Close
Sales
Digital Sales Rooms
Customer Onboarding
Presales Delivery
Audit & Compliance
Audit
KYC
Due Diligence
Consulting & Services
Service Delivery
Customer Onboarding
Procurement
RFx
Vendor Onboarding
Vendor Risk Assessment
Legal
Contract Negotiation
Non-Disclosure Agreement
Accounting
Accounting Client Collaboration
M&A and Investment
Deal Preparation
Due Diligence
Work with people outside of your organization
TakeTurns includes all the features you need for external collaboration
External File Sharing
Document Collection
External Document Collaboration
Confidential & Private Content Exchange
Close
Discover TakeTurns
Features
Security & Privacy
TakeTurns vs Email
Latest updates
Creating your first TakeTurns Flow™
Things you can do in a TakeTurns Flow™
Supervisors, Quick Collaboration Creation, and Usability Updates
Download our eBook
Go async
5 ways to improve how you work with people outside of your organization
Close
Read
Blog: At every turn
Guide to External Collaboration
eBook: Go async
Learn
Help Center
TakeTurns vs Email
Featured post
Ultimate Guide to Supplier Collaboration
Download our roundup of the latest thinking, research, and analysis about supplier collaboration.
Guide to External Collaboration
Collaboration 101
Procurement

What is Vendor Email Compromise (VEC)?

July 16, 2024
Frédéric Jammes
Frédéric Jammes
What is vendor email compromise?
Vendor email compromise (VEC), also known as vendor impersonation or vendor spoofing, is a type of cyber attack where cybercriminals infiltrate and take over a vendor’s email account. The attackers then impersonate the vendor to collect fraudulent payments from their customers.

How do VEC attacks work?

Vendor email compromise (VEC) attacks involve infiltrating and taking over a vendor’s email account. Once inside, attackers exploit the established trust between the vendors (or suppliers) and their customers along with content they find in the inbox to craft and send fraudulent communications. The goal is to divert payments or steal sensitive information from the vendor’s customer.  Understanding the mechanics of these attacks is useful for implementing effective risk mitigation strategies. Here's how vendor email compromise works:

  1. Attackers gain access: Criminals compromise a vendor's email account.
  2. Search inbox for potential fraud opportunities: Cybercriminals comb through the inbox (or monitor email messages) to identify which of the vendor’s customers should be targeted.  
  3. Send fraudulent messages: The attackers send emails and attachments to the vendor's customers, appearing to be from the trusted vendor. Often, new banking details, fake invoices, or shipping notices are used to divert payments.

It’s worth noting that vendors can be victimized when their customers fall victim to business email compromise (BEC).  In those scenarios, the cybercriminal, impersonating a key customer, would send fake purchase orders, payment methods, or chargebacks.

In a Vendor Email Compromise (VEC), attackers exploit trusted supplier relationships and inbox content to stage attacks

Why are customer/vendor relationships vulnerable to cyber attacks? 

VEC can happen at any time, as the exchange of sensitive information is typical during many supplier collaborations over the course of a customer/vendor relationship. Supplier collaboration where sensitive data is exchanged includes RFx processes, vendor onboarding, AP/AR reconciliations and payments, and more. 

Supplier collaborations occur between many departments within both the customer organization and vendor organization, making it normal and necessary to update contacts over time and making it easier for attackers to insert themselves without raising suspicion. 

Here's why customer/vendor relationships are particularly vulnerable to cyber attacks:

  • Reliance on Email: Most organizations rely on email for supplier collaborations. Email lacks robust security features, making it susceptible to compromise. Fraudsters can easily create emails imitating legitimate senders  (e.g., spoofing your vendor’s AR dept) or send an email from the hijacked account directly (e.g., so called account takeover attacks)  to trick customers into revealing sensitive information or acting on fraudulent information.
  • Email as a data graveyard: One of the biggest challenges is that many of the sensitive files remain in everyone’s inboxes well after the transactions are complete. Cybercriminals often use this information to increase the credibility of their communications. 
  • Multiple Parties Involved: Various departments within your company may contact various departments within your vendor organization, potentially leading to redundant requests for information. It’s hard to keep everyone on the same page and track legitimate requests. In this state of confusion, a well-crafted VEC email might appear genuine.
  • Lack of Verification: Without proper verification protocols, it can be challenging to ensure emails are coming from legitimate sources. A VEC attacker can exploit this by spoofing email addresses to appear trustworthy.

How to avoid VEC attacks

VEC is dangerous because it exploits the trust already established between a vendor and its customers. Recipients are more likely to be fooled by emails that appear to come from a familiar source. Follow these recommendations to stay vigilant against VEC attacks:

  • Be cautious of unexpected requests: Always double-check any urgent requests for changes in payment methods or account information, especially if received via email.
  • Verify sender information: Carefully scrutinize email addresses for any inconsistencies or typos. Don't rely solely on the sender name displayed in the email.
  • Pick up the phone: If an email raises any red flags, contact the vendor directly using a verified phone number to confirm the request.
  • Implement strong email security: Utilize spam filters and email authentication protocols to help prevent phishing attempts from reaching your inbox.
  • Educate employees: Train your employees to be aware of VEC scams and how to identify suspicious emails. Encourage them to report any concerns to the IT security team.
  • Use secure tools: Instead of email, use secure tools to support your supplier collaborations, especially when sharing sensitive data and files. 

By following these precautions, you can significantly reduce the risk of falling victim to a vendor email compromise attack.

How external collaboration tools help mitigate risk

From a risk management perspective, implementing risk avoidance strategies to combat VECs is tough. The reason is simple. As customers, we have no control over our suppliers’ and vendors’ email systems and vice versa. Tools like TakeTurns can mitigate risks by transforming the clutter of emails and attachments we find in traditional supplier collaborations into a structured, secure, and transparent TakeTurns Flow™.

Built-in data protections for supplier collaboration

Here's how using a Flow instead of email  helps mitigate VEC risks:

  • Participant verification: TakeTurns verifies the email addresses of all participants; only those invited to the Flow can access documents, files, and communications. 
  • Compartmentalization of communication and documents: The parties exchange content and communicate about the transaction in the Flow. This helps keep sensitive documents and files out of inboxes. 
  • Audit Trails: TakeTurns keeps things transparent. It maintains a comprehensive and indelible audit trail of everything that happens over the course of your supplier collaboration, making it easier to identify suspicious activity and difficult for attackers to cover their tracks.
  • Ephemeral storage: When your supplier collaboration is done, TakeTurns allows you to set an expiration time for shared content, ensuring that communications, documents, and files are automatically deleted from the platform after a designated period. Thus avoiding the persistence of sensitive information reduces the likelihood that it will be compromised or exploited in the event of an attack.
  • SOC2 Type 2 Certification: TakeTurns is SOC2 Type 2 certified, meaning it meets stringent standards for security, availability, processing integrity, confidentiality, and privacy. 

Final thoughts

Vendor email compromise (VEC) is a growing threat that exploits trust in supplier collaborations. By understanding the tactics attackers use and following recommended security practices, you can significantly reduce your risk of falling victim. Implementing robust email security measures, educating employees, and adopting secure tools like external collaboration platforms to support your supplier collaborations are crucial steps in protecting your organization from VEC attacks and safeguarding your sensitive information and financial assets.

TABLE OF CONTENTS
MORE TOPICS
Best Practices
Collaboration 101
Legal
Presales
Procurement
Sales
Tools

Recent articles

Supplier Collaboration Tools

The best tools for supplier collaboration

Vendor Risk Best Practices

Best practices for vendor risk assessment

Vendor Risk Assessment

What is Vendor Risk Assessment?

External Audit

What is an External Audit? Key Concepts & How to Improve

Get started today

Try TakeTurns 30 Days Free

Try all the features of TakeTurns free for 30 days, no credit card required. Send your first invitation to a TakeTurns Flow in minutes.

Contact our Sales Team

Need to discuss how TakeTurns can help you or schedule a demo? Contact our sales team.
Follow us on ProductHuntFollow us on LinkedInCheck out our YouTube Channel
Visit giveaturn.org