
Understanding the Basics of Financial Supply Chain Compromise

Financial supply chain compromise, a subset of business email compromise (BEC), is on the rise. Learn how threat actors launch these sophisticated attacks.

July 7, 2022

Unlike spam and simple phishing campaigns that relied on sending millions of emails with little targeting and no personalization, modern threats like business email compromise (BEC) are successful because they do the opposite.

In the early days of BEC, threat actors would access or spoof the email accounts of chief executive officers to convince unsuspecting employees to send wire transfers to unauthorized locations. Combining a sense of urgency with the authority that a CEO commands, a well-crafted email was enough to convince even the most security-conscious employee to complete the request.

While the attacks started almost entirely as wire transfer requests, over time threat actors began requesting gift cards or access to sensitive information like PII through W-2 forms. In recent years, as employees became aware of the fact that their CEO is unlikely to email them with these requests, BEC attacks have evolved once more.

Now, threat actors are moving away from internal impersonation and instead focusing on impersonating third parties, giving rise to what we call financial supply chain compromise.

The Shift to Third-Party Impersonations

Cybercriminals are no longer reliant on impersonating top executives to run their scams. Instead, they are impersonating known (and even unknown) vendors to request that invoices be paid, billing account details be updated, or wire transfers be completed. And because the number of vendors working with a company is much, much higher than the number of CEOs within that same organization, the results are astounding.

Starting in January 2022, third-party impersonations overtook internal impersonations for the first time, and the trend has continued every month since. Year over year, we've seen a 17% decrease in internal impersonations, and as of May 2022, threat actors are using the names and accounts of external vendors in 52% of all attacks.

This shift has had a profound impact on the entire cybercrime ecosystem, helping to keep BEC as the top cybercrime for the seventh year in a row. With benign attachments like invoices or purchase orders and without known malicious signatures to flag, financial supply chain compromise attacks are more likely to bypass legacy infrastructure and trick end users—causing organizations to lose millions.

An Introduction to Financial Supply Chain Compromise

Financial supply chain compromise uses external third-party impersonation to redirect the flow of funds exposed during the normal course of business. By exploiting the trust in the impersonated identity and the implicit authenticity of business email, these kinds of attacks can result in heavy losses for victims.

The vendor-customer dynamic has an inherent financial element built into it, and information about invoices, billing accounts, and upcoming payments is often shared via email. This means emails from vendors requesting payment for an overdue invoice or a change to bank account information are less likely to be flagged as suspicious.

Further, even the smallest businesses likely work with at least one vendor, and global companies can have contracts with hundreds, if not thousands, of distributors and suppliers. And while the average employee is at least somewhat familiar with the company’s executive team, they may have limited visibility into the organization’s entire vendor ecosystem—particularly in larger enterprises.

Taking all of these factors into consideration, it’s clear why threat actors have started impersonating external third parties with increasing frequency.

How Attackers Impersonate Vendors

Much like traditional BEC attacks, a financial supply chain compromise attack requires the use of a trusted identity to run the scam. In these attacks, however, the person being impersonated is an external third party rather than an internal executive or another employee. This impersonation can be accomplished in two main ways.

Account Compromise

The most dangerous type of financial supply chain compromise occurs when an external email account is truly compromised, as it provides an opportunity for long-term surveillance and the hijacking of ongoing conversations.

Upon gaining credentials to an external mailbox, most attackers will determine which customers are active and identify ongoing payment cycles or outstanding invoices. Fraudsters then exploit that knowledge to impersonate a vendor and insert themselves into an email conversation about a financial transaction—sometimes using an email sent from the compromised account itself.

After the threat actor has access, they manipulate mailbox rules to hide both the intrusion and their correspondence with the account owner's regular contacts from the owner. By doing so, they can keep access to the account, sometimes for months.

Account Mimicking

Aside from gaining direct access to an account, attackers can mimic a third party using email spoofing and lookalike domains.

In an email that uses a spoofed address, the attacker sets the sender's email address to appear as if it’s coming directly from a trusted source. The trick is that the attacker creates a separate reply-to address, so when a recipient replies to the email, it gets sent to the attacker’s account rather than the spoofed account.

Email spoofing takes advantage of the lack of built-in sender authentication in the email protocol, and it requires shockingly little technical knowledge to perform. To combat email spoofing attacks, many organizations have implemented DMARC policies that help verify an email's authenticity.

The next best thing to a spoofed email address is a carefully selected lookalike domain. With a lookalike domain, the goal is to register a new domain containing a subtle or common misspelling so that the target overlooks the error. Here are some examples:

  • Changing characters to other similar-looking characters, like twltter[.]com or go0gle[.]com

  • Adding additional characters after two repeated characters, such as faceboook[.]com or applle[.]com

  • Adding additional location-related or company-related characters, like amazonsellerservices[.]com or microsoft-usa[.]com

  • Using a different top-level domain or embedded hostname, such as instagram[.]online or walmart.com.shopping[.]com

The threat actor then creates email addresses on the lookalike domain, and because the domain looks so similar to the real one, targets often do not realize that they are speaking with a scammer. While account mimicking doesn't provide an attacker with the same breadth of internal visibility as a compromised account, it still allows the actor to convincingly imitate a third party and increases the likelihood of success.
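As an added example (not part of the original post or Abnormal's product), the following Python check applies the four lookalike patterns listed above, plus the Reply-To mismatch described in the spoofing section, to an inbound vendor email. The vendor allowlist and header values are constructed for the example; a real deployment would load the organization's own approved vendor domains.

```python
import re
from email.utils import parseaddr

# Constructed vendor allowlist for this example (assumption, not real data).
TRUSTED_VENDORS = ["twitter.com", "google.com", "facebook.com", "apple.com",
                   "amazon.com", "microsoft.com", "instagram.com", "walmart.com"]

# Characters that are commonly swapped for similar-looking ones.
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e", "5": "s"})


def normalize(label: str) -> str:
    """Fold confusable characters and collapse repeated characters, so that
    twltter/twitter, go0gle/google and faceboook/facebook compare equal."""
    folded = label.lower().translate(CONFUSABLES)
    return re.sub(r"(.)\1+", r"\1", folded)


def classify_domain(domain: str, trusted=TRUSTED_VENDORS) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender domain."""
    labels = domain.lower().strip(".").split(".")
    registrable = ".".join(labels[-2:])  # simplification: no public-suffix list
    if registrable in trusted:
        return "trusted"
    # Every DNS label and every hyphen-separated piece of a label is a token,
    # which covers microsoft-usa, instagram.online and walmart.com.shopping.com.
    tokens = {normalize(piece) for label in labels for piece in label.split("-")}
    for vendor in trusted:
        name = normalize(vendor.split(".")[0])
        if len(name) >= 4 and any(name in tok for tok in tokens):
            return "lookalike"  # a signal for review, not a final verdict
    return "unrelated"


def reply_to_mismatch(headers: dict) -> bool:
    """True when Reply-To points at a different domain than From, the trick
    that lets a spoofed message route replies to the attacker's mailbox."""
    from_dom = parseaddr(headers.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(headers.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    return bool(reply_dom) and reply_dom != from_dom


def triage(headers: dict) -> list:
    """Collect the signals a reviewer would want on an inbound vendor email."""
    sender = parseaddr(headers.get("From", ""))[1]
    findings = []
    if classify_domain(sender.rpartition("@")[2]) == "lookalike":
        findings.append("lookalike vendor domain")
    if reply_to_mismatch(headers):
        findings.append("reply-to domain differs from sender")
    return findings
```

Because both sides are normalized the same way, the check also catches combinations of the patterns (for example a confusable swap inside an added-token domain), at the cost of occasional false positives on legitimate names that contain a vendor name.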

Protecting Your Organization Against Financial Supply Chain Compromise Attacks

The decision of cybercriminals to move away from internal impersonation and instead focus on impersonating third parties represents a substantial evolution in the business email compromise threat landscape. Failing to recognize and mitigate this new threat can be costly: the average invoice fraud attack costs $183,000, and the largest financial supply chain compromise attack stopped by Abnormal included a fake invoice for over $2.1 million.

To prevent employees from falling victim to these sophisticated email attacks, be proactive about protection and take advantage of innovative technologies to reduce your organization’s risk.

For even more insight into how threat actors launch financial supply chain compromise attacks and how to protect your organization, download our latest threat report.
