How to Prevent Vendor Email Compromise (VEC) Attacks

Vendor email compromise (VEC) is a particular type of business email compromise (BEC)—a large subset of cyberattacks that involve the spoofing or impersonation of a business email address in order to defraud the company and its employees, clients, or partners. BEC attacks can take many different forms, and VEC is among the most sophisticated.

VEC attacks involve high levels of social engineering, with bad actors going to great lengths to trick companies into making payments. Just between July 2020 and June 2021, there has been a 156% increase in the number of companies that had faced a VEC attack. This constant barrage of VEC attacks is already taking a massive financial toll. The FBI reported that socially-engineered email attacks caused $2.1 billion in lost revenue in 2020 alone.

Falling victim to such email attacks can be debilitating for any organization. Not only does the company lose the money, but they can also experience reputational damage and operational losses. Protecting against these types of threats should be a top priority for any company.

How Vendor Email Compromise Attacks Work

VEC attacks are highly elaborate and detail-oriented, and often take weeks or months to unfold. The attackers strive to perfectly imitate vendors, increasing their chances of tricking users into paying fraudulent invoices. Most VEC attacks take on a similar pattern:

• First, the cybercriminals launch a phishing campaign to compromise a vendor’s email accounts.
• Second, they take over compromised accounts and forward all messages to themselves.
• Third, they observe the vendor’s email activity to allow for successful imitation.
• Fourth, they send fraudulent invoices to customers and ask for the money to be sent to a bank account under their control.

Stage 1: Credential Stealing through Phishing Campaigns

The first step for VEC attackers is to infiltrate the vendor’s email accounts. They can achieve this by employing several phishing campaigns. First, the attackers identify a wide list of potential targets, all companies that sell products or services to other businesses. Then, they send fraudulent emails to employees from those companies, many of which contain malicious links. Unwitting employees may open these links or provide essential credentials like usernames and passwords without checking if the sender and landing page are legitimate. This essential data gives attackers the window they need to infiltrate and compromise the vendor’s email accounts.

Stage 2: Compromised Account Takeover

Once attackers have gathered the credentials necessary to infiltrate a company’s email accounts, they can take over accounts and surveil communications. They will then set up rules that auto-forward all emails to a mailbox created for this specific purpose.

Stage 3: Inbox Monitoring

VEC attacks are often slow and methodical. To successfully pose as a real vendor, cybercriminals need to find out as much valuable information as they can about the vendor’s standard business practices. Once they’ve compromised email accounts and established a method for surveilling, they’ll spend weeks or even months observing regular interactions and noting patterns of communication behavior.

The attackers are especially interested in the vendor’s relationships with customers as this is the area they’ll soon attempt to exploit. They’ll make note of who those customers are, giving them a list of potential targets for when the attack enters its final phase. They’ll also observe the format, appearance, and due amount of invoices, as well as the standard due dates for particular services from each client. They’ll also check which specific employees at the client companies are responsible for handling invoices, ensuring their future attacks will be realistic and precise.

Stage 4: Sending Spear Phishing Emails to the Vendor’s Customers

After this careful observation, the criminals move on to launch their final attack on the vendor’s customers. This is where their extensive work pays off in the form of massive payments. By pretending to be an agent from the vendor and sending realistic invoices, the bad actors can extract substantial sums from various companies.

Attackers identify the employee who is responsible for communicating with a particular customer. Then, they create an email and invoice that match the style of the employee in question. Finally, they send the email at the same time that the vendor typically bills the client. These fraudulent emails will ask customers to direct their payments to a new bank account that is under the cybercriminals' control. If the employee who receives the email remains unsuspicious and sends the money to the desired account, the attack was successful.

Why VEC Attacks Are So Successful

Vendor email compromise attacks are often successful because they evade traditional secure email gateways. These conventional email security systems look for known indicators of compromise, such as bad reputation, suspicious links, and malicious attachments. When cybercriminals impersonate a vendor and request money from a customer, their emails might not contain none of these red flags. This allows the messages to end up in an employee’s inbox without detection.

The realistic nature of VEC emails also makes them difficult for employees to identify. Most users have been trained to spot obvious signs of fraud like suspicious links and sketchy requests for credentials. Emails that perfectly imitate actual vendors won’t attract the same type of scrutiny.

How to Prevent VEC Attacks

Cyberattacks have become increasingly complex in recent years, and this sophistication is evident in vendor email compromise attacks. Cybercriminals spend months monitoring a compromised vendor before defrauding an unsuspecting company. To prevent VEC attacks, defenders must do everything they can to detect and stop fraudulent emails from reaching their employees' inboxes. The key is to maintain a proactive approach to email security. With the right combination of awareness training for their employees and machine-intelligence systems for their technological defenses, security leaders can successfully avoid an attack.

Phishing Awareness Training

By educating employees about phishing tactics and campaigns, organizations can give them the tools they need to fend off many types of BEC attacks. Employees will be better equipped to spot content designed to trick them into giving up credentials.

When it comes to vendor email compromise, these training efforts will have the biggest impact on vendors. Most VEC scams begin with a phishing attack on the employees at a prominent vendor. If organizations bill other companies on a regular basis, then their employees could be targeted by VEC attackers.

Machine-intelligent Email Security

Machine-intelligent email security solutions like xorlab ActiveGuard can give organizations the best possible chance of identifying VEC attacks. These programs operate by understanding the local context, communication relationships and behavior within an organization. Their ability to identify subtle deviations from typical behavior makes them much more effective than a traditional email security system. A VEC attack typically hides within seemingly normal email correspondence. Machine-learning programs can spot the subtle distinctions that mark a malicious email, and thus identify and stop potential threats.

If you want to learn about how xorlab ActiveGuard can defend your organization against VEC attacks, request a demo today.