Table of contents

    5 Supply Chain Attacks That Started with a Phishing Email & How to Prevent Them

    Phishing is the most common attack vector and played a part in over a third of all breaches in 2021. One area where this type of attack is particularly on the rise is in the supply chain. By breaching one organization and exploiting its third-party connections, attackers can access dozens, or hundreds, of others.

    When attackers use phishing to target a supply chain, they often employ spear-phishing and social engineering techniques to make emails appear like they came from someone the recipient knows and trusts. In these vendor email compromise (VEC) attacks, bad factors follow a similar pattern:

    • First, cybercriminals launch a phishing attack targeting a vendor’s email accounts.
    • Next, they take over compromised accounts and forward all messages to themselves.
    • For days or weeks, they observe email traffic to understand how to mimic legitimate transactions successfully.
    • Finally, they begin sending fraudulent invoices to the vendor’s customers, with payment directed to their bank accounts.

    A comprehensive approach to securing an organization’s third-party communications is critical to prevent these attacks. By looking at how some of the most significant VEC attacks unfolded and what made them successful in the first place, security leaders can identify and employ the right protection strategies for their organizations.

    1. Over 500 Companies Hit by VEC Attack Ring Silent Starling

    Silent Starling, one of the most massive VEC attack rings, was discovered in mid-2019. The group based in Lagos, Nigeria, would send credential phishing attacks, take over email accounts belonging to employees within a targeted company’s finance department, and use those legitimate email accounts to trick an organization’s customers into paying fraudulent invoices.

    The attackers collected credentials from over 700 employees across 500 companies, with nearly all victims residing in three countries, the United States, Canada, and the United Kingdom. Most often, to steal credentials, the group would link phishing sites that mimicked voicemail and fax notifications, as well as Microsoft OneDrive or DocuSign login pages.

    The speed at which they were able to operate was notable. In one case, just between September 2018 and March 2019, a company was targeted by five separate phishing attacks. 39 accounts were compromised, including those belonging to branch managers, sales account executives, human resources employees, billing specialists, business consultants, and a senior executive.

    2. General Electric Employee Data Exposed After Third-Party Data Breach

    General Electric (GE), an organization with 205,000 employees across its subsidiaries, was also the target of a third-party vendor compromise. Between February 3 and 14, 2020, cybercriminals gained access to computers at one of its partners, Canon Business Process Services, which handles document processing and accounts payable for many large corporations.

    The bad actors managed to take over a Canon email account following a successful phishing attack. They were thus able to access sensitive information on current and former GE employees and beneficiaries, including birth and death certificates, direct deposit forms, tax forms, and driver’s licenses.

    While GE’s systems were never breached, bad actors gained access to a considerable amount of information that could be sold in underground criminal forums or used for targeted phishing attacks.

    3. Phishing Attack on Managed Health Services Vendor LCP Transportation

    Managed Health Services (MHS) of Indiana Health Plan found itself in a similar position as GE in 2018. Several employees at one of their vendors, LCP Transportation, responded to targeted phishing emails that gave cybercriminals remote access to their accounts for over a month. Information in these email accounts included names, insurance ID numbers, addresses, dates of birth, dates of service, and medical conditions. In all, the breach affected some 31,000 MHS policyholders.

    4. 110M Target Consumers Affected After Vendor Breach

    One of the most significant supply chain attacks was the one against Target in 2013, exposing the credit card and personal data of more than 110 million customers. The attackers sent malware-infected phishing emails to a Target HVAC subcontractor, Fazio Mechanical Services. This way, they were able to gain access to Target's network using stolen vendor credentials. From there, they were able to also steal 40 million credit and debit records, a data breach that ultimately required Target to pay an $18.5 million settlement.

    5. Trezor Cryptocurrency Wallet Holders Attacked After Mailchimp Compromise

    Email marketing company Mailchimp was the victim of a successful social engineering phishing attack in early 2022. The attack enabled cybercriminals to access over 300 Mailchimp accounts and export the mailing lists of 102 accounts.

    One of Mailchimp’s clients, cryptocurrency wallet company Trezor, had its mailing list stolen and used to send out fake emails that its servers had been hacked, and that users had to update their Trezor Suite, as well as set up a new PIN, complete with a link. The link and what users subsequently downloaded was malware that gave attackers full access to the victim’s wallet.

    How to Mitigate the Risk of a Supply Chain Phishing Attack or VEC

    While organizations might not be able to completely eliminate supply chain attacks, there are steps they can take to reduce their risk of VEC attacks significantly.

    Vet Vendors 

    It is not uncommon for companies to develop a level of trust where they don’t vet their supply chain. However, if organizations cannot vet and verify their suppliers' business practices, they take a significant risk.

    Mapping out all connections for an organization is a wise exercise in understanding potential ways a bad actor might find their way in and where an organization needs to focus its efforts on lessening risk.

    In addition, all vendors should be audited for their access to the network and whether that access is necessary. Limiting supplier access and application privileges can help prevent a VEC attack.

    Organizations should also consider what security audits and certifications a vendor may be subject to (i.e., PCI for payment processors, SOC 2/2+/3 for cloud providers, etc.). Assessing these can indicate whether the supplier takes security and adherence seriously or not.

    Invest in Security Awareness Training

    Bad actors are constantly changing their phishing attack tactics, and when organizations do not offer their employees regular cybersecurity awareness training, they increase their attack surface. Employees can play an essential role in protecting an organization’s data and processes from compromise. If they are informed about the latest social engineering attack methods or email threats, they will know what to look out for, what to do, and what not to do.

    Adopt Machine-Intelligent Email Security Solutions

    An effective supply chain attack protection depends on having the right email security solution. Because VEC attacks are highly-targeted and do not include traditional indicators of attack, implementing a secure email gateway is not enough. This traditional defense method cannot protect against sophisticated attacks that rely on social engineering.

    Mitigating compromised supply chain risks requires a new approach to securing an organization’s third-party digital communications. A machine-intelligent email security solution can detect and stop threats before they even reach employee inboxes. These solutions use a multi-layered analysis approach (attack surface, relationships and behavior) to identify and stop advanced phishing and other other emerging cyber threats at first sight.

    To find out more about how you can protect your organization against supply chain attacks, download for free The Clear & Complete Guide to Smarter Email Security: