How Vendor Email Compromise Works

Team Armorblox
Written by Team Armorblox
News and Commentary /
How Vendor Email Compromise Works

You may know what BEC (Business Email Compromise) is, but have you heard of VEC (Vendor Email Compromise)? If your business transacts with vendors to supply products or services, VEC is a sophisticated cyberthreat you need to know about.

In this article, we’ll define vendor email compromise and break down how a typical VEC attack works so you know the signs to look for.

What Is Vendor Email Compromise?

Vendor Email Compromise happens when a cybercriminal takes over a recognized vendor’s legitimate email account to fool an organization into making payment information changes that ultimately benefit the criminal.

Fraudsters redirect money to bank accounts they control, convince targets to disclose sensitive information, and make them pay fake invoices. Once criminals take control of real accounts, it’s relatively easy to continue their illegal activities unabated. Supply chain partners are also at risk as these fraudulent emails can infiltrate entire industries.

VEC attacks don’t require any more tradecraft to execute than standard BEC attacks, but they do require more time spent by the cybercriminal. With great patience comes great reward: successful VEC attacks can inflict widespread damage to a business, its partners, customers, and other key stakeholders.

How Vendor Email Compromise Works

With VEC attacks, an attacker first steals the credentials of one or more employees. They then learn about the organization by reading inbound and outbound emails from the compromised accounts. Thus, VECs have two phases: dormant and active.

In the dormant phase, the attacker quietly steals credentials and then logs in from an innocuous location or IP address to set up mail forwarding rules. This phase is difficult to spot since there isn’t much suspicious activity to detect yet.

VEC In Action: The Lifecycle of a VEC Attack

Vendor Email Compromise attacks take time, with successful attacks often unfolding over a period of weeks. Here is a sample VEC attack timeline.

Img

Day 0

  • The attacker steals the credentials of an employee in the Accounts Receivable department at Company A through a phishing link, jane.doe@companyA.com.
  • The attacker signs into Jane’s email address and deletes any evidence of the phishing email that compromised her.
  • The attacker then sets up a mail forwarding rule in Jane’s account that auto-forwards all emails to a mailbox created for this purpose.

Day 1 - 14

  • The attacker reads all emails in Jane’s inbox to understand the organization’s email workflows and identify high-value targets for compromise.

Day 15

  • A legitimate vendor transaction comes into play, and Jane does her job as usual.

Img

Day 16

  • The attacker is aware of this active invoice payment request and registers the domain “Acompany.com.”

    Note: Spoofing a domain as a separate internal domain of Company A may be more successful for fraudsters than other domain look-alike attempts in the past.

    For example, if the attacker registered a domain like “cornpanyA.com” with the “r” and “n” closely mirroring an “m,” and the recipient caught this inconsistency, the gig would be up. On the other hand, a domain spoof of a likely internal domain is easier to justify in some cases.

  • The attacker sends an email from jane.doe@Acompany.com, with the original thread below the message.

Img

  • The attacker sends another email from susan.b.anthony@Acompany.com, with the original thread below the message to add additional credibility.

Img

The Danger of Vendor Email Compromise Attacks

The added danger in vendor email compromise is clear. Unlike the three weaknesses of a Business Email Compromise attack, VEC attacks have an answer for each drawback:

  1. BEC WEAKNESS: The attacker is the one that must initiate the first email, which elicits suspicion among the recipients.

    VEC STRENGTH: The attacker no longer needs to initiate an attack, as they can merely insert themselves (and their bank credentials) into a legitimate business transaction.

  2. BEC WEAKNESS: A fresh employee may feel the need to verify with a coworker or direct manager the proper protocol for corporate financial changes and transactions. Introducing a second or third pair of eyes on the request can quickly defuse the situation as a hoax.

    VEC STRENGTH: An attacker gains additional knowledge of a target organization’s best practices, standard operating procedures, writing styles, common apps, file types, social engineering, and a timeline of when VIPs may be out of office. As a result, the victims of these attacks usually don’t suspect anything nefarious because messages sent by the attacker so closely mirror what a typical employee would do or say.

  3. BEC WEAKNESS: The executive may be in the same office as the victim. If the victim has face-to-face communication with the VIP, the attack can implode.

    VEC STRENGTH: Because VECs usually occur with third-party vendors, the chances of a victim bumping into them in person are extremely low.

Why Traditional Cybersecurity Solutions Fail to Detect Vendor Email Fraud

Traditional cybersecurity solutions fail to catch these new VEC attacks because:

  • Detecting a suspicious login attempt or IP address are small signals that usually don’t warrant standalone enforcement policies.
  • Detecting look-alike domains inside a protected organization is easy, whereas the detection of look-alike domains outside of the organization is much more difficult.
  • Reading and analyzing the content and context of an email exchange is a manual process. Only an NLU platform trained on a large, accurately-labeled dataset can automate this process. Additionally, the platform would have to constantly retrain and easily classify what’s important, which is no easy feat.


    To learn more about how Armorblox stops VEC attacks, take a 5-minute product tour below.

Take 5-min product tour

Read This Next