Financial Services Organizations Experience 137% Increase in Vendor Email Compromise in 2023

Financial services organizations saw rising invoice fraud and business email compromise in 2023. Discover the stats and how to protect financial enterprises.
January 17, 2024

The financial services industry is a prime target for cybercriminals, and it’s easy to understand why. The industry handles a wide array of sensitive personal and financial information that hackers love to get their hands on. This makes organizations within the financial services sector particularly susceptible to cyberattacks, including socially-engineered email attacks.

If last year is any indication, security leaders will need to continue to be hyper-vigilant about these kinds of attacks in 2024. According to Abnormal data, the financial services industry receives approximately 200 advanced attacks per 1,000 mailboxes each week—making it one of the most attacked industries tracked.

Fin Serv BEC Blog Advanced Attacks

While the weekly average is a solid 200 attacks, peaks occurred in late January with 258 weekly attacks, in late September with 282 attacks, and in mid-December with 272 attacks. While cyberattacks generally tend to move in cycles, security leaders in this space will need to be prepared to manage continuous waves of email attacks all throughout the year.

Vendor Email Compromise Attacks Increased by 137% in 2023

Vendor email compromise or VEC occurs when threat actors impersonate a business provider (such as a supplier or vendor) in hopes of stealing money from that vendor’s customers—often through billing account updates or invoice fraud. Some threat actors create spoofed email accounts while others leverage compromised vendor email accounts to request these financial transfers—a tactic that is much harder to detect given the account's legitimacy.

If an employee is successfully deceived by these attacks, organizations stand to lose thousands of dollars. In fact, Abnormal has seen VEC attacks targeting millions of dollars, and even up to $36 million in one case.

Below is an example of one such attack: a $1.4M AUD VEC attack against an Australian financial holding company providing engineering and construction services. In this attack, the threat actor uses previous communication patterns and legitimate invoices to appear legitimate. We can see this through this first legitimate email, in which the Finance Business Partner at the vendor sends an invoice to the financial holding company.

Fin Serv BEC Blog Email Example 1 E

The second page of the attached invoice shown below shows the banking account information included as part of this request.

Fin Serv BEC Blog Invoice Example 1

While this email is legitimate, a similar email is sent a week later to the same recipients—and this time, the account has been compromised. In this email, the Finance Business Partner provides an identical invoice for $1.4M AUD, equivalent to $940,000 USD. However, in this second email, they note that the banking details have been updated and ask when the invoice will be processed for payment.

Fin Serv BEC Blog Email Example 2 E

While the threat actor copied the same individuals from the vendor organization as in the first email, they made a slight change. If you look closely, the domain they used for these cc’ed email addresses was a lookalike (subtly adding one additional letter) that was created and registered just 8 days before the attack was launched. By doing so, they can reply from the lookalike domain—drastically reducing the likelihood of being caught lurking in the vendor account.

In this attachment, the information is exactly the same, except for the second page which shows different banking details, as shown here.

Fin Serv BEC Blog Invoice Example 2

As you can see, this is nearly impossible to detect by both legacy email security systems and the human eye. With the email attack sent from a legitimate account with prior conversation history, no suspicious links or malware-laden attachments, and only the change in banking information to indicate an attack, there are very few indicators to show that this is an attack rather than a legitimate banking account update request.

With such high price tags, it’s concerning that VEC attacks against financial services are on the rise—especially when you consider just how important customer trust is for this industry. Trust and reputation are bedrock principles for financial services organizations, perhaps more so than any other industry.

Invoice payment fraud rose 137.5% in 2023, with 0.57 weekly attacks per 1,000 mailboxes. The frequency of these attacks spiked in February, reaching an all-time high of 1.9 attacks per 1,000 mailboxes. Interestingly, the rate of these attacks eased over the late spring and summer before picking up again in late September and October.

Fin Serv BEC Blog VEC Attacks

71% Increase in BEC Attacks Against the Financial Services Industry

Business email compromise or BEC attacks are also on the rise among financial services organizations. In these attacks, cybercriminals impersonate executives or employees and send seemingly authentic payroll requests or banking account updates. Because these attacks employ social engineering rather than malicious links or attachments, BEC attacks—like VEC threats—easily circumvent detection by traditional security tools.

Unfortunately, employees aren’t a reliable line of defense against BEC either. The median open rate for text-based BEC is nearly 28%, and of the malicious emails read, an average of 15% are replied to by an employee.

Organizations in the financial services industry saw an average of 0.94 weekly BEC attacks per 1,000 mailboxes in 2023, representing a 70.9% increase over the previous year. Following a dip in attacks over the holidays, the rate of BEC attacks accelerated in January through March with an average of 1.5 weekly attacks per 1,000 mailboxes.

Fin Serv BEC Blog BEC Attacks

Further, the average weekly probability of BEC attacks against organizations in the financial services industry was 74% in 2023—representing an 11% increase over the previous year.

Defending Financial Services Organizations Against Sophisticated Email-Based Attacks

If these trends continue, organizations in the financial services industry should prepare for the increasing frequency of email-based attacks targeting human fallibility. While VEC, BEC, and scams can often circumvent traditional security solutions, organizations are meeting the challenges presented by sophisticated email attacks head-on by adopting sophisticated cloud email security.

Abnormal Security leverages artificial intelligence and machine learning to understand good behaviors and create a baseline of trustworthy activities. From here, Abnormal can detect anomalous activity and block invoice and payment fraud, business email compromise, scams, and other threats before they reach employees’ inboxes.

See other trends impacting financial services in our latest email threat report, Applications Abound: Average Organization Now Integrates 379 Third-Party Applications with Email.

Download the Report
Financial Services Organizations Experience 137% Increase in Vendor Email Compromise in 2023

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Sans Recap 7 11 24
Discover trends among modern SOC teams, including misaligned budgets, increased automation, unsatisfactory AI tools, staffing issues, and more.
Read More
B State and Local Government Attack Trends
Advanced attacks targeting state and local governments are increasing. Discover what our research revealed about this alarming trend.
Read More
B Examining Employee Engagement with Email Attacks
Cybercriminals know that humans are your enterprise's biggest vulnerability and are successfully engaging with your employees at an alarming rate.
Read More
Explore how Abnormal’s AI Security Mailbox enhances cybersecurity by engaging and educating employees with personalized GenAI responses. Improve security awareness and streamline operations.
Read More
B Q2 2024 Attacks
In the second installment of our quarterly look-back at malicious emails, we examine 5 more recent noteworthy attacks detected and stopped by Abnormal.
Read More