‘V’ for Vendor – the rise of vendor email compromise
Something’s wrong. Janine, who works in the accounts department at a stationery supplier is chasing down payments from the firm’s clients, but is getting back strongly worded phone calls and emails that they have already been paid.
Confused, Janine double-checks each account and confirms that is not the case – in fact, very few of the accounts have been settled for the month. Even more of a concern is that some of the customers have pointed out that Janine sent them two invoices, when in reality she had only sent one.
Unfortunately, Janine’s company has become the victim of a new type of email fraud: Vendor Email Compromise (VEC). VEC is an evolution of Business Email Compromise (BEC), which itself emerged as one of the most serious cyber threats facing organisations in recent years, with businesses losing more than £2.8 billion a year to scams.
Using BEC, attackers impersonate the email identity of a trusted and often senior contact within a target organisation, usually to persuade an employee to pay them large sums of money. However, this new take on BEC sees cybercriminals defrauding not just one company, but much of its supply chain.
In VEC, the attacker takes over the identity of their victim’s finance team and issues fake invoices to clients in the supply chain, at the right time when payment would normally be requested. The aim is to get the clients to pay money, often £100,000s, to the attacker rather than to the legitimate business.
A game of patience
A VEC attacker will look to target someone on the finance team of an organisation, or the managing director in cases of small-size companies, as they have the authority to send out invoices and request payments for completed services.
Once they have identified their quarry, the VEC attacker will send them a convincing email directing them to a phishing site. This will mimic a login page to Microsoft One Drive or DocuSign for example, where the victim will enter their email credentials.
The cybercriminal will then use these credentials to create a forwarding rule on the victim’s email account to send copies of any messages to or from the targeted account to their own inbox. Unknown to the victim, the VEC attacker will silently monitor these emails to gain intelligence about the victim’s clients, invoices and other financial information.
They will likely be scouting out these email conversations for weeks or months to understand how the invoicing and payments processes operate, how often requests are sent and even conversations. This information will be used by the VEC attacker to create an invoice that looks identical to the ones sent out by the victim, the only difference being the account details, which will be for a mule account connected to the cybercriminal.
To make the con even more convincing, the VEC attacker will also accurately impersonate the legitimate email message, from salutation to any personal remarks, through to the signature. So as to not arouse suspicion, the cybercriminal will then send out these emails and invoices at the same timescale as the legitimate company.
For example, if an invoice is sent out every sixty days, sending an email that asks for payment after 30 days is likely to cause the client to call the supplier, which will uncover the deception. If done well, the chances are that the client will not realise that the invoice is a fake and will authorise the payment. Of course, the payment will go into the mule account and not that of the actual supplier.
Silent Starling swoops
This new type of email fraud was uncovered by Agari’s research unit ACID while investigating a West African cybercriminal gang they’ve called Silent Starling. These crooks have infiltrated more than 700 employee accounts at 500 companies and have collected more than 20,000 emails since late 2018.
They also look to collect an organisation’s aging reports, which detail those clients who are overdue on their payments. Using this information Silent Starling will email the debtors asking for payment, sometimes offering incentives for early settlement. One such consolidated aging report found on a Silent Starling email account had more than 3,500 clients with overdue payments totalling over £5 million.
VEC creates multiple victims, not only the targeted company, but also all its customers. Therefore, action to combat VEC needs to both prevent an organisation from having its emails being compromised and falling for VEC requests for payment from infected suppliers.
To mitigate the risk of email accounts being compromised, organisations need to employ technology that can identify the phishing emails looking to capture a user’s credentials and stop them from getting to their inbox in the first place.
This is a much more effective solution than placing the burden on an employee to spot a scam email. In addition, organisations need to also be able to spot insider impersonation and whether an employee’s account is behaving normally or showing signs of being compromised by an attacker.
The danger with VEC is that it is not recognised as a risk by traditional security controls. This is because these socially engineered messages are coming from the ‘correct sender’ and are exactly the same as the real deal in every way apart from the bank details.
To ensure that they are paying genuine suppliers rather than cybercriminals, organisations need to look at identifying the criminal rather than the crime. This means using behaviour analytics to recognise the difference between a genuine sender of an email and someone impersonating them.
By taking this double-sided approach organisations can trap VEC criminals in a pincer movement to prevent them taking advantage of the supply chain.