What is vendor email compromise?
Vendor email compromise (VEC), also known as vendor impersonation or vendor spoofing, is a type of cyber attack where cybercriminals infiltrate and take over a vendor’s email account. The attackers then impersonate the vendor to collect fraudulent payments from their customers.
How do VEC attacks work?
Vendor email compromise (VEC) attacks involve infiltrating and taking over a vendor’s email account. Once inside, attackers use the established trust between the vendor (or supplier) and its customers, together with content they find in the inbox, to craft and send fraudulent communications. The goal is to divert payments or steal sensitive information from the vendor’s customers. Understanding the mechanics of these attacks is useful for implementing effective risk mitigation strategies. Here's how vendor email compromise works:
Attackers gain access: Criminals compromise a vendor's email account.
Search inbox for potential fraud opportunities: Cybercriminals comb through the inbox (or monitor email messages) to identify which of the vendor’s customers should be targeted.
Send fraudulent messages: The attackers send emails and attachments to the vendor's customers, appearing to be from the trusted vendor. Often, new banking details, fake invoices, or shipping notices are used to divert payments.
It’s worth noting that vendors can also be victimized when their customers fall victim to business email compromise (BEC). In those scenarios, the cybercriminal impersonates a key customer and sends fake purchase orders, payment methods, or chargebacks.
Why are customer/vendor relationships vulnerable to cyber attacks?
VEC can happen at any time, as the exchange of sensitive information is typical during many supplier collaborations over the course of a customer/vendor relationship. Supplier collaboration where sensitive data is exchanged includes RFx processes, vendor onboarding, AP/AR reconciliations and payments, and more.
Supplier collaborations occur between many departments within both the customer organization and vendor organization, making it normal and necessary to update contacts over time and making it easier for attackers to insert themselves without raising suspicion.
Here's why customer/vendor relationships are particularly vulnerable to cyber attacks:
Reliance on email: Most organizations rely on email for supplier collaborations. Email provides little built-in assurance about who actually sent a message, making it susceptible to compromise. Fraudsters can easily create emails imitating legitimate senders (e.g., spoofing your vendor’s AR department) or send an email from the hijacked account directly (so-called account takeover attacks) to trick customers into revealing sensitive information or acting on fraudulent instructions.
Email as a data graveyard: One of the biggest challenges is that many sensitive files remain in everyone’s inboxes well after the transactions are complete. Cybercriminals often use this information to increase the credibility of their communications.
Multiple parties involved: Various departments within your company may contact various departments within your vendor organization, potentially leading to redundant requests for information. It’s hard to keep everyone on the same page and track legitimate requests. In this state of confusion, a well-crafted VEC email might appear genuine.
Lack of verification: Without proper verification protocols, it can be challenging to ensure emails are coming from legitimate sources. A VEC attacker can exploit this by spoofing email addresses to appear trustworthy.
How to avoid VEC attacks
VEC is dangerous because it exploits the trust already established between a vendor and its customers. Recipients are more likely to be fooled by emails that appear to come from a familiar source. Follow these recommendations to stay vigilant against VEC attacks:
Be cautious of unexpected requests: Always double-check any urgent requests for changes in payment methods or account information, especially if received via email.
Verify sender information: Carefully scrutinize email addresses for any inconsistencies or typos. Don't rely solely on the sender name displayed in the email.
Pick up the phone: If an email raises any red flags, contact the vendor directly using a verified phone number to confirm the request.
Implement strong email security: Utilize spam filters and email authentication protocols to help prevent phishing attempts from reaching your inbox.
Educate employees: Train your employees to be aware of VEC scams and how to identify suspicious emails. Encourage them to report any concerns to the IT security team.
Use secure tools: Instead of email, use secure tools to support your supplier collaborations, especially when sharing sensitive data and files.
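The recommendations above (scrutinize the sender address rather than the display name, treat payment-detail changes as something to verify out of band, and rely on email authentication) can be turned into an automated triage check on the receiving side. The following is an added example written for this article; it is not code from the original page or from TakeTurns. It assumes a constructed allowlist of vendor domains, two constructed sample messages, and that your own inbound mail server stamps SPF, DKIM and DMARC verdicts into the Authentication-Results header (the standard place for them). It deliberately covers the account-takeover case: a message sent from the vendor's real, hijacked account authenticates cleanly, so only the content check fires for it, which is why the article's "pick up the phone" step still applies.

```python
"""Triage inbound vendor email for VEC indicators (added example, not from the page)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed allowlist: the vendor domains your AP team actually does business with.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example"}

# Phrases that commonly accompany a request to change where money is sent.
PAYMENT_CHANGE_PATTERNS = [
    r"\bnew (bank|banking|account) (details|information)\b",
    r"\bupdated? (bank|banking|remittance) (details|information)\b",
    r"\bwire (transfer|instructions)\b",
    r"\brouting number\b",
    r"\bremit(tance)? to\b",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small non-zero value between
    domains is the signature of a typo-squatted lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value) -> str:
    """Domain of the real address, ignoring the display name (which is what
    a reader sees and what attackers control freely)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def classify_domain(domain: str) -> str:
    """'known', 'lookalike' (within two edits of a known vendor) or 'unknown'."""
    if domain in KNOWN_VENDOR_DOMAINS:
        return "known"
    if any(levenshtein(domain, known) <= 2 for known in KNOWN_VENDOR_DOMAINS):
        return "lookalike"
    return "unknown"


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts as written into Authentication-Results by the
    receiving mail server (assumed to be your own trusted MX)."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def triage(raw_message: str) -> list:
    """Return the list of VEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    from_domain = sender_domain(msg.get("From"))
    reply_domain = sender_domain(msg.get("Reply-To")) if msg.get("Reply-To") else from_domain
    kind = classify_domain(from_domain)
    if kind != "known":
        flags.append(f"{kind}_sender_domain:{from_domain}")
    if reply_domain != from_domain:
        flags.append(f"reply_to_mismatch:{reply_domain}")

    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            flags.append(f"{mech}_not_pass")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if any(re.search(p, text, re.I) for p in PAYMENT_CHANGE_PATTERNS):
        # A banking-detail change is exactly what must be confirmed by phone,
        # whether or not the message authenticated cleanly.
        flags.append("payment_change_request")
    return flags


# Constructed sample 1: lookalike domain, mismatched Reply-To, failed DMARC.
LOOKALIKE_MESSAGE = """\
From: "Acme Supplies AR" <billing@acme-suplies.example>
Reply-To: ar-team@mail-acme.example
To: ap@customer.example
Subject: Updated banking details for invoice 4471
Authentication-Results: mx.customer.example; spf=pass; dkim=none; dmarc=fail

Please note our new bank details for all future payments.
"""

# Constructed sample 2: the vendor's real account, hijacked; everything authenticates.
TAKEOVER_MESSAGE = """\
From: "Acme Supplies AR" <billing@acme-supplies.example>
To: ap@customer.example
Subject: Remittance update
Authentication-Results: mx.customer.example; spf=pass; dkim=pass; dmarc=pass

Effective immediately, please use the updated banking details below for remittance.
"""

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE_MESSAGE), ("takeover", TAKEOVER_MESSAGE)):
        print(name, triage(raw))
```

The first message trips every check; the second trips only the content check, because a compromised legitimate mailbox passes SPF, DKIM and DMARC by definition. That is the practical reason the article pairs technical email security with process controls such as out-of-band verification.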
By following these precautions, you can significantly reduce the risk of falling victim to a vendor email compromise attack.
How external collaboration tools help mitigate risk
From a risk management perspective, implementing risk avoidance strategies to combat VEC attacks is tough. The reason is simple. As customers, we have no control over our suppliers’ and vendors’ email systems, and vice versa. Tools like TakeTurns can mitigate risks by transforming the clutter of emails and attachments found in traditional supplier collaborations into a structured, secure, and transparent TakeTurns Flow™.
Here's how using a Flow instead of email helps mitigate VEC risks:
Participant verification: TakeTurns verifies the email addresses of all participants; only those invited to the Flow can access documents, files, and communications.
Compartmentalization of communication and documents: The parties exchange content and communicate about the transaction in the Flow. This helps keep sensitive documents and files out of inboxes.
Audit Trails: TakeTurns keeps things transparent. It maintains a comprehensive and indelible audit trail of everything that happens over the course of your supplier collaboration, making it easier to identify suspicious activity and difficult for attackers to cover their tracks.
Ephemeral storage: When your supplier collaboration is done, TakeTurns allows you to set an expiration time for shared content, ensuring that communications, documents, and files are automatically deleted from the platform after a designated period. Avoiding the persistence of sensitive information in this way reduces the likelihood that it will be compromised or exploited in the event of an attack.
SOC2 Type 2 Certification: TakeTurns is SOC2 Type 2 certified, meaning it meets stringent standards for security, availability, processing integrity, confidentiality, and privacy.
Final thoughts
Vendor email compromise (VEC) is a growing threat that exploits trust in supplier collaborations. By understanding the tactics attackers use and following recommended security practices, you can significantly reduce your risk of falling victim. Implementing robust email security measures, educating employees, and adopting secure tools like external collaboration platforms to support your supplier collaborations are crucial steps in protecting your organization from VEC attacks and safeguarding your sensitive information and financial assets.