Outsmarting Vendor Email Compromise

How to Protect Your Business from VEC Attacks

You are most likely already familiar with the term Phishing, but have you heard about a more advanced form, Vendor Email Compromise (VEC)? This sophisticated form of phishing, which leverages compromised vendor relationships, poses a unique and significant risk for businesses. Understanding and mitigating this threat is vital for maintaining the security and integrity of business communications. In this article, we’ll cover what VEC is, walk through a real-world example of how it is executed, and explain how you can protect your business from it.


Understanding Vendor Email Compromise

VEC is a targeted type of Business Email Compromise (BEC) phishing attack where attackers gain access to a vendor’s email system and exploit existing trust between the vendor and their clients. This approach differs from traditional phishing by leveraging established business relationships.

Mechanism of Attack

Initial Compromise: Attackers breach and gain unauthorized access to a vendor’s email account.

Domain Mimicking: They create a deceptive email address that closely mirrors the legitimate one, often with subtle changes that can be easily overlooked.

  • Real Email Address: johndoe@thevendor.company.com
  • Deceptive Email Address: johndoe@thevendor-company.com

Continuation of Existing Threads: The attacker continues ongoing email conversations (copying and pasting historical threads), making requests for sensitive information or payments. This seamless continuation makes the fraudulent emails highly convincing.

Exploitation of Trust: Businesses, trusting their vendor, may not suspect the compromise, increasing the risk of falling for the scam.

Real-World Example of a VEC Attack

Background

Imagine a medium-sized company, “ABC Corp”, that regularly does business with “XYZ Supplies”, a trusted vendor. They have been working together for years, and their communication primarily occurs via email.

The Attack Begins

  1. Initial Breach: Unbeknownst to XYZ Supplies, their email system is compromised by a cyber attacker. The attacker gains access to their email database, including ongoing email threads with various clients, including ABC Corp.
  2. Email Spoofing: The attacker creates a new email address that closely resembles a legitimate XYZ Supplies email address. For example, if the original email was john.doe@xyzsupplies.com, the attacker might use john.doe@xyz-supplies.com.

ABC Corp’s Experience

  1. Continuation of Communication: An employee at ABC Corp, Sarah, receives an email from the spoofed address. The email seamlessly continues an existing conversation thread about a recent order. It appears to be from John Doe at XYZ Supplies, discussing details that only John would know. This familiarity and continuity make the email seem entirely legitimate.
  2. Request for Payment: The email from the fraudster requests a payment for the recent order, citing a change in bank details due to ‘internal auditing’. The new bank details are provided in the email.
  3. The Deception: Sarah, recognizing the email thread and not suspecting any foul play, processes the payment as requested. The email’s professional tone and accurate information about the order make her unaware that she’s communicating with a fraudster.

The Discovery

  1. Delayed Realization: It’s only weeks later, during a routine follow-up call with John Doe, that Sarah realizes the discrepancy. John mentions never receiving payment, and Sarah refers to the email about the bank change. John immediately recognizes this as fraudulent, as XYZ Supplies had not changed their bank details.
  2. Investigation and Outcome: ABC Corp investigates and discovers they’ve been a victim of a VEC attack. They realize the attacker had access to detailed information, making the fraudulent email indistinguishable from legitimate communication.

In this scenario, the combination of a familiar email thread, a subtle change in the email address, and accurate details about ongoing transactions made the phishing attempt highly effective.

Why Vendor Email Compromise is Effective

Subtlety and Trust Exploitation: Businesses typically trust their vendors and do not expect them to be the source of a cybersecurity threat. The attackers exploit this established trust.

Continuation of Existing Email Threads: The attackers continue ongoing email conversations, making their communications appear legitimate and part of normal business interactions.

Mimicked Domains: The fraudulent email domains created by the attackers are very similar to the legitimate ones, often with only minor, hard-to-notice alterations.

Persistence After Vendor Discovery: Even if the vendor detects the compromise and shuts down their email systems, the attackers can still continue their phishing efforts using the spoofed domain.

Illusion of Legitimacy: The combination of continued conversations and similar-looking email addresses maintains an illusion of legitimacy, making these scams highly deceptive.

How to Protect Your Business

To effectively protect your business from a sophisticated threat like VEC, it boils down to two major components: People and Process.

People

Enhanced Awareness

    • Regular Training Sessions: Conduct frequent training sessions to educate your staff about Vendor Email Compromise and its signs. Use real-world examples to illustrate how these attacks unfold.
    • Simulated Phishing Tests: Periodically send simulated phishing emails to employees to test their vigilance and reinforce training.
    • Updates on Latest Scams: Keep your team informed about the latest phishing trends and tactics through newsletters or briefings.

Regular Vendor Communication

    • Establish Trusted Communication Channels: Regularly verify and update contact information for your vendors. Encourage the use of encrypted communication channels (where possible).
    • Vendor Security Assessments: Periodically assess your vendors’ security measures and protocols to ensure they align with your cybersecurity standards.
    • Joint Security Workshops: Organize workshops or meetings with your vendors to discuss and align on best security practices.

Process

Strong Verification Protocols

    • Secondary Confirmation Methods: Establish a protocol where any sudden change to financial details or any sensitive request received via email is confirmed through a secondary method, such as a phone call to a pre-established contact or a video call.
    • Internal Approval Processes: Set up an internal approval process for financial transactions, especially for those that deviate from routine patterns.

Advanced Email Security Measures

    • Sophisticated Email Filtering Solutions: Invest in advanced email filtering solutions that can detect and block spoofed emails and phishing attempts.

For inspiration, check out one of my past development projects that detects phishing emails: Phishing Tacklebox
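The lookalike-domain check from the Mechanism of Attack section and the secondary-confirmation rule from the Process section, as an added example (not code from this article or from Phishing Tacklebox): it flags a sender domain that is a near copy of an allowlisted vendor domain, and flags any message that mentions changed payment details regardless of sender. The allowlist, the phrase list and the 0.85 similarity threshold are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist of vendor sender domains (assumed to be maintained by the business).
TRUSTED_VENDOR_DOMAINS = {"thevendor.company.com", "xyzsupplies.com"}

# Phrases that signal a change to payment instructions; these always need out-of-band confirmation.
PAYMENT_CHANGE = re.compile(r"\b(bank details|account number|new bank|wire instructions|payment details)\b", re.I)


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: value such as 'John Doe <john.doe@xyz-supplies.com>'."""
    match = re.search(r"@([A-Za-z0-9.\-]+)", from_header)
    return match.group(1).lower() if match else ""


def normalize(domain: str) -> str:
    """Drop the separators lookalike domains typically add, remove or swap ('.' vs '-')."""
    return re.sub(r"[.\-_]", "", domain.lower())


def classify_sender(from_header: str, trusted=TRUSTED_VENDOR_DOMAINS, threshold=0.85):
    """Return (verdict, closest_vendor_domain): 'trusted' for an exact allowlist match,
    'lookalike' for a near match that must be challenged, 'unknown' otherwise."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted", domain
    best, best_score = None, 0.0
    for known in trusted:
        # Score both the separator-stripped forms and the raw strings; keep the higher one.
        score = max(SequenceMatcher(None, normalize(domain), normalize(known)).ratio(),
                    SequenceMatcher(None, domain, known).ratio())
        if score > best_score:
            best, best_score = known, score
    return ("lookalike", best) if best_score >= threshold else ("unknown", None)


def needs_out_of_band_check(from_header: str, body: str) -> bool:
    """Flag a message for secondary confirmation: lookalike sender, or any payment-instruction
    change, even from a trusted domain (the vendor's real account may itself be compromised)."""
    verdict, _ = classify_sender(from_header)
    return verdict == "lookalike" or bool(PAYMENT_CHANGE.search(body))


if __name__ == "__main__":
    # Constructed message modelled on the article's scenario.
    hdr = "John Doe <john.doe@xyz-supplies.com>"
    body = "Please note a change in bank details due to internal auditing; new details below."
    print(classify_sender(hdr), needs_out_of_band_check(hdr, body))
```

Because the real vendor account may be the one that is compromised, the payment-change rule fires even for a trusted domain; the lookalike rule catches the spoofed domain used once the vendor has locked the attacker out.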

Conclusion

Vendor Email Compromise represents a sophisticated, deceptive phishing attack that capitalizes on trusted business relationships and ongoing communication threads. By raising awareness and implementing strong verification and communication protocols, businesses can effectively combat this threat, ensuring their data and financial integrity.
