Protecting Your Organization Against Vendor Fraud and Supply Chain Attacks

Written by Lauryn Cash
Threat Research

Interacting with vendors has become an everyday part of doing business, and through these frequent interactions many of us build a certain level of trust with our vendors over time. Sadly, bad actors are counting on this trust and are eager to exploit it. Organizations that work with vendors and suppliers need to take the necessary precautions to protect themselves against vendor fraud and supply chain attacks.

According to the 2022 Email Security Threat Report, the Armorblox research team saw a 73% increase in financial fraud email threats year-over-year from 2021 to 2022. And 44% of these financial fraud attacks were sophisticated, targeted attacks such as wire fraud, invoice fraud, or vendor fraud.

Below we will share the three types of vendor fraud attacks that can happen and the warning signs. We will also examine real-world instances of vendor fraud that were stopped by Armorblox, including the ways these attacks can easily bypass your native email security controls.

Three Types of Vendor Fraud Attacks

  1. Look-alike Domains
    Bad actors register look-alike domains that impersonate companies in order to borrow the credibility of well-known brands. Intentionally misleading, look-alike domains give victims a false sense that they are interacting with a legitimate brand, often leading to the theft of user credentials or sensitive business data. For example, compare walmart.com with waImart.com (the second has an uppercase i in place of the lowercase L, which is hard to notice at a glance).
  2. Header Spoofing
    Here the attacker uses mail services like SendGrid or other providers to spoof the mail header so that the message appears to come from an individual or brand the user knows or trusts. In these attacks, bad actors forge email headers so that the email client displays the fraudulent sender address. If victims see a name they recognize, they are more likely to engage and to trust that the email came from a legitimate source. This leads to unsuspecting victims clicking malicious links in the email body or attachments, opening malware attachments, or sending sensitive data.
  3. Account Compromise
    An account compromise happens when bad actors gain access to legitimate accounts in order to exfiltrate data, steal credentials, or for financial gain. When vendor accounts are compromised, these takeovers result in bad actors hijacking business email workflows for a variety of vendor- or supplier-related communications:
    • Sending an email from the compromised vendor account announcing a new distribution list or email address that must be used for all subsequent communications, so that all ongoing correspondence goes directly to the bad actor's preferred mailbox.
    • Sending a link to documents that require a login to view, leading to user credentials being compromised.
    • Hijacking an email thread about an invoice awaiting payment and inserting updated bank and account details, resulting in payment fraud as soon as the payment is sent to the bad actor's personal bank account.
    • Sending an email from the compromised vendor account containing new wire transfer instructions, leading to wire fraud and all subsequent payments going directly to the bad actor instead of the legitimate vendor.

Vendor Fraud Examples in the WILD

RFQ (Request for Compromise), Attack Summary

Vendor Fraud Attack Type: Look-alike domain

Mailboxes: More than 4,000 mailboxes

Email Security Bypassed: Microsoft Office 365

Below is an example of a look-alike-domain vendor fraud attack. In preparation, the attacker registered a new domain, countyoofnapa.org, to impersonate Napa County's real domain, countyofnapa.org. Posing as a Napa County Purchasing Manager, the attacker sent an email that looks like a legitimate request for a quote on a list of items.

Fig 1: Look-alike-domain vendor fraud attack that would have resulted in payment fraud

In vendor fraud attacks like this one, once the unsuspecting vendor returns a quote, the attacker arranges shipment of the items on NET30 terms (payment due 30 days after invoice) that will never be honoured. By the time the vendor realizes the payment is fraudulent, the attacker has already received and resold the goods and has gone silent on all further communication; the vendor never receives proper payment.

Because the look-alike domain had been properly registered (a DNS lifetime of 2 months, according to the Armorblox Research Team), email security solutions that judge only the legitimacy of the sending domain would not have caught this vendor fraud attack. Stopping targeted attacks such as this look-alike-domain attack requires email security, such as Armorblox, that treats language as a signal for fraud. By understanding the content and context of the email, Armorblox identified the 'request' being made as well as the low communication history between sender and receiver, and prevented this attack from landing in the customer's inbox.

Urgent Request for Compromise, Attack Summary

Vendor Fraud Attack Type: Look-alike domain

Mailboxes: More than 3,100 mailboxes

Email Security Bypassed: Microsoft Office 365

Below is another example of a look-alike-domain vendor fraud attack, this time impersonating a project manager at The MH Companies. The attacker spoofs the project manager's real email address and registers a new domain, accpayable.com, to carry out the targeted attack. Impersonating the project manager, the attacker sends a fraudulent payment request for an urgent transfer.

Fig 2: Look-alike-domain vendor fraud attack that would have resulted in wire fraud

The attacker aimed to instill a sense of urgency in the unsuspecting victim, playing on his or her emotions to provoke a response. In multi-step attacks such as this, once the victim responds the attacker supplies bank account and routing details, resulting in wire fraud.

In this example the look-alike domain had also been properly registered (a DNS lifetime of 4 months, according to the Armorblox Research Team), so email security solutions that look only at the legitimacy of domains would not have caught this vendor fraud attack. Email servers have no way to tell whether the sender address of an email is legitimate or spoofed, and look-alike domains can fool unsuspecting victims at a quick glance. The attacker deliberately made the sender name and domain long, hoping to trick victims who, depending on the device used to read the email, could see only the beginning of the sender address, Eddie Keyes <eddiemhlighting.com…>. By understanding the content and context of the email, Armorblox protected end users from this tricky craftsmanship, identified the low communication history between sender and receiver, and prevented this vendor fraud attack from landing in the customer's inbox.
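The three look-alike cases discussed above (waImart.com, countyoofnapa.org and the brand-new accpayable.com) and the low-communication-history signal can be checked mechanically on the receiving side. The following is an added example, not Armorblox's code or detection logic; the trusted vendor list, the contact-history table and the confusable-glyph table are constructed for illustration.

```python
# Added example, not Armorblox code: flag sender domains that are homoglyph or
# one-edit look-alikes of trusted vendor domains, then add a prior-contact check.
# Glyphs commonly swapped in look-alike domains; applied before lower-casing so
# an uppercase I collapses onto l (walmart.com vs waImart.com). Constructed table.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s"})
DIGRAPHS = (("rn", "m"), ("vv", "w"))


def skeleton(domain):
    """Canonical form in which visually similar glyph sequences coincide."""
    s = domain.translate(CONFUSABLES).lower()
    for pair, single in DIGRAPHS:
        s = s.replace(pair, single)
    return s


def levenshtein(a, b):
    """Edit distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted, max_distance=1):
    """'trusted' = exact vendor domain; 'lookalike' = homoglyph/near-miss of one
    (waImart.com, countyoofnapa.org); 'unknown' = resembles no trusted domain."""
    if domain.lower() in {t.lower() for t in trusted}:
        return "trusted"
    sk = skeleton(domain)
    for t in trusted:
        if levenshtein(sk, skeleton(t)) <= max_distance:
            return "lookalike"
    return "unknown"


def assess_sender(sender, trusted, history):
    """Findings for an inbound From address: domain verdict plus whether this
    mailbox has ever exchanged mail with the sender (the post's two signals)."""
    domain = sender.rpartition("@")[2]
    verdict = classify_domain(domain, trusted)
    findings = [] if verdict == "trusted" else [verdict + "-domain"]
    if verdict != "trusted" and history.get(sender.lower(), 0) == 0:
        findings.append("no-prior-communication")
    return findings


TRUSTED = ["walmart.com", "countyofnapa.org"]       # constructed vendor allow-list
HISTORY = {"purchasing@countyofnapa.org": 12}       # constructed: prior message counts
for addr in ["purchasing@countyoofnapa.org", "ap@waImart.com", "eddie@accpayable.com"]:
    print(addr, assess_sender(addr, TRUSTED, HISTORY))
```

A domain that is merely "unknown" is not proof of fraud, which is why the post pairs it with the absence of any prior conversation before blocking.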
