Vendor Email Compromise is a refined attack that builds upon BEC techniques to defraud organizations. Discover what a VEC attack looks like in action.
Vendor Email Compromise (VEC) is a type of social engineering attack where a cybercriminal impersonates a trusted vendor for financial gain. VEC attacks are elaborate, sophisticated, and take place over days or weeks to establish trust and remain undetected.
Wondering why VEC attacks are so hard for traditional security systems to catch? This article will break down the lifecycle of a VEC attack so you know the signs to look out for.
How Vendor Email Compromise Works
With VEC attacks, an attacker first steals the credentials of one or more employees. Then they learn about the organization by reading emails from the compromised accounts. Thus, VEC attacks have two phases: dormant and active.
In the dormant phase, the attacker quietly steals credentials and logs in from an innocuous location or IP address to set up mail forwarding rules. Unfortunately, this phase is difficult to spot since there isn’t much suspicious activity to detect yet.
In the active phase, the attacker creates a fake domain name and waits for a financial transaction. The attacker then inserts new bank details into existing email threads and awaits payment. After receiving payment, funds are immediately transferred to other accounts to avoid traceability.
Read more: 4 Vendor Fraud Red Flags to Watch Out For
The Lifecycle of a VEC Attack
Vendor Email Compromise attacks take time, with successful attacks often unfolding over a period of weeks. Here is a sample VEC attack timeline.
Day 0
- The attacker steals the credentials of an employee in the Accounts Receivable department at Company A through a phishing link, jane.doe@companyA.com.
- The attacker signs into Jane’s email address and deletes any evidence of the phishing email that compromised her.
- The attacker then sets up a mail forwarding rule in Jane’s account that auto-forwards all emails to a mailbox created for this purpose.
Day 1 - 14
- The attacker reads all emails in Jane’s inbox to understand the organization’s email workflows and identify high-value targets for compromise.
Day 15
- A legitimate vendor transaction comes into play, and Jane does her job as usual.
Day 16
Now the compromise enters its active phase.
- The attacker is aware of this active invoice payment request and registers the domain “Acompany.com.”
Note: Spoofing a domain as a separate internal domain of Company A may be more successful for fraudsters than other domain look-alike attempts in the past.
For example, if the attacker registered a domain like “cornpanyA.com” with the “r” and “n” closely mirroring an “m,” and the recipient caught this inconsistency, the gig would be up. On the other hand, a domain spoof of a likely internal domain is easier to justify in some cases. - The attacker sends an email from jane.doe@Acompany.com, with the original thread below the message.
- The attacker sends another email from susan.b.anthony@Acompany.com, with the original thread below the message to add additional credibility.
Why Vendor Email Compromise Attacks Are Often Successful
The added danger in vendor email compromise is clear. However, unlike the three weaknesses of a Business Email Compromise attack, VEC attacks have an answer for each drawback:
- BEC WEAKNESS: The attacker is the one that must initiate the first email, which elicits suspicion among the recipients.
- VEC STRENGTH: The attacker no longer needs to initiate an attack, as they can merely insert themselves (and their bank credentials) into a legitimate business transaction.
- BEC WEAKNESS: A fresh employee may feel the need to verify with a coworker or direct manager the proper protocol for corporate financial changes and transactions. Introducing a second or third pair of eyes on the request can quickly defuse the situation as a hoax.
- VEC STRENGTH: An attacker gains additional knowledge of a target organization’s best practices, standard operating procedures, writing styles, common apps, file types, social engineering, and a timeline of when VIPs may be out of office. As a result, the victims of these attacks usually don’t suspect anything nefarious because messages sent by the attacker so closely mirror what a typical employee would do or say.
- BEC WEAKNESS: The executive may be in the same office as the victim. If the victim has face-to-face communication with the VIP, the attack can implode.
- VEC STRENGTH: Because VECs usually occur with third-party vendors, the chances of a victim bumping into them in person are extremely low.
To learn how Armorblox stops VEC attacks, take a 5-minute product tour below.
