Understanding the Basics of Financial Supply Chain Compromise

Unlike spam and simple phishing campaigns that relied on sending millions of emails with little targeting and no personalization, modern threats like business email compromise (BEC) are successful because they do the opposite.

In the nascency of BEC, threat actors would access or spoof the email accounts of chief executive officers to convince unsuspecting employees to send wire transfers to unauthorized locations. Combining a sense of urgency with the authority that a CEO commands, a well-crafted email was enough to convince even the most security-conscious employee to complete the request.

While the attacks started almost entirely as wire transfer requests, over time threat actors began requesting gift cards or access to sensitive information like PII through W-2 forms. In recent years, as employees became aware of the fact that their CEO is unlikely to email them with these requests, BEC attacks have evolved once more.

Now, threat actors are moving away from internal impersonation and instead focusing on impersonating third parties, giving rise to what we call financial supply chain compromise.

Cybercriminals are no longer reliant on impersonating top executives to run their scams. Instead, they are impersonating known (and even unknown) vendors to request that invoices be paid, billing account details be updated, or wire transfers be completed. And because the number of vendors working with a company is much, much higher than the number of CEOs within that same organization, the results are astounding.

Starting in January 2022, third-party impersonations overtook internal impersonations for the first time—and this trend continued each month since. Year over year, we've seen a 17% decrease in internal impersonations, and as of May 2022, threat actors are using the names and accounts of external vendors in 52% of all attacks.

This shift has had a profound impact on the entire cybercrime ecosystem, helping to keep BEC as the top cybercrime for the seventh year in a row. With benign attachments like invoices or purchase orders and without known malicious signatures to flag, financial supply chain compromise attacks are more likely to bypass legacy infrastructure and trick end users—causing organizations to lose millions.

Financial supply chain compromise uses external third-party impersonation to redirect the flow of funds exposed during the normal course of business. By exploiting the trust in the impersonated identity and the implicit authenticity of business email, these kinds of attacks can result in heavy losses for victims.

The vendor-customer dynamic has an inherent financial element built into it, and information about invoices, billing accounts, and upcoming payments is often shared via email. This means emails from vendors requesting payment for an overdue invoice or a change to bank account information are less likely to be flagged as suspicious.

Further, even the smallest businesses likely work with at least one vendor, and global companies can have contracts with hundreds, if not thousands, of distributors and suppliers. And while the average employee is at least somewhat familiar with the company’s executive team, they may have limited visibility into the organization’s entire vendor ecosystem—particularly in larger enterprises.

Taking all of these factors into consideration, it’s clear why threat actors have started impersonating external third parties with increasing frequency.

Much like traditional BEC attacks, a financial supply chain compromise attack requires the use of a trusted identity to run the scam. In these attacks, however, the person being impersonated is an external third party rather than an internal executive or another employee. This impersonation can be accomplished in two main ways.

Account Compromise

The most dangerous type of financial supply chain compromise occurs when an external email account is truly compromised, as it provides an opportunity for long-term surveillance and the hijacking of ongoing conversations.

Upon gaining credentials to an external mailbox, most attackers will determine which customers are active and identify ongoing payment cycles or outstanding invoices. Fraudsters then exploit that knowledge to impersonate a vendor and insert themselves into an email conversation about a financial transaction—sometimes using an email sent from the compromised account itself.

After the threat actor has access, they manipulate mailbox rules to prevent its owner from becoming aware of both the intrusion and the correspondence with his or her regular contacts. By doing so, they can keep access to the account, sometimes for months.

Account Mimicking

Aside from gaining direct access to an account, attackers can mimic a third party using email spoofing and lookalike domains.

In an email that uses a spoofed address, the attacker sets the sender's email address to appear as if it’s coming directly from a trusted source. The trick is that the attacker creates a separate reply-to address, so when a recipient replies to the email, it gets sent to the attacker’s account rather than the spoofed account.

Email spoofing takes advantage of the lack of built-in authentication within the email protocol and it requires shockingly little technical knowledge to perform. To combat email spoofing attacks, many organizations have implemented DMARC policies that help verify an email’s authenticity.

The next best thing to a spoofed email address is a carefully selected lookalike domain. With a lookalike domain, the goal is to register a new domain containing a subtle or common misspelling so that the target overlooks the error. Here are some examples:

• Changing characters to other similar-looking characters, like twltter[.]com or go0gle[.]com

• Adding additional characters after two repeated characters, such as faceboook[.]com or applle[.]com

• Adding additional location-related or company-related characters, like amazonsellerservices[.]com or microsoft-usa[.]com

• Using a different top-level domain or embedded hostname, such as instagram[.]online or walmart.com.shopping[.]com

The threat actor then creates email addresses on the lookalike domain, and because the URL looks so similar to the real website domain, targets often do not realize that they are speaking with a scammer. While account mimicking doesn’t provide an attacker with the same breadth of internal visibility as a compromised account, it still allows the actor to convincingly imitate a third party and increases the likelihood for success.

The decision of cybercriminals to move away from internal impersonation and instead focus on impersonating third parties represents a substantial evolution in the business email compromise threat landscape. Failing to recognize and mitigate this new threat can be costly: the average invoice fraud attack costs $183,000, and the largest financial supply chain compromise attack stopped by Abnormal included a fake invoice for over $2.1 million.

To prevent employees from falling victim to these sophisticated email attacks, be proactive about protection and take advantage of innovative technologies to reduce your organization’s risk.

For even more insight into how threat actors launch financial supply chain compromise attacks and how to protect your organization, download our latest threat report.