Vendor Email Compromise (VEC)

What Is Vendor Email Compromise?

Vendor email compromise (VEC) occurs when a fraudster gains access to the email account of a trusted vendor, via account takeover fraud. They then use that access to pose as the vendor and trick companies into taking certain actions, almost always involving transferring money.

Vendor email compromise is related to business email compromise (BEC) and comes under the banner of B2B (Business to Business) fraud, which has grown significantly in popularity over recent years. The FBI has stated that businesses lost $43 billion to BEC in the six years to 2022, with losses growing every year.

VEC can involve sophisticated tactics. Fraudsters often dedicate significant time and resources to researching their targets, including their clients and contacts. And these are not unfocused attacks: Cybercriminals put great effort into learning about how businesses operate, focusing on things like when they place orders, who staff members usually communicate with, and when invoices are usually sent out.

They use that information to send out convincing communications, which may even be carefully timed to maximize their chance of a successful payoff.

Vendor email compromise targets companies of all sizes. VEC attacks often originate from basic social engineering scams. Employees can be tricked into revealing login details, which leads to their email accounts being compromised. From there, fraudsters can take their time and gather intelligence to perpetuate their attack before launching it.

What is the Difference Between Vendor Email Compromise (VEC) and Business Email Compromise (BEC)?

VEC and BEC are very similar. Technically speaking, vendor email compromise is a form of business email compromise.

The key difference boils down to the target. Vendor email compromise targets access to one or more vendors’ email accounts, and in turn uses that access to target the clients and contacts of their chosen vendor. For example, a fraudster might compromise the email account of a hardware supplier, then send out fake invoices to that supplier’s regular customers.

Business email compromise usually targets the business itself. CEO fraud is an example of this: Such fraud may involve, for instance, a fraudster who gains access to (or spoofs) the email address of a CEO, before emailing the organization’s finance staff and ordering them to make “urgent” payments.

How Do Vendor Email Compromise Attacks Work?

Here’s a step-by-step example of how a vendor email compromise attack can work:

1. The fraudster sets out to gain access to one or more vendor email accounts. They use various methods to do this. They may use social engineering and phishing attacks, lead staff to malicious websites and fake login pages, use malware, or even purchase login details on the dark web.

2. Once they have access to the account(s), they will usually take the time to gather intelligence. Access to the live account allows them to build a picture of how the business works – i.e. who the regular clients are, when they order, when they usually pay, how they communicate, and so on. Cybercriminals may even study how people usually phrase their emails, in order to make their own malicious emails more convincing.

3. After gathering intelligence, the fraudsters will launch their attack. For example, they may wait until the day that invoices are usually sent out, then start emailing fake invoices with their own bank details in place of the vendor’s genuine details.

4. If the attack goes undetected, fraudsters will usually continue or scale up their efforts – targeting a wider range of the vendor’s customers or even aiming for larger financial payoffs.

The Lifecycle of a VEC Attack

Broadly, the lifecycle of a VEC attack includes five stages:

• Attempting access: The fraudster attempts to gain login details to compromise an account.
• Setting up: The fraudster gains initial access to the targeted account(s), then takes the necessary steps to maintain access and remain undetected (such as setting up automatic email forwarding so they can receive the target’s emails even after they log out, using virtual private networks, and so on).
• Intelligence gathering: The fraudster uses access to the email account to learn all they can about the vendor’s business, allowing them to build a plan to launch a convincing and successful attack.
• Initial attack: The fraudster makes their first attempt to profit from the VEC attack, usually involving requesting money from the vendor’s customers, sending out fake invoices, or altering bank details to reroute funds. They may also attempt to carry out identity theft or intellectual property theft.
• Refining and repeating: If the initial attack was successful, the fraudster performs subsequent attacks while they remain. If the victim notices and locks the fraudster out, they may escalate or broaden their attacks.

Why Are Vendor Email Compromise Attacks Often Successful?

Vendor email compromise attacks are often successful because victims have no idea they’ve been hit until money has left their accounts. Fraudsters specifically design attacks in such a way that companies don’t know they are taking place.

Fraudsters also have to do very little to gain access to an email account in the first place. It can often require no more than a successful phishing attempt. These are easy to carry out at scale, with the fraudsters then homing in on companies to which they have gained one or more forms of account access.

Another reason why VEC attacks are often successful is that fraudsters can simply move on to their next target once a vendor detects them and locks them out of their system. After all, detection doesn’t mean they are “caught”.

What Happens if You Are a Victim of VEC?

If you are the victim of a VEC attack, you will often first learn of it when customers get in touch to query unusual invoices or payment requests. These attacks can cause both reputational damage and serious disputes with trusted partners.

Say, for example, that a customer has been successfully targeted with a fake invoice or a “genuine” invoice with amended payment details. There is then a dual problem: Your customer believes that they have paid you for goods and services, but the fraudster has the money instead of your business. You are out of pocket, and so is your customer.

At this point, you also don’t know how many other customers the same cybercriminal may have targeted.

VEC attacks can lead to a significant clean-up operation, which can include legal investigations, technical work (to track down the email compromise and lock out the attacker), and possible claims on cyber insurance policies.

How to Protect Your Business from VEC Attacks

You can protect your business from vendor email compromise attacks using email lookup, cyber awareness training, technical measures, and partner communication. Let’s take a look at all four of these.

Email Lookup

By running one or more searches via an email lookup on a sender’s email address, you should be able to find out if the sender is using the real domain of the company they claim to be contacting you from, as well as whether the email address has been marked on a spam register. There are also many other benefits that email lookup tools offer, many of which are especially useful in combating VECs.

Cyber Awareness Training

The vast majority of cyberattacks originate from human error. User education around cyber awareness is therefore often the most important thing to focus on. If a fraudster is not given the chance to gain access to a user’s email account in the first place, this prevents a VEC attack from being able to happen.

Technical Measures

There are many technical precautions that IT departments can take to reduce the risk of VEC attacks. On a simple level, multi-factor authentication (MFA) can prevent fraudsters from breaking into email accounts with only a compromised username and password.

More sophisticated options also exist, such as security systems that detect anomalies in the frequency and style of emails being sent out, or technologies that monitor system logins.

Partner Communication

Awareness-building can happen beyond internal teams. For example, educating customers that they will never be asked, via email, to make payments to different bank accounts may thwart a fraudster when they first launch an attack.

All in all, the best way to protect your business from vendor email compromise attacks is to prepare your staff, your partners, and your equipment with the best possible preventative measures.

Related Terms

Related Articles