Financial Services Organizations Experience 137% Increase in Vendor Email Compromise in 2023

Financial services organizations saw rising invoice fraud and business email compromise in 2023. Discover the stats and how to protect financial enterprises.
January 17, 2024

The financial services industry is a prime target for cybercriminals, and it’s easy to understand why. The industry handles a wide array of sensitive personal and financial information that hackers love to get their hands on. This makes organizations within the financial services sector particularly susceptible to cyberattacks, including socially engineered email attacks.

If last year is any indication, security leaders will need to continue to be hyper-vigilant about these kinds of attacks in 2024. According to Abnormal data, the financial services industry receives approximately 200 advanced attacks per 1,000 mailboxes each week—making it one of the most attacked industries tracked.

[Chart: weekly advanced email attacks per 1,000 mailboxes, financial services, 2023]

While the weekly average is a solid 200 attacks, peaks occurred in late January with 258 weekly attacks, in late September with 282 attacks, and in mid-December with 272 attacks. While cyberattacks generally tend to move in cycles, security leaders in this space will need to be prepared to manage continuous waves of email attacks all throughout the year.

Vendor Email Compromise Attacks Increased by 137% in 2023

Vendor email compromise or VEC occurs when threat actors impersonate a business provider (such as a supplier or vendor) in hopes of stealing money from that vendor’s customers—often through billing account updates or invoice fraud. Some threat actors create spoofed email accounts while others leverage compromised vendor email accounts to request these financial transfers—a tactic that is much harder to detect given the account's legitimacy.

If an employee is successfully deceived by these attacks, organizations stand to lose thousands of dollars. In fact, Abnormal has seen VEC attacks targeting millions of dollars, and even up to $36 million in one case.

Below is an example of one such attack: a $1.4M AUD VEC attack against an Australian financial holding company providing engineering and construction services. In this attack, the threat actor reuses previous communication patterns and legitimate invoices so that the fraudulent request blends in with normal business. We can see this in the first, legitimate email, in which the Finance Business Partner at the vendor sends an invoice to the financial holding company.

[Image: first, legitimate invoice email from the vendor’s Finance Business Partner]

The second page of the attached invoice, shown below, contains the banking account information for this payment request.

[Image: second page of the legitimate invoice, showing the vendor’s banking details]

While this email is legitimate, a similar email is sent a week later to the same recipients—and this time, the account has been compromised. In this email, the Finance Business Partner provides an identical invoice for $1.4M AUD, equivalent to $940,000 USD. However, in this second email, they note that the banking details have been updated and ask when the invoice will be processed for payment.

[Image: second email, sent from the compromised account, noting “updated” banking details]

While the threat actor copied the same individuals from the vendor organization as in the first email, they made a slight change. If you look closely, the domain they used for these cc’ed email addresses was a lookalike (subtly adding one additional letter) that was created and registered just 8 days before the attack was launched. By doing so, they can reply from the lookalike domain—drastically reducing the likelihood of being caught lurking in the vendor account.

In this attachment, the information is identical except for the second page, which shows different banking details.

[Image: second page of the fraudulent invoice, showing the altered banking details]

As you can see, this is nearly impossible to detect by both legacy email security systems and the human eye. With the email attack sent from a legitimate account with prior conversation history, no suspicious links or malware-laden attachments, and only the change in banking information to indicate an attack, there are very few indicators to show that this is an attack rather than a legitimate banking account update request.
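The few signals that do exist in this attack (a cc domain one letter away from the vendor’s, a domain registered days before the email, and an invoice identical to the previous one apart from the bank account) can still be checked mechanically. The following is an added illustration, not Abnormal’s detector or any code from the post; the vendor addresses, dates and account numbers are constructed placeholders, and the domain registration dates are assumed to come from a WHOIS/RDAP lookup done elsewhere.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class InvoiceMail:
    """One vendor invoice email, reduced to the fields the checks need."""
    sender: str
    cc: list[str]
    bank_account: str
    amount: float
    sent: date
    body: str = ""

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike that inserts one letter scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def vec_indicators(prior: InvoiceMail, current: InvoiceMail,
                   registered: dict[str, date], young_days: int = 30) -> list[str]:
    """Compare a new invoice mail with the last trusted one from the same vendor.
    `registered` maps domain -> registration date (WHOIS/RDAP result, assumed)."""
    flags: list[str] = []
    known = {domain(a) for a in [prior.sender, *prior.cc]}
    for addr in [current.sender, *current.cc]:
        d = domain(addr)
        if d in known:
            continue  # same domains as the trusted thread
        near = [k for k in known if edit_distance(d, k) == 1]
        if near:
            flags.append(f"lookalike domain {d} (1 edit from {near[0]})")
        age = (current.sent - registered[d]).days if d in registered else None
        if age is not None and age <= young_days:
            flags.append(f"domain {d} registered {age} days before this email")
    if current.bank_account != prior.bank_account:
        flags.append("bank account differs from prior invoice")
        if abs(current.amount - prior.amount) < 0.01:
            flags.append("same amount as prior invoice but new bank details")
    if "bank" in current.body.lower() and "details" in current.body.lower():
        flags.append("body announces changed banking details")
    return flags

# Constructed sample modelled on the post's walkthrough (placeholder data, not the real case).
PRIOR = InvoiceMail("finance@example-vendor.com", ["ap@example-vendor.com"],
                    "BSB 000-000 ACC 11111111", 1_400_000.00, date(2023, 5, 1))
CURRENT = InvoiceMail("finance@example-vendor.com", ["ap@example-vendors.com"],
                      "BSB 000-000 ACC 22222222", 1_400_000.00, date(2023, 5, 8),
                      "Our banking details have been updated. When will this be processed?")
REGISTERED = {"example-vendors.com": date(2023, 4, 30)}  # 8 days before the mail

def demo() -> list[str]:
    return vec_indicators(PRIOR, CURRENT, REGISTERED)
```

Running `demo()` on the constructed sample returns five indicators; the same check against the prior email alone returns none, which is the point: the signal lives in the difference between the two messages, not in either one by itself.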

With such high price tags, it’s concerning that VEC attacks against financial services are on the rise—especially when you consider just how important customer trust is for this industry. Trust and reputation are bedrock principles for financial services organizations, perhaps more so than any other industry.

Invoice payment fraud rose 137.5% in 2023, with 0.57 weekly attacks per 1,000 mailboxes. The frequency of these attacks spiked in February, reaching an all-time high of 1.9 attacks per 1,000 mailboxes. Interestingly, the rate of these attacks eased over the late spring and summer before picking up again in late September and October.

[Chart: weekly VEC / invoice payment fraud attacks per 1,000 mailboxes, financial services, 2023]

71% Increase in BEC Attacks Against the Financial Services Industry

Business email compromise or BEC attacks are also on the rise among financial services organizations. In these attacks, cybercriminals impersonate executives or employees and send seemingly authentic payroll requests or banking account updates. Because these attacks employ social engineering rather than malicious links or attachments, BEC attacks—like VEC threats—easily circumvent detection by traditional security tools.

Unfortunately, employees aren’t a reliable line of defense against BEC either. The median open rate for text-based BEC is nearly 28%, and of the malicious emails read, an average of 15% are replied to by an employee.

Organizations in the financial services industry saw an average of 0.94 weekly BEC attacks per 1,000 mailboxes in 2023, representing a 70.9% increase over the previous year. Following a dip in attacks over the holidays, the rate of BEC attacks accelerated in January through March with an average of 1.5 weekly attacks per 1,000 mailboxes.

[Chart: weekly BEC attacks per 1,000 mailboxes, financial services, 2023]

Further, the average weekly probability of BEC attacks against organizations in the financial services industry was 74% in 2023—representing an 11% increase over the previous year.

Defending Financial Services Organizations Against Sophisticated Email-Based Attacks

If these trends continue, organizations in the financial services industry should prepare for an increasing frequency of email-based attacks that target human fallibility. While VEC, BEC, and scams can often circumvent traditional security solutions, organizations are meeting the challenge of sophisticated email attacks head-on by adopting modern cloud email security.

Abnormal Security leverages artificial intelligence and machine learning to understand good behaviors and create a baseline of trustworthy activities. From here, Abnormal can detect anomalous activity and block invoice and payment fraud, business email compromise, scams, and other threats before they reach employees’ inboxes.

See other trends impacting financial services in our latest email threat report, Applications Abound: Average Organization Now Integrates 379 Third-Party Applications with Email.
