By now, most people know about the threat from business email compromise, or BEC. In a BEC attack, an attacker either takes over an employee’s mailbox or convincingly impersonates it (a spoofed or look-alike address) and then trades on the trust that email carries to manipulate others in the company, typically into sending money or sensitive data.
“Formerly dubbed as Man-in-the-Email scams, BEC attackers rely heavily on social engineering tactics to trick unsuspecting employees and executives. Often, they impersonate the CEO or any executive authorized to do wire transfers.” As bad as BEC is, its blast radius is usually a single company: the one whose executive is being impersonated.
Not content with exploiting a single company, attackers are now taking the same technique a step further. There is now evidence of attackers using one compromised mailbox at one company to defraud many companies: the customers and suppliers in that company’s supply chain. It makes sense, too. A message from a long-standing supplier or customer is trusted at least as readily as one from a colleague, and it arrives from an address the recipient has corresponded with for years.
It’s called Vendor Email Compromise (VEC) and it’s becoming a very large problem. According to Agari research, as reported by Security Week, “One of the most significant emerging threats in the cyber threat landscape is vendor email compromise. The key to these attacks is gaining access, through standard phishing, to email accounts belonging to key individuals within a company’s accounts receivable or finance department. The process is slower and demands greater patience from the attacker than typical BEC attacks, but can generate greater reward.
By first compromising one email account the attacker can slowly compromise others. The data found within the emails allows the attacker to learn how the company operates, and when things happen. In particular, attackers are looking for invoice and payment patterns with an important customer. The attacker gains an understanding of a vendor’s invoicing times, processes, and customers. This intelligence enables him to create emails that are so realistic that they are virtually undetectable—and, since he has already compromised the email account, he can deliver his attack from a genuine rather than a spoofed email account. In theory, if the compromised company sends out multiple invoices to multiple customers at the same time, the scam could be perpetrated on multiple customers.”
This type of “supply chain attack” means that a sender’s address alone no longer establishes trust, whether the sender is inside or outside the organization. Because the fraudulent invoice really does leave the vendor’s mailbox, SPF, DKIM and DMARC all pass and the address matches years of legitimate correspondence; what differs is the content (new payment details, a “new bank”) and the context (timing, where replies are routed). The effect is also multiplicative: a single compromised mailbox at a single vendor now threatens dozens, or hundreds, of companies that do business with it. The practical consequence is that any change to payment instructions must be confirmed through a channel agreed with the vendor beforehand, such as a known phone number, and never by replying to the email that announced the change.
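Because the VEC invoice described above comes from the vendor’s genuine mailbox and authenticates cleanly, a defender has to look at the content rather than the sender. The script below is an added example written for this page; it is not code from the original post or from any Phish Protection product. It assumes the usual VEC payload, an invoice carrying a changed payment account (the page itself does not spell out the payload), keeps a per-vendor baseline of payment accounts seen on previously paid invoices, and flags any invoice from a known vendor whose IBAN is not in that baseline or whose Reply-To steers replies to another domain. The vendor name, addresses, IBANs and both messages are constructed for illustration; the IBANs are the standard ISO 13616 test values.

```python
"""Added example: flag vendor invoice emails whose payment destination
departs from the vendor's known baseline.

A VEC invoice arrives from the vendor's real mailbox, so SPF/DKIM pass;
the detectable anomaly is in the content. All names, addresses and
messages below are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed baseline: for each vendor billing address, the payment
# accounts (IBANs) that appeared on invoices already paid.
VENDOR_BASELINE = {
    "billing@acme-supplies.example": {"DE89370400440532013000"},
}

# Loose IBAN shape: country code, two check digits, then groups of four
# optionally separated by single spaces. Validity is confirmed by mod-97.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must be 1 mod 97."""
    rotated = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rotated)
    return int(digits) % 97 == 1


def extract_ibans(text: str) -> set[str]:
    """Return every mod-97-valid IBAN found in the text, spaces removed."""
    found = set()
    for m in IBAN_RE.finditer(text):
        candidate = re.sub(r"\s", "", m.group(0))
        if iban_is_valid(candidate):
            found.add(candidate)
    return found


def assess_invoice(raw_message: str) -> dict:
    """Score one raw RFC 5322 message against the vendor baseline."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    auth = msg.get("Authentication-Results", "")
    result = {
        "sender": sender,
        # Recorded for the report only: a compromised account
        # authenticates perfectly, so "pass" clears nothing.
        "auth_passed": "spf=pass" in auth and "dkim=pass" in auth,
        "known_vendor": sender in VENDOR_BASELINE,
        "findings": [],
    }
    if not result["known_vendor"]:
        return result  # outside the scope of this check
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    # Heuristic 1: a payment account this vendor has never used before.
    new_accounts = extract_ibans(body) - VENDOR_BASELINE[sender]
    if new_accounts:
        result["findings"].append(
            "payment account not in vendor baseline: " + ", ".join(sorted(new_accounts)))
    # Heuristic 2: replies steered away from the mailbox the message came
    # from, which keeps the real account owner out of the conversation.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rsplit("@", 1)[-1] != sender_domain:
        result["findings"].append(f"Reply-To routes replies outside vendor domain: {reply_to}")
    return result


# Constructed sample messages. Both pass SPF/DKIM because both really
# left the vendor's mail system; only the second changes the payee.
LEGIT_INVOICE = """\
From: Acme Supplies Billing <billing@acme-supplies.example>
To: ap@customer.example
Subject: Invoice 2024-0417
Authentication-Results: mx.customer.example; spf=pass; dkim=pass
Content-Type: text/plain; charset=utf-8

Please remit EUR 12,400.00 to IBAN DE89 3704 0044 0532 0130 00 by the 30th.
"""

VEC_INVOICE = """\
From: Acme Supplies Billing <billing@acme-supplies.example>
Reply-To: billing@acme-supplies-accounts.example
To: ap@customer.example
Subject: Invoice 2024-0418 - updated bank details
Authentication-Results: mx.customer.example; spf=pass; dkim=pass
Content-Type: text/plain; charset=utf-8

We have moved to a new bank. Please remit EUR 12,400.00 to
IBAN GB82 WEST 1234 5698 7654 32 and update your records.
"""


def assess_all(messages):
    return [assess_invoice(m) for m in messages]


if __name__ == "__main__":
    for r in assess_all([LEGIT_INVOICE, VEC_INVOICE]):
        status = "SUSPECT" if r["findings"] else "ok"
        print(f"{status:7} from={r['sender']} auth_passed={r['auth_passed']}")
        for finding in r["findings"]:
            print("   -", finding)
```

Run against the two constructed messages, the first invoice is reported as ok and the second as SUSPECT with two findings, even though both carry spf=pass and dkim=pass. The baseline is the important design choice: it ties trust to an account the company has actually paid before, not to the sender address, which is exactly the signal VEC removes. A finding should trigger out-of-band confirmation with the vendor, not an automatic block, since vendors do change banks legitimately.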
If VEC doesn’t scare you into protecting your organization, nothing will. And what is the fastest, easiest and most affordable way to protect your company from VEC and every other kind of phishing attack? Cloud-based email security from Phish Protection.
Phish Protection, with Advanced Threat Defense, is a cloud-based, integrated suite of email protection services that stops phishing, malware, spam and spoofing. It sets up in minutes, comes with 24/7 live technical support and costs only pennies per employee per month. Try it free for 30 days.