromise and pose a high risk to the organization if communication continues. Security teams can see a list of all vendors in communication across the organization and the associated risk level in a single view, and take preventative measures accordingly. Whether that means informing internal teams of the caution necessary for ongoing communication with a higher-risk vendor, or ceasing all communications until compromised vendors rectify vulnerabilities, Armorblox provides the bird's-eye view so organizations can protect end users and the company from vendor fraud and supply chain attacks.
Some of the signals that Armorblox looks for to monitor vendor risk include:
- Attackers interjecting on sensitive business workflow email threads
- Requests for change in bank account information
- Look-alike vendor domains and spoofed vendor contacts
- Vendor history of compromise
- Domain email security protocol status failures
- Sensitive workflow cadence
- Unusual invoices
- Sensitive information being requested with no prior context
The Power of Armorblox in Action
Each vendor fraud attack and vendor compromise attempt detected and stopped by Armorblox automatically increases the risk score of the associated vendor. Below, we see an example of a vendor account compromise attack that Armorblox successfully quarantined, preventing any customer from falling victim to this targeted attack.
The above email was crafted to look like it was being sent from Artemis Fowl, a main contact at the trusted vendor account, Foxtrot. Armorblox accurately detected that Artemis’s account had been compromised based on a variety of communication and behavior signals, including the extremely suspicious and urgent request to change banking details over email, sensitive financial language and content included, and unusual behavior between the sender and receiver contacts based on low communication history.
Given the communication patterns and the financial content shared within the email, along with the myriad of other signals used to determine fraud, Armorblox determined that this was an unusual communication and, in this case, a vendor account compromise. Additionally, the Foxtrot vendor account had not previously communicated with the target organization in this manner, creating a behavior signal indicative of fraud. Events like these increase the risk score of a particular vendor, and we see below that the vendor risk score of Foxtrot reflects this recent account compromise attempt Armorblox detected.
The risk score assigned to each vendor is a combination of the number of vendor fraud and supply chain attacks this vendor is associated with, and signals that indicate poor security hygiene. Armorblox detects three main types of vendor fraud and supply chain attacks:
- Vendor Impersonation: Attackers create a look-alike domain to impersonate the legitimate domain of the trusted vendor.
- Vendor Spoofing: The email appears to come from the vendor, but in reality it is spoofed. The From header is manipulated to make the email appear to be sent from a trusted vendor contact.
- Vendor Account Compromise: A vendor’s email account is compromised and is being used by bad actor(s) to send targeted email attacks to end users across the target organization.
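The three attack types above can be told apart with header and content checks, as in this added Python example (not Armorblox's detection logic, which the page does not show). The vendor list, the sample messages, the edit-distance threshold of 2 and the keyword pattern are assumptions, and the Authentication-Results header is assumed to be stamped by the receiving organization's own mail gateway.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: vendor domains the organization already trusts.
KNOWN_VENDOR_DOMAINS = {"foxtrot.example"}
# Crude stand-in for content analysis: a request to change payment details.
BANK_CHANGE = re.compile(
    r"\b(new|updated?|change[ds]?)\b.{0,40}\b(bank|account|routing)\b", re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def dmarc_result(msg):
    """Return the dmarc= verdict from Authentication-Results, or 'none'."""
    # Assumption: the gateway strips any copy of this header sent by the sender.
    for part in (msg.get("Authentication-Results") or "").split(";"):
        m = re.match(r"\s*dmarc=(\w+)", part, re.I)
        if m:
            return m.group(1).lower()
    return "none"

def classify(raw):
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        if dmarc_result(msg) != "pass":
            return "vendor_spoofing"          # vendor's domain, failed authentication
        # Authenticated mail can still come from a hijacked mailbox.
        hit = BANK_CHANGE.search(msg.get_payload())
        return "possible_account_compromise" if hit else "vendor_ok"
    if any(0 < edit_distance(domain, v) <= 2 for v in KNOWN_VENDOR_DOMAINS):
        return "vendor_impersonation"         # look-alike of a known vendor domain
    return "unrelated"

def sample(from_addr, dmarc, body):
    """Build a constructed test message."""
    dom = from_addr.split("@")[1]
    return (f"From: Artemis Fowl <{from_addr}>\n"
            f"Authentication-Results: mx.customer.example; dmarc={dmarc} header.from={dom}\n"
            f"Subject: Invoice\n\n{body}\n")
```

A keyword match on an authenticated message only flags it for review; confirming an account compromise needs the behavior history the article describes.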
Armorblox protects end users from these attacks through automated remediation actions, such as removing the malicious email from employee inboxes before employees can engage with it, and protects organizations from significant financial loss. Accurately identifying when vendor-related business workflows have been compromised requires email security solutions that understand language as a signal. Armorblox understands the content and context of email communications, including the patterns and narratives that attackers commonly craft when defrauding victims:
- Billing account update requests
- Fake invoices for a service or product
- Hijacking a payment-related workflow and providing updated banking information
- Credential phishing attacks disguised as a link to review an account document
Armorblox Vendor and Supply Chain Attack Protection provides sophisticated protection against these types of targeted attacks, which use language as the main attack vector with the goal of exfiltrating sensitive information or achieving financial gain.
Customers benefit from Armorblox Vendor Compromise and Supply Chain Attack Protection in a number of ways, including:
- Enhanced Detection: Protect against vendor fraud attempts and supply chain attacks on the organization such as invoice fraud, look-alike domains, or hijacking payment-related email threads.
- Continuous Monitoring: Immediate protection against compromised accounts with around-the-clock monitoring and risk analysis of over 50,000 vendors.
- Improved Security Posture: Prevent loss of money, sensitive credentials, or confidential data over email with continuous risk assessment of vendors and third-party contacts, based on behavior models.