The LMT Blog

Warning! Vendor Email Compromise on the Rise

Aug 12, 2020 9:00:00 AM / by April L. Sy and James Keeler


There’s a phishing attack out there that is stealthy and not easily detected until the damage is done. It’s called Vendor Email Compromise, and it’s worth billions worldwide.

Cybercriminals are constantly evolving their techniques and strategies to gain information about your company and its financials. Security experts are warning about a new phishing attack that is stealthy and not easily detected until the damage is done. It’s called Vendor Email Compromise (VEC), and its detrimental impact has cost unsuspecting users and businesses billions worldwide.

VEC is an evolution of traditional phishing scams, often carried out by transnational crime organizations, most notoriously Silent Starling, operating out of Nigeria. VEC combines Credential Phishing with Business Email Compromise (BEC) to target an entire supply chain, making the attacks far more lucrative.

Credential Phishing is an attempt to obtain login credentials from a victim. BEC occurs when an attacker gains access to a business email account (often via Credential Phishing). Once in, the attacker uses the address for a variety of cybercrimes: identity theft, wire fraud, gift card fraud, social media hijacking, stock market pump-and-dump schemes, sending further phishing attacks, or signing the account up for other services that they plan to use for criminal purposes (often paid for with stolen credit cards!).


How Do the Attackers Get in?

VEC attackers begin with an Intrusion Phase: targeted “spear phishing” emails designed to capture the account credentials of a first victim at Company A. Often these phony emails ask the user to download files from Microsoft OneDrive, open a DocuSign link, or log in to view an encrypted email. The victim enters his/her credentials, and the attacker now has access to the account.

What Do the Attackers Do Once They’re In?

The attacker sets up forwarding or redirect rules and simply observes the email exchanges to and from the victim. From these exchanges the attacker gathers intelligence about:

Your Company
•  Who’s Who in the Company

Clients
•  Client Lists
•  Client Contacts Responsible for Payments 

Suppliers
•  Supplier Contacts Responsible for Receiving Payments or sending Invoices 

Behaviors
•  Day-to-Day Transactions
•  Regular Communication Patterns
•  Upcoming Payment Due Dates 

Invoices
•  What Do They Look Like?
•  What Are the Due Dates?
•  Bank ACH Information
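The forwarding and redirect rules described above are the attacker’s foothold, and they are also where a defender can catch the intrusion early. The following is an added example (not part of the original post or LMT’s tooling) that scans mailbox-rule audit events for the two patterns that matter here: rules that forward or redirect mail outside the organization, and rules that quietly hide finance-related mail from the account owner. The event schema, the domain list, and all sample events are constructed for the example.

```python
"""Flag inbox-rule changes that match the VEC intrusion pattern."""

INTERNAL_DOMAINS = {"example.com"}  # assumed: the organization's own mail domains

# Keywords an attacker filters on while watching invoice and payment traffic.
FINANCE_TERMS = {"invoice", "payment", "wire", "ach", "bank", "remittance"}
# Folders where a rule can park mail so the mailbox owner never notices it.
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "junk email", "archive"}

# Constructed sample audit events in a simplified, hypothetical schema
# (not any mail platform's real log format).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "rule": "backup", "forward_to": ["alice.backup@mail-example.net"],
     "subject_contains": [], "move_to_folder": None, "delete": False},
    {"user": "bob@example.com", "rule": ".", "forward_to": [],
     "subject_contains": ["invoice", "payment"], "move_to_folder": "RSS Subscriptions", "delete": False},
    {"user": "carol@example.com", "rule": "Newsletters", "forward_to": [],
     "subject_contains": ["newsletter"], "move_to_folder": "Reading", "delete": False},
    {"user": "dave@example.com", "rule": "Cover", "forward_to": ["erin@example.com"],
     "subject_contains": [], "move_to_folder": None, "delete": False},
]


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def analyze_rule(event, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons this rule looks like VEC tradecraft (empty list if benign)."""
    findings = []
    external = [a for a in event["forward_to"] if is_external(a, internal_domains)]
    if external:
        findings.append("forwards mail outside the organization: " + ", ".join(external))
    terms = {t.lower() for t in event["subject_contains"]} & FINANCE_TERMS
    folder = (event["move_to_folder"] or "").lower()
    if terms and (event["delete"] or folder in HIDING_FOLDERS):
        findings.append("hides finance mail (%s) from the mailbox owner" % ", ".join(sorted(terms)))
    if not event["rule"].strip(" ."):  # names like "." make a rule easy to overlook in the client
        findings.append("rule name is blank or a single punctuation character")
    return findings


def scan(events, internal_domains=INTERNAL_DOMAINS):
    """Map each user with suspicious rules to the findings; clean users are omitted."""
    report = {}
    for event in events:
        findings = analyze_rule(event, internal_domains)
        if findings:
            report.setdefault(event["user"], []).extend(findings)
    return report
```

Run `scan()` over each day’s rule-creation events and route any non-empty result to the help desk for an out-of-band check with the user before the rule is allowed to stay.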

When Does the Damage Occur?

The attackers enter the Active Phase with spear phishing emails sent to the victim’s Clients and Suppliers using the wealth of information they’ve gathered while lurking in the background. Using information obtained from emails between Suppliers or Clients, the attackers will mimic those communications with the end goal of updating payee information to the attacker’s bank account.

Sometimes this is done in one step, with a large, expected invoice being sent from Company A to Company B with changed account numbers included in the payment instructions on the invoice. Other times it starts slowly, by alerting an Accounts Payable contact that Company A will be changing its banking information soon, setting the stage and enhancing the legitimacy of the fraudulent account number change delivered right before a large invoice is due to be sent.

After the payee information change is made, the funds are funneled into the attacker’s “mule” account, victimizing both Company A (which never receives the payment intended to cover the invoice) and Company B (whose funds, intended to pay its balance with Company A, are stolen). Depending on the business cycle and how often accounts receivable aging reports are run at Company A, it might take weeks or even months for either company to notice that the payment was redirected.

How Can I Protect My Business?

Harden your Email Security: Your email system may support enhanced security features that are often not enabled by default, may require additional licensing to enable, and need careful configuration to effectively reduce the risk of email compromise.

Security Awareness Training: Security Awareness Training is a key component of a Cybersecurity Program that helps build up the security culture of your organization and strengthen the “human firewall.”

Implement Multi-Factor Authentication (MFA): MFA will greatly reduce the ability of the attacker to gain access to your employees' email accounts.

Review your Cybersecurity Policy Regularly: Cyber-threats are constantly evolving; so should your Cybersecurity Program and the Information Security Policies that establish its foundation.

At LMT, the “VEC Stops Here!” LMT offers the following comprehensive services to start improving the cybersecurity posture of your organization today! 

  • Security Awareness Training 
  • Email Security Hardening 
  • Multi-Factor Authentication (MFA)
  • CISO Services
