Vendor Email Compromise (VEC) Explained
Definition, How VEC Attacks Work and Protective Measures.
You may know what BEC (Business Email Compromise) is, but have you heard of VEC (Vendor Email Compromise)? If your business transacts with vendors to supply products or services, VEC is a sophisticated cyberthreat you need to know about.
Vendor Email Compromise (also known as Vendor Impersonation Fraud) is a relatively new type of email scam that has taken Business Email Compromise (BEC) to a whole new level of sophistication. As the name suggests, in this type of cyberattack, the threat actors prey on employees working at vendor companies.
Vendor Email Compromise, New Milestone in the Evolution of BEC Attacks
Traditionally, a BEC attack is based upon what is commonly referred to as CEO fraud or the impersonation of an upper or middle-management employee. In this case, fraudsters contact their “colleagues” from the financial department, requesting an urgent payment and providing all the necessary details for the money to be transferred. Since the email comes from a superior and the message is transmitted with a sense of urgency, employees are likely to fall for this scam, being completely unaware the money will end up in a cybercriminal’s account.
And now, through this social engineering tactic, impostors are targeting a new niche: vendors.
More precisely, scammers are preying on employees working in a vendor’s finance department, with the ultimate goal of gathering intelligence on customers they interact with.
VEC attacks do not require any more hacking skill than classic BEC attacks, but they do require the malicious actors to invest considerably more time in carrying them out. That patience pays off for them: successful VEC cyberattacks can cause significant damage to a company’s partners, clients, and other key stakeholders.
How Do Vendor Email Compromise Attacks Work?
As I’ve briefly mentioned above, both BEC and VEC scams are based on social engineering. What sets them apart is that VEC attacks target a supplier’s customers, who receive realistic-looking payment requests for an actual service they expect to pay for.
But how do VEC scams actually work?
Since they are highly elaborate schemes, they are conducted through multiple stages. Below you can see the main phases of Vendor Email Compromise attacks:
| Attack phase | Description |
|---|---|
| Phase 1 | The first phishing wave / Target: vendors |
| Phase 2 | Account takeover |
| Phase 3 | Inbox monitoring |
| Phase 4 | The second phishing wave / Target: the vendors’ customers |
Phase #1. Credential stealing through phishing campaigns
Phishing is a malicious technique based on deception, used to steal sensitive information (credit card data, usernames, passwords, etc.) from users. The attackers pretend to be a trustworthy entity (usually by copying the look and feel of a big brand) to trick the victims into revealing their confidential data. If a phishing attack is successful, it means that malicious third parties managed to gather private data.
The phishing emails might pose as popular business applications, a practice commonly employed by cybercriminals. You may be wondering who falls for these email scams in the first place. Those who have not received basic cybersecurity training may click malicious links and enter their login credentials without checking whether the sender and landing page are legitimate. What’s more, they are often not using the proper tools to protect their business from phishing attacks.
Phase #2. Taking over the compromised accounts
During this stage, the attackers first access the hacked employee accounts and look for significant vendors who could be impersonated.
Secondly, they set up email rules to forward, or even redirect, copies of all incoming emails from the respective vendors to the scammers’ inboxes. Once these rules are in place, victims are unlikely to notice any signs that someone is spying on their email accounts, so the cybercriminals can continue their activity for a long time and evade detection.
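The forwarding and redirect rules described in Phase 2 are one of the few artefacts a defender can audit directly. The following is an added example (not code from the original article or from Heimdal) that flags rules forwarding to external addresses, hiding mail in rarely viewed folders, or triggering on payment keywords; the rule dictionary shape, the `vendor.example` domain and the sample rules are constructed assumptions rather than any mail provider's real export format.

```python
# Added example (not from the original article): audit a mailbox's rules for the
# forwarding/redirect and hiding patterns described in Phase 2. The rule format
# is a constructed, simplified dictionary shape, not a specific mail provider's API.
INTERNAL_DOMAIN = "vendor.example"  # constructed placeholder for your own domain

# Folders commonly chosen to hide mail that has already been forwarded elsewhere.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items"}
PAYMENT_TERMS = {"invoice", "payment", "wire", "remittance", "iban", "swift", "bank"}


def is_external(address, internal_domain=INTERNAL_DOMAIN):
    """True when the address' domain is not the organisation's own domain."""
    return address.rsplit("@", 1)[-1].lower() != internal_domain.lower()


def suspicious_rules(rules, internal_domain=INTERNAL_DOMAIN):
    """Return (rule_name, reason) pairs for rules that deserve an analyst's look."""
    findings = []
    for rule in rules:
        reasons = []
        for action in ("forward_to", "redirect_to"):
            external = [a for a in rule.get(action, []) if is_external(a, internal_domain)]
            if external:
                reasons.append(f"{action} external address(es): {', '.join(external)}")
        folder = rule.get("move_to_folder", "")
        if folder.lower() in HIDING_FOLDERS:
            reasons.append(f"moves matching mail to '{folder}'")
        if rule.get("delete_message"):
            reasons.append("deletes matching mail")
        # Marking mail read is only telling when combined with exfiltration or hiding.
        if rule.get("mark_as_read") and reasons:
            reasons.append("marks mail as read, hiding it from the owner")
        keywords = {k.lower() for k in rule.get("conditions", {}).get("contains", [])}
        if keywords & PAYMENT_TERMS:
            reasons.append("triggers on payment-related keywords")
        if reasons:
            findings.append((rule.get("name", "<unnamed>"), "; ".join(reasons)))
    return findings


# Constructed sample rule set: one benign rule and two that match the VEC pattern.
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"from": ["news@"]}, "move_to_folder": "Newsletters"},
    {"name": ".", "conditions": {"contains": ["invoice", "payment"]},
     "forward_to": ["acct.review@freemail.example"], "mark_as_read": True,
     "move_to_folder": "RSS Feeds"},
    {"name": "Sync", "redirect_to": ["backup@vendor.example", "drop@mail.example"]},
]
```

A single-character rule name such as "." is itself a common sign of a rule created to be overlooked; the checker reports it with the reasons found.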
Phase #3. The waiting game begins
VEC attacks are based on lengthy processes, during which cybercriminals harvest as much sensitive information as they need to in order to be able to masquerade as real vendor representatives. This is one of the main differences between VEC and BEC since the latter usually takes advantage of an individual’s innate tendency to respond to urgency.
During this phase, fraudsters are trying to figure out information such as:
- Vendor’s customers
- Invoice look and feel
- Customer payments due dates
- Due amounts
- Customer contacts responsible for payments
A high volume of emails floods their inbox, so these scammers are most probably using automatic tools to identify keywords related to payments and invoices rather than manually looking at each email.
Phase #4. Spear phishing emails are sent to the vendor’s customers
After cybercriminals have gathered enough information from the compromised accounts, they will start the next phase of the Vendor Email Compromise attack: crafting authentic-looking spear-phishing emails and sending them to the vendor’s customers. Just like in a standard BEC attack, the goal is to trick the victim into transferring money to the fraudster’s account.
VEC attackers need to get three primary aspects right for the scam to succeed:
- Vendor identity – The vendor-side employees responsible for customer billing need to be correctly identified. They can then be impersonated in three ways:
  - The fraudster logs into the compromised account directly.
  - The victim’s email address is spoofed.
  - The attacker registers a domain that looks very similar to the vendor’s official domain.
- Email content – VEC scammers do their best to mimic the way a vendor representative writes an email so as to appear more genuine, and may even copy their email signature.
- Timing – Attackers send payment requests on the same dates that past invoices were due, so as not to arouse suspicion.
A Comparison Between VEC and BEC
How is Vendor Email Compromise different from Business Email Compromise and how are they similar?
Below you can find a quick comparison between VEC and BEC:
In both cases, attackers need access to a business email account or use spoofed email addresses to trick their targets into transferring money to their bank accounts.

| Business Email Compromise (BEC) | Vendor Email Compromise (VEC) |
|---|---|
| A traditional BEC attack takes place inside the targeted organization. Example: the fraudster, impersonating the CEO, asks someone from the organization to make a payment. | Attackers break into the vendor’s email accounts and target their customers. Ironically, the initial target (the vendor) will not be affected financially at all. Example: the fraudster, impersonating an employee who works in the vendor’s financial department, sends a fake invoice to the customer. |
| Usually, attackers collect information about their targets from social media and other publicly available online sources. | Based on multiple stages, during which the attacker gathers relevant information about the target so they can perfectly imitate them (i.e. the way the targeted employees formulate emails, email endings, email signature, etc.). |
| Scammers use a sense of urgency in their communication with the targeted customer. | VEC attacks require extreme patience. Attackers do an extensive amount of research to find out as much valuable information as they can about their targets. |
How to Protect Your Business from Vendor Email Compromise Attacks
Naturally, VEC attacks are quite difficult for anyone to identify, whether you work for the vendor or for the customer. These attacks can go on for months without being detected. And since traditional cybersecurity solutions are not able to pick up these types of advanced threats, it takes a mix of human vigilance and the right security tools to prevent them and stop them before they damage your organization.
So, how can Business/Vendor Email Compromise be avoided?
1. Train your employees!
First, your staff should be able to identify the tell-tale signs of phishing (a suspicious sender email address or URL, a sender asking them to “update” their credentials or “verify” their identity, etc.). This basic knowledge can be built up through regular cybersecurity training, so make sure all your employees are on the same page when it comes to identifying phishing and other types of cyberattacks. Secondly, your organization should use a next-gen proactive antimalware solution that blocks malicious links even if your employees accidentally click them.
2. Implement multi-factor authentication methods
Let’s suppose your employees could not tell they were a victim of a phishing attack and that you were not using the right cybersecurity solution that could have prevented the attack.
After obtaining your employees’ credentials, attackers will now try to log in to their email accounts. So, a good method to prevent unauthorized access is multi-factor authentication. I’ve extensively written about password security best practices here, so feel free to check out this guide as well.
3. Constantly review your cybersecurity policy
Your mandatory training should be accompanied by a cybersecurity policy, so make sure you have one in place and update it whenever necessary. Don’t just keep an antiquated one that becomes obsolete as cyber threats develop. Your company’s cybersecurity policy should cover best practices that everyone must follow, as well as actionable steps your employees must take at the first signs of compromise.
What’s more, don’t forget about your remote employees. Your cybersecurity policy should have a section specially dedicated to remote workers, who may sometimes be at higher risk than your on-site staff. I encourage you to also take a look at the guide in which I explain what the cybersecurity issues with remote work are and how to address them.
4. Use a next-generation email fraud protection solution
There are certain advanced threats that can’t be detected and blocked by traditional spam filters. A standard email security solution will not be able to identify business email compromise: fake money-transfer requests, CEO impersonation/impostor emails, malicious content in historical emails, spoofed emails, etc.
This is why we’ve developed Heimdal™ Email Security, an email security solution specifically designed to quickly detect fraud and fake invoices, helping you save time and skip manual background checks.
Heimdal™ Email Security works as an add-on to existing spam filter solutions. It scans email content and attachments for fraudulent account numbers, invoice modifications, and signs of impostors. It is based on Artificial Intelligence that detects the signs of the most advanced cyber threats. Furthermore, it uses more than 125 vectors of analysis and is fully coupled with live threat intelligence to find and stop Business Email Compromise, CEO fraud, phishing, and complex malware. It is also backed by a live 24/7 anti-fraud specialist team.
Heimdal™ Email Security is the only next-gen email security solution in the world connected to bank systems, capable of cross-checking IBANs and account numbers against money mule accounts.
Heimdal® Email Security
- Completely secure your infrastructure against email-delivered threats
- Deep content scanning for malicious attachments and links
- Block phishing and man-in-the-email attacks
- Complete email-based reporting for compliance and auditing requirements
Business Email Compromise is one of the fastest-growing threats of today’s threatscape. As cybercriminals continue to improve their attack techniques to better evade detection, it becomes increasingly harder for you to keep your confidential data and money safe.
If you are a vendor, train your employees to be extra cautious when establishing any kind of contact with both your customers and internal stakeholders. If you are a company engaged in business relationships with vendors, the same rules apply. Without a doubt, you can never be too careful, as you never know where malicious actors and advanced cyber threats may be hiding. Yet, the good news is that your business can and will remain protected and competitive if you take into account all the necessary preventive measures.
This article was originally published by Bianca Soare in October 2019 and was updated by Antonia Din in May 2022.