How to prevent vendor email compromise attacks

What is vendor email compromise?

Vendor email compromise attacks are when a malicious hacker attempts to impersonate or compromise a vendor's email account to deceive its customers. Customers receive emails that appear to be legitimate but, in reality, are fraudulent communications that request money, sensitive information or actions from the victim that could result in information that benefits the attacker.

VEC scams often include highly targeted phishing attacks against a vendor and its customer supply chain. These attacks have been on the rise in recent years and have cost businesses around the globe millions of dollars in losses. They also can heavily damage the reputation of the vendor and negatively affect the business relationships it has with its customers.

Vendor email compromise vs. business email compromise attacks

BEC attacks are similar, and the terms are often used synonymously. Both fall under the same umbrella, and both rely on social engineering and phishing. VEC and BEC fraud also have a similar goal, which is to manipulate victims into supplying the scammers with money or sensitive data.

Yet, BEC and VEC attacks differ in their scope and extent. BEC attacks target an organization's internal employees, namely those with access to financial accounts and systems. In a classic BEC example, an attacker disguised as the company CEO emails the company CFO or an employee with access to corporate bank accounts requesting funds be transferred to a third party -- and fast. Another BEC scenario might involve an attacker impersonating a company's third-party partner emailing the company's finance department to request an urgent payment for an invoice.

Vendor email compromise fraud, on the other hand, involves cybercriminals impersonating a trusted vendor or supplier network. Such attacks use compromised vendor accounts or create similar-looking email addresses to trick victims into providing financial or other confidential sensitive data or funds.

VEC scams are commonly more sophisticated than their BEC counterparts because the attacker conducts more research and relies on targeted information to seem more credible.

How VEC attacks work

VEC attacks vary depending on the targeted organization and how a threat actor approaches carrying out the attack. That said, most attacks follow a standard set of steps:

1. Comprehensive research.
2. Phishing attacks.
3. Account takeover and monitoring.
4. Attack execution.

1. Comprehensive research

In this stage, threat actors study the vendors they plan to exploit. VEC attacks are highly targeted compared to other email compromise attacks. As a result, threat actors comb through multiple sources to obtain information specific to the vendor they intend to target. This includes running an analysis of the business's revenue, other financial structures, customers that work with them, workflow processes and more.

The data obtained is commonly available through public resources, such as search engines and sales enablement tools. The attackers' goal is to build a profile about the intended target that mimics the vendor's partnerships and operational structure. This ensures any fraudulent email communications appear as legitimate as possible.

2. Phishing attacks

Once bad actors gather the information they need, they launch a series of phishing attacks against the target vendor's employees. The objective is to fool staffers into providing enough access information so the attacker can take over those email accounts.

This phase of the VEC lifecycle relies on malicious links and attachments designed to obtain the account information required for a takeover or, alternatively, to deploy malware to steal user email account information.

3. Account takeover and monitoring

If the phishing attacks are successful, attackers take over user accounts and create settings and forwarding rules that monitor the email inboxes for specific vendor information. This can include financial records, invoices, payment schedules and communications between the customer and vendors.

Once attackers understand the types of communications, email patterns and payment cycles that a vendor has with its customers, they copy the style and tone of that vendor to better convince its customers that the communication is legitimate.

4. Attack execution

Cybercriminals spend a lot of time and effort to carry out a full-scale VEC attack. Once attackers get a complete picture of how to deceive a vendor's customers, they move to the larger and targeted phishing campaign.

The purpose of these campaigns is to deceive customers into believing the email correspondence they are receiving comes from the vendor and not a scammer. These operations are often timed around billing cycles, where attackers can create fraudulent requests for payment. Such emails contain fake invoices or payment instructions with the goal of directing the customer to transfer money to them.

If a customer believes the emails are valid, they might follow the instructions and transfer funds to the attackers' account. Often, the attackers then disappear completely, leaving both the vendor and customer to deal with monetary losses. Other times, the criminals step up their attacks and target additional customers -- in the process, reaping even more financial gains.

How to detect and prevent VEC attacks

Organizations should take the following measures to detect and prevent vendor email compromise attacks:

• Monitor and filter email traffic. Most email service providers offer spam and phishing email filtering. Yet, relying on these filtering capabilities alone doesn't fully detect and prevent a VEC attack. Pair these with other tools, such as antimalware and email protection platforms from security vendors, to detect traffic anomalies more effectively.
• Conduct regular security awareness training. Focus on educating employees about phishing campaigns. Employees are a company's first line of defense against phishing and other email compromise attacks. Training helps employees spot phishing attempts and also gives them a path to notify IT and security teams in the event they receive a suspicious email. Also, consider phishing simulation campaigns to detect weaknesses and assess where further training is needed.
• Implement strict access and security controls. This includes using secure email gateways and other endpoint protection measures.
• Use email authentication technical controls. Implement DomainKeys Identified Mail, Sender Policy Framework, and Domain-based Message Authentication, Reporting and Conformance to authenticate emails and reduce spoofing risks.
• Require MFA. Use MFA, such as one-time passcodes or biometrics, to prevent attackers from accessing victims' email accounts, even if they have a valid username and password.

Amanda Scheldt is a security content writer and former security research practitioner.