What Is Vendor Email Compromise?

Everything you need to know about protecting your organization from VEC attacks and supply chain fraud.

What Is Vendor Email Compromise?
Three Types of Vendor Fraud Attacks
How Bad Actors Look to Exploit Vendor Business Workflows
The Broader Picture: Supply Chain Attacks
How Does Supply Chain Fraud Work?
Best Practices for Mitigating Supply Chain Attacks
Why Traditional Cybersecurity Solutions Fail to Detect Sophisticated Vendor Fraud Attacks


You may know what BEC (Business Email Compromise) is, but have you heard of VEC (Vendor Email Compromise)? If your business transacts with vendors to supply products or services, VEC is a sophisticated cyberthreat you need to know about.

In this article, we’ll cover everything you need to know about Vendor Email Compromise attacks and take a broader look at Supply Chain Attacks and best practices to mitigate these threats.

What Is Vendor Email Compromise?

Vendor Email Compromise (also known as Vendor Impersonation Fraud) happens when a cybercriminal takes over a recognized vendor’s legitimate email account. This takeover fools an organization’s employees into making payment information changes that ultimately benefit the criminal.

Fraudsters redirect money to bank accounts they control, convince targets to disclose sensitive information, and make them pay fake invoices. Once criminals take control of real accounts, it’s relatively easy to continue their illegal activities unabated. Supply chain partners are also at risk as these fraudulent emails can infiltrate entire industries.

VEC attacks don’t require more tradecraft to execute than standard BEC attacks but require the cybercrook to invest more time in its implementation. However, with great patience comes great reward: successful VEC attacks can inflict widespread damage to a business, its partners, customers, and other key stakeholders.

Three Types of Vendor Fraud Attacks

Bad actors deploy three main types of tactics across targeted vendor fraud attacks. These include creating legitimate domains to bypass incumbent security tools, spoofing trusted vendor contacts, or through a takeover of a vendor or third-party contact’s account.

  1. Look-Alike Domains

    Bad actors register look-alike domains aimed to impersonate companies to leverage the credibility of well-known brands. Intentionally misleading, look-alike domains can provide victims with a false sense of trust that they are interacting with a legitimate brand. This often leads to the exfiltration of user credentials or sensitive business data. For example, walmart.com and waImart.com (the second one has an uppercase i instead of a lowercase L - easily missed by the human eye.)

  2. Header Spoofing

    With header spoofing, an attacker uses a mail service like SendGrid to spoof the mail header to make it look like the message came from a trusted individual or brand. In these attacks, bad actors forge email headers so that email software displays the fraudulent address of the sender. If victims see a name that they recognize, they are more likely to engage with it and trust the email came from a legitimate source. This can lead to unsuspecting victims clicking on malicious links within the email body or attachments, opening malware attachments, or sending sensitive data.

  3. Account Compromise

    An account compromise happens when bad actors gain access to legitimate accounts to exfiltrate data, steal credentials, or for financial gain. When vendor accounts are compromised, the takeovers result in attackers hijacking business email workflows for various vendor- or supplier-related communications.

How Bad Actors Look to Exploit Vendor Business Workflows

There are several vendor business workflows that bad actors look to exploit, and preventing these workflows from compromise requires language-based email security solutions.

Compromised email workflows can include:

  • Hijacking email threads

  • Sending documents that require logins

  • Using compromised accounts to steal wire transfer payments

A language-based email security solution like Armorblox utilizes natural language understanding and machine learning to understand the context and content of these communications, protecting you against these attempts.

After a successful account takeover, bad actors aim to exploit everyday vendor-related business workflows that mimic communications commonly exchanged with trusted vendors, such as:

  • Sending an email from the compromised vendor account with information on a new distribution list or email address that must be used for all subsequent communications, resulting in all ongoing communications going directly to the bad actor’s preferred email address.

  • Sending a link to documents that requires a login to view, leading to sensitive user credentials being compromised.

  • Hijacking an email thread regarding an invoice awaiting payment with updated bank number and account information, resulting in payment fraud as soon as the money is successfully sent to the bad actor’s personal bank account.

  • Sending an email from the compromised vendor account containing new instructions for wire transfers, leading to wire fraud and all subsequent payments being made directly to the bad actor versus the legitimate vendor.

The Broader Picture: Supply Chain Attacks

Vendor email compromise is a form of supply chain attack (also known as supply chain fraud). Supply chain attacks occur when a cybercriminal gains access to your data or network through a trusted vendor, partner, or application that has access to your system.

This “back door” method of entry can be challenging to detect and trace, leaving many businesses nervous about just how secure their critical data is. In addition, smaller companies may be more at risk due to suboptimal security protocols.

As companies invest in more tools to defend against cyberthreats, hackers are staying one step ahead. Tools and resources to crack systems are more accessible than ever for threat actors, and supply chain fraud has become an effective and lucrative way to target not just one but hundreds or thousands of targets at once.

Targeting software developers and suppliers has become the path of least resistance for instituting a supply chain hack. When hackers have access to software updates, source codes, or build processes, they can infect legitimate apps with malware, creating a never-ending chain of attack surfaces.

Common types of supply chain attacks include:

  • Vendor email compromise

  • Third-party software updates

  • Application installers

  • Pre-installed malware on connected devices

  • Compromised code placed into firmware or hardware components

How Does Supply Chain Fraud Work?

While not necessarily easy to implement, the process of supply chain fraud is genius in its simplicity.

Phase 1: Planting

Attackers hunt for unprotected networks, server infrastructures, and unsafe coding techniques. They break in, change source codes, and hide malware in build and update processes.

Phase 2: Lying in Wait

Even legitimate software developers and vendors are usually unaware that their apps are infected with malware when they release updates to the public. The hidden malicious code then runs with the same trust and permissions as the app, since the updates and apps are certified.

Phase 3: Payoff

The malware is then unwittingly spread through the entire supply chain, enabling hackers to infiltrate additional networks to attain email addresses, login credentials, and other forms of PII (personally identifiable information). This sensitive data allows them to double down on additional cyberattacks like ransomware, BEC, and spear phishing.

Best Practices for Mitigating Supply Chain Attacks

What’s the best way to lessen the likelihood of being victimized by supply chain fraud? Follow these four best practices.

  1. Implement the Principle of Least Privilege

Excessive permissions make supply chain attacks easier to execute. Instituting the principle of least privilege ensures that the minimum number of people in your organization access your company’s critical data. Access to sensitive information should be granted on a “need-to-know” basis.

  1. Perform Network Segmentation

Like the principle of least privilege, entities outside your organization do not need access to all the sensitive information in your network. Network segmentation breaks your system into zones based on necessary business functions. If a supply chain attack compromises part of your network, the rest of the network remains protected.

  1. Adhere to Cybersecurity Best Practices

In case you needed another reminder, cybersecurity best practices are a crucial part of your overall security strategy. These include:

  • Monitoring your network for external vendor access

  • Practicing regular patch management

  • Keeping a current asset inventory system

  • Maintain strong password policies

  • Allow only authorized apps to be installed

  1. Use Email Security Software

Last but certainly not least, effective email security software is worth its (figurative) weight in gold. Not only does it spot suspicious emails and activity, but it can remediate cyberthreats exponentially faster — and more accurately — than humans can.

Why Traditional Cybersecurity Solutions Fail to Detect Sophisticated Vendor Fraud Attacks

Vendor Email Compromise can be difficult to detect and prevent, damaging your finances and your business. Protecting your company against vendor email fraud can be challenging, but consistently using the right strategies and tools can help defend your reputation, vendor relationships, and, ultimately, your bottom line.

Traditional cybersecurity solutions fail to catch these new VEC attacks because:

  • Detecting a suspicious login attempt or IP address are noisy signals that usually don’t warrant standalone enforcement policies. For example, someone logging in via a VPN or while traveling can trigger false alarms.

  • Detecting look-alike domains takes a lot of work with legacy solutions - whether it is an internal or external brand impersonation. It requires a lot of rules to be written and blocklists to be maintained and updated.

  • Reading and analyzing the content and context of an email exchange is a manual process. Only an NLU platform trained on a large, accurately-labeled dataset can automate this process. Additionally, the platform would have to constantly retrain and easily classify what’s important, which is no easy feat.

Vendor Email Compromise can be difficult to detect and prevent, damaging your finances and your business. Protecting your company against vendor and supply chain fraud can be challenging, but consistently using the right strategies and tools can help defend your reputation, vendor relationships, and, ultimately, your bottom line.

To learn more about how Armorblox stops VEC attacks, take a 5-minute product tour.

Related Resources

Whitepapers, videos, solution briefs, and more!