A case of vendor email compromise (VEC).
N2K logoMar 23, 2023

Vendor email compromise (VEC) amounts to a supply chain attack.

A case of vendor email compromise (VEC).

Abnormal Security describes an attempted vendor email compromise attack (VEC) that tried to steal $36 million from a commercial real estate company. The attackers posed as a trusted contact at an insurance firm, sending the phishing emails from a domain that ended in “.cam” instead of “.com.” The phishing emails contained phony invoices:

“[T]he only piece of this email that was different from what the target would typically expect in an invoice was the wiring instructions, which directed the recipient to submit payment to a company called Forever Home Title in Tampa, Florida. Extremely close inspection of the wiring instructions show minor discrepancies, like the “Reference: Name,” instead of “Reference Name” and the missing state in the disclaimer text. But again, only someone who was expecting an attack would likely look for these minor issues.”

Why VEC attacks succeed.

Erich Kron, Security Awareness Advocate at KnowBe4, commented on why vendor email compromise succeeds. Like other forms of social engineering, VEC works because it identifies and then abuses a relationship of trust: 

"Successful attacks such as this are generally successful because they exploit the trust between known entities and create some sort of an emotional reaction that helps them avoid detection. By using the names of people that had already been established in a working relationship, and using a domain name very similar to the real one, this attacker significantly increased the chances of their success. These attackers also used tricks to add pressure and increase emotional involvement, including the statement that ‘Sending funds by ACH will delay your ability to take possession of your new home after closing’ in the wiring instructions. 

"Cyber criminals continue to improve and refine their attack methods, making it much more difficult for the average individual to spot these attacks unless they know what to look for. For organizations that handle large amounts of money or sensitive information, policies and procedures should be in place to require confirmation of significant requests, through an alternative method such as a known good phone number or other method of communication, but never as a response to a requesting email. Employees should be educated in ways to spot things such as the minor changes in the domain names and other potential signs that something is not right, and should supplement their security awareness training with simulated phishing tests which allow the users to practice spotting these types of attacks."

(Added, 6:45 PM ET, March 25th, 2023. Ronnie, Tokazowski, Principal Threat Advisor at Cofense, commented on the trending problem of vendor email compromise:

"Vendor Email Compromise (VEC) has been a problem that has affected plagued organizations for years. This tactic initially made headlines in 2019 when a BEC actor known as Silent Starling was documented for using this tactic against vendors and organizations. Fast forward to 2023, and we have seen actors employ VEC attacks to steal not just money but physical commercial goods too. In order to facilitate the laundering of these commercial goods, organized crime groups such as Black Axe will use fake logistics companies to launder or re-sell the stolen goods.

"In order to stay protected, it’s critical to know who your vendors are and know the trusted bank account used for sending transactions. Actors have been known to reply to already-live email threads matching fonts and signatures with “updated invoices” in an attempt to exploit these known and already-trusted relationships. Verify through known phone numbers (not the one in the new email) that the change is actually needed, matches the voice of the person who is making the request, and that the action is meant to happen to prevent the fraud from happening.")