

Understanding Financial Supply Chain Compromise


Lauryn Cash

Financial supply chain compromise can lead to millions of dollars in losses—and it can happen to anyone. Learn more about this critical security issue.


Regardless of the size of your business, you have a supply chain to maintain. Tangible or otherwise, many things flow to, from, and through your organization, including goods, information, and finances. Unfortunately, this last category is susceptible to an increasingly common cyberattack known as financial supply chain compromise.

Supply chain compromise of any type is a big deal, so big that the federal government is taking action against it. On May 12, 2021, President Biden signed Executive Order 14028, "Improving the Nation's Cybersecurity," which among other measures addresses software supply chain security.

Financial supply chain compromise, in particular, is a troublesome threat that continues to increase and can lead to thousands or even millions in monetary losses. This guide will look at this cyberattack, how it works, the four common types of financial supply chain compromise attacks, and how to protect end users and organizations from compromise.

What is Financial Supply Chain Compromise?

Financial supply chain compromise is a form of Business Email Compromise (BEC) in which threat actors impersonate third-party partners such as vendors or suppliers. The goal? To infiltrate the supply chain and trick employees into sending them money.

By impersonating a vendor the target already works with (or a plausible one it does not), bad actors can convince an accountant or AP clerk to complete a wire transfer, change the bank details on file, or pay a fake invoice.

These tactics can lead to financial loss for companies of any size. For example, according to the FBI's 2021 Internet Crime Complaint Center (IC3) report, reported BEC complaints accounted for almost $2.4 billion in adjusted losses, and that figure only includes the crimes that businesses reported.

While not all of these complaints were related to financial supply chain compromise, the lure of financial gain makes this threat a growing concern.

How Does a Financial Supply Chain Attack Work?

In the past, cybercriminals typically impersonated high-ranking internal employees (the "CEO fraud" style of BEC) to get a payment approved. More recently, malicious actors have shifted to posing as third-party vendors or consultants. This strategy turns out to be more effective because:

  • An accounts payable employee expects to hear from a vendor about an invoice far more often than from an executive, so the request looks routine
  • The average employee has no way to know every legitimate third-party contact, so an unfamiliar name at a familiar vendor does not raise suspicion

With these advantages, bad actors have compromised vendor accounts, or simply masqueraded as known contacts, to siphon money from organizations of every size.

Ultimately, financial supply chain attacks work because the employees behind the payments are human. Vendors and third-party contacts are trusted individuals across the companies they work with—and bad actors understand this.

Organizations need protection from financial supply chain attacks because bad actors take advantage of this trust. Adding an extra layer of email security protects against these targeted attacks by reducing human mistakes.

Types of Financial Supply Chain Compromise

While each type of financial supply chain compromise has the same objective—theft—the approach can vary. Broadly speaking, there are four varieties of financial supply chain attacks. Let’s take a brief look at each of them.

Vendor Email Compromise

Perhaps the most common form of financial supply chain attack, vendor email compromise (VEC), occurs when a threat actor gains access to a vendor's real email account. With that account, the attacker can read and hijack the vendor's existing business workflows: quotes, purchase orders, invoices, and any other supplier-related communication.

Sitting inside a trusted account, the attacker can reply to an existing payment thread with a request for payment and a new set of banking details, or send "updated" banking information ahead of the next invoice. Because the message arrives in a legitimate, ongoing workflow, the fraudulent request inherits the vendor's credibility, and the result is wire fraud.

Vendor email compromise is hard to recognize because the email really does come from the trusted source; sender authentication such as SPF, DKIM, and DMARC passes, since the mail is sent by the vendor's own systems. Detection has to rely on other signals: comparing the message's language, tone, and requests against that vendor's previous communications, and treating any change in payment details as high risk. The operational control that backs this up is out-of-band verification: confirm every banking change by phone using a number already on file, never one supplied in the email.

Vendor or Third-Party Impersonation

Vendor or third-party impersonation is a slightly different form of attack. Instead of taking control of a vendor’s account, a cybercriminal pretends to be a vendor, consultant, or supplier by mimicking them. Attacks can target unsuspecting victims by impersonating trusted sender emails and domains:

  • Look-alike domains: Bad actors register domains that resemble a vendor's real domain to borrow the credibility of a known brand. Intentionally misleading, look-alike domains give victims a false sense that they are interacting with the legitimate company, often leading to the theft of user credentials or sensitive business data. A typical trick is swapping one character for a visually similar one, for instance an upper-case I in place of a lower-case l, which is very hard to notice in most fonts. Because the attacker owns the look-alike domain, they can configure SPF, DKIM, and DMARC for it, so the message passes authentication checks.
  • Header spoofing: Here the attacker uses a bulk mail service such as SendGrid, or any other provider, to send mail whose From header appears to come from an individual or brand the recipient knows. In practice this usually means forging the display name (for example, putting the vendor's name or even the vendor's email address in the display-name portion) while the actual sending address belongs to the attacker, since exact spoofing of the vendor's own domain is blocked when that domain enforces DMARC. Email clients frequently show only the display name, so if victims see a name they recognize, they are more likely to trust the message and engage. Unfortunately, this leads to unsuspecting victims clicking malicious links in the email body, opening malware attachments, or sending sensitive data.
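
The two impersonation techniques above can be checked mechanically before a human ever sees the message. The following is an added example, not Armorblox code: it folds a sender domain to a "skeleton" in which confusable characters (I/l/1, 0/o, rn/m) are normalized and compares it against a hypothetical list of known vendor domains, and it inspects the From, Reply-To, and Authentication-Results headers for the display-name spoofing pattern described in the second bullet. The vendor list, the `.example` domains, and the four sample messages are all constructed for the example.

```python
"""Triage checks for vendor-impersonation email: look-alike sender domains and
spoofed From headers. Added example with constructed messages, not Armorblox code."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical list of domains your accounts-payable team actually does business with.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Characters that read alike in common fonts, folded to one canonical letter.
# Domains are case-insensitive, so an upper-case I becomes i and then l.
CONFUSABLES = str.maketrans({
    "i": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e",
    "2": "z", "4": "a", "7": "t", "8": "b", "9": "g",
})
MULTI_CHAR_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(domain: str) -> str:
    """Fold a domain to the shape a reader perceives at a glance."""
    s = domain.lower()
    for seq, rep in MULTI_CHAR_CONFUSABLES:
        s = s.replace(seq, rep)
    return s.translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known=KNOWN_VENDOR_DOMAINS):
    """Return the vendor domain that `domain` imitates, or None.
    The real vendor domain itself is never reported as a look-alike."""
    domain = domain.lower()
    if domain in known:
        return None
    sk = skeleton(domain)
    for vendor in known:
        # Identical skeleton (homoglyph swap) or one edit away (typo-squat).
        # Distance 1 can also match an unrelated, genuinely similar domain:
        # treat it as a signal for review, not proof of fraud.
        if levenshtein(sk, skeleton(vendor)) <= 1:
            return vendor
    return None


def triage(raw_message: str) -> list:
    """Return findings for one RFC 5322 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []

    vendor = lookalike_of(from_domain)
    if vendor:
        findings.append(f"lookalike-domain:{from_domain} imitates {vendor}")

    # Display name carries an address at a different domain than the real sender:
    # the classic header spoof. A bulk-mail relay delivers this with SPF, DKIM and
    # DMARC all passing for the relay's own domain, so authentication alone won't catch it.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if m and m.group(1).lower() != from_domain:
        findings.append(f"display-name-mismatch:{m.group(1).lower()} vs {from_domain}")

    if reply_addr:
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            findings.append(f"reply-to-mismatch:{reply_domain}")

    # Exact-domain spoofing of a real vendor shows up as a DMARC failure. Only trust
    # the Authentication-Results header your own gateway writes; strip inbound copies
    # at the edge, because a sender can forge one.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain in KNOWN_VENDOR_DOMAINS and "dmarc=pass" not in auth:
        findings.append("vendor-domain-without-dmarc-pass")
    return findings


# Constructed sample messages (reserved .example domains, not real mail).
SAMPLES = {
    "legit": (
        "From: Acme Supplies Billing <ap@acme-supplies.example>\n"
        "Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass\n"
        "Subject: Invoice 4471\n\nAttached.\n"
    ),
    "homoglyph": (  # capital I in place of the l in "supplies"
        "From: Acme Supplies Billing <ap@acme-suppIies.example>\n"
        "Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass\n"
        "Subject: Updated wire instructions\n\nPlease use the new account below.\n"
    ),
    "display_name_spoof": (
        'From: "ap@acme-supplies.example" <billing@mail-relay.example>\n'
        "Reply-To: payments@freemail.example\n"
        "Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass\n"
        "Subject: Overdue invoice\n\nWire today.\n"
    ),
    "exact_domain_spoof": (
        "From: Acme Supplies Billing <ap@acme-supplies.example>\n"
        "Authentication-Results: mx.corp.example; spf=fail; dkim=none; dmarc=fail\n"
        "Subject: Change of bank details\n\nSee attached.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20} {triage(raw) or 'clean'}")
```

Note what each sample teaches: the homoglyph and display-name cases pass SPF, DKIM, and DMARC, so only the content checks catch them, while the exact-domain spoof is caught precisely because the impersonated vendor enforces DMARC. The skeleton comparison is deliberately simple; a production filter would also reduce the sender to its registrable domain so that a vendor name buried in a subdomain of an attacker-owned domain is not missed.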

These tactics can be tricky for humans to recognize and can often be missed with a simple eye test, especially since email clients often hide a sender’s full email address. In addition, messages seen on mobile can be particularly challenging due to screen size and formatting differences.

Keep in mind that vendor or third-party impersonation can also occur via text, phone call, DM, or fax.

Third-Party Reconnaissance Attacks

Third-party reconnaissance is similar to an impersonation attack in that it involves mimicking a vendor or third-party contact, but there’s an extra step.

Before an attacker can successfully convince their target that they are who they say they are, they have to gather information to seem legitimate. This can involve social engineering, network probing, and even physical surveillance tactics. If the threat actor can’t use these methods, they’ll typically turn to publicly available content to learn how to mimic the vendor. This act of doing research is where the “reconnaissance” part comes in.

Once an attacker is confident in their mimicking abilities, they’ll contact their target.

Because third-party reconnaissance attacks rely on public information, you can make them harder by keeping vendor partnerships and past contracts out of public view. Unfortunately, some data will always be public (press releases, case studies, job postings, and staff profiles, for example), which is why an email security solution that judges each message on its own merits matters against these targeted attacks.

Blind Third-Party Attacks

With a blind third-party attack, the cybercriminal does not know whether a customer-vendor relationship exists at all. This lack of information sets the blind attack apart from the varieties described above: in those cases, the attacker knew a relationship existed, even if they did not know the current status of accounts payable.

Essentially, blind attacks are a shot in the dark—a vaguely official-looking email with a request for money. Bad actors impersonate well-known vendors or third-party contacts that might reasonably have an existing relationship with the target organization or end user.

Guard Against Financial Supply Chain Compromise Attacks With Armorblox

Businesses of all sizes often deal with dozens of vendors daily, and finances are a frequent topic of conversation. Most third-party communications will be completely benign, whether a quote, an invoice, or a request to modify accounting details – but some of them won’t be.

Armorblox automatically identifies compromised accounts by continuously monitoring over 50,000 vendors in communication across organizations. Immediately pinpointing vendor and supply chain attacks prevents end users from receiving email communications from compromised vendor or third-party accounts, protecting organizations from becoming victims of financial loss.

Take our short product tour to learn more about how Armorblox protects organizations from vendor and supply chain attacks.
