The Rising Threat of Vendor Email Compromise: Webinar Recap

March 26, 2021

Last week, Abnormal Security participated in the Information Security Media Group (ISMG) webinar titled The Rising Threat of Vendor Email Compromise in a Post-SolarWinds Era. You can access the full script below.

The Vendor Email Compromise Rundown

Roman Tobe of Abnormal Security reports on the advancement of business email compromise (VEC) and vendor email compromise (VEC) attacks and covers why they continue to bypass traditional email security gateways. These attacks are similar to the techniques used in the SolarWinds breach, which shook the cybersecurity industry in a profound way and opened the world’s eyes to supply chain attacks.

Throughout the webinar, Abnormal highlights key findings from the latest vendor email compromise research, including:

  • Companies have a 50% chance of getting hit with a VEC attack at least once in Q4 2020, up from 40.2% in Q3 2020
  • The average cost of vendor email compromise attack is $183,000, depending on the goal of the attack
  • The maximum observed cost stopped by Abnormal Security is $1.6 million.

Viewers of the webinar heard the steps involved in a VEC attack, as well as a breakdown of a high-profile VEC attack caught in the wild.

To close, Abnormal discussed the launch of VendorBase—a global, federated database of vendor and customer behaviors designed to stop supply chain compromise. VendorBase automates the process of identifying known risks in your supply chain and removes the manual burden of remediating and investigating VEC attacks from compromised vendors—improving the detection accuracy of advanced social engineering attacks.

You can read the full webinar transcript of the webinar below.

Thank you for joining us. We are going to talk about the rising rhreat of vendor email compromise today. If that term is new to you or you haven’t heard of it before, by the end of this session you’ll be an expert on what it is because Abnormal Security is the industry leader in prevention and research on this topic.


Before we dive into vendor email compromise, I want to spend a minute or two talking about BEC, which you may have heard of but I want to make sure it’s well understood before we move on. BEC stands for business email compromise, and it is a type of email scam but I would also call it a superset of vendor email compromise crime.

You’ll find similar characteristics in BEC that you will in VEC. A common trait of BEC is it does not contain malware or malicious URLs, and due to that technique, it is able to bypass conventional email security measures like SEGs. BEC relies on implicit authenticity of business emails—meaning there’s some measure of impersonation or compromise going on. And because of that, it takes advantage of the victims' trust of the impersonated identity.

The losses from BEC are massive. $1.7B in 2019 alone.

SLIDE 1: Vendor Email Compromise Definition

In short, VEC is a type of cyber attack where a criminal gains access to an email account with the intent to disrupt the supply chain by stealing money.

The reason why VEC is such a big problem is because this type of attack has a much greater probability of success than other attacks. Because the criminal gains access to a vendor’s email account, the communications are trusted. Conversely, these attacks are some of the more difficult to spot, as less than one in ten million emails represents an advanced email attack.

SLIDE 1a: Why Is VEC So Dangerous?

When a vendor email account is compromised, the attacker creates socially engineered attacks from trusted domains that have already been emailing into your organization without any issues. Typically, the attackers, when they do have access to an account, do not raise any flags when they start communicating with the target. Their initial emails do not contain a payload, there’s no malware or malicious URLs, nor do the attacks themselves originate from bad domains that are on threat intelligence lists or domains to reject at the gateway. This is all intended to bypass any red flags that could be spotted by a secure email gateway.

SLIDE 1b: Solarwinds: Started as a VEC Attack

Many of us on the call are familiar with SolarWinds or have some understanding of the attack. The historic attack on SolarWinds shook the cybersecurity industry in a profound way and opened the world’s eyes to supply chain attacks. Nearly two months after public disclosure, we now know that it was a high-profile example of a vendor email compromise attack.

SolarWinds stated that an “email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles.” The attack went undetected by its email security defenses for at least nine months, according to the Wall Street Journal.

SLIDE 2: Vendor Email Compromise Names

If the name does not look familiar, it may be because you’re calling it by a different name. VEC can go by vendor email compromise, supply chain fraud, invoice fraud, payment fraud, invoice origination fraud, fake vendors, and others.

SLIDE 2a: Rising Threat of Vendor Email Compromise

Recently, Abnormal Security put a spotlight on trends in VEC in our Q1 2021 Threat Research Report The Rising Threat of Vendor Email Compromise in a Post-SolarWinds Era. In the report, Abnormal went in-depth into the world of vendor email compromise (VEC) and outlined the rate of acceleration, as well as the financial threat these attacks pose to businesses without proper controls in place. Some of the key takeaways are mentioned above.

SLIDE 3: Five Steps of VEC

There are 5 steps in a VEC attack:

  1. The first step is reconnaissance. Here, the attacker picks their target intentionally. They perform online research and even send out recon emails to test which email address is valid.
  2. Step two is the compromise. Potentially done through buying credentials on the darknet, through sending credential phishing emails or finding which vendor accounts have MFA vulnerabilities, However it happens, a VEC attack is not possible without compromising the account and gaining access.
  3. Step three is to wait. This step is optional. Once the attacker is in the account, they may wait for a conversation related to payments to naturally occur. In less patient situations, the attacker might skip this step and force the issue by initiating a banking change.
  4. Step four is the strike. The attack is underway in earnest when the criminal engages with the accounts payable team and asks for banking changes to existing or new invoices. In order for the heist to succeed, the attacker must redirect existing banking information from the real vendor to their accounts. This is a hallmark of the VEC attack. Depending on the situation, criminals may not increase commonly found invoice amounts.
  5. Step five is a redirect. This is also an optional step. When a conversation is underway, it’s common for the attacker to fork the conversation to a lookalike vendor domain to keep the conversation further away from the real vendor and their SOC team. This happens via a mail rule change, where the reply-to address changes to the lookalike domain. A redirect is not a hard and fast rule but does happen.

SLIDE 4: A Real-World Example

The following example begins at step four and takes place over the span of a few hours on a Monday morning.

SLIDE 5: Email #1

In the initial email, the attacker explains the vendor’s bank is being audited and as a result, all payments need to go to an alternate account via ACH.

SLIDE 6: Email #1 Response

There is initial success as the company responds back. However, instead of processing the request, the employee points out there are thousands of invoices and asks for specifics.

SLIDE 7: Email #2

Going for the maximum score, the attacker asks for all outstanding invoices. By asking for all invoices, the attacker has potentially triggered suspicion from the company’s AP department.

SLIDE 8: Email #2 Response

Little did the attacker know, but the compromised vendor has thousands of invoices with the company, and now the employee asks the attacker for copies of which invoices are open.

SLIDE 9: Email #3

The attacker responds back with 8 real invoice numbers totaling $921,000. Since the attacker has access to the vendor's files, and possibly cloud collaboration accounts as well, they are able to reply back with real information.

SLIDE 10: Email #3 Response

The company does not immediately reply to this email.

SLIDE 11: Email #4

Sensing something may be wrong, the attacker follows up just an hour later to their own email. They started a new email thread with the same subject line and invoice information. It’s common for a VEC attacker to show high urgency and aggressiveness when committing fraud. Their intention is to get away with the heist as soon as possible to avoid getting caught.

SLIDE 12: Email #4 Response

Not quite convinced, the company employee asks for the actual invoice attachments.

SLIDE 13: Email #5

As mentioned earlier, by having access to the victims account, the attacker is able to send over real invoice attachments.

SLIDE 14: How Abnormal Stops VEC

Despite the short timeframe in which these emails transpired and the fact that no malware or phishing links were in the emails, Abnormal detected the attack and prevented the invoice fraud from taking place. There were several signals that indicated this was a vendor email compromise attack.

SLIDE 15: Portal Walkthrough

Abnormal Security uses a combination of Identity, Behavior, and Content analysis models in order to flag attacks:

  • First, Identity Signals: The attack was flagged by our system for having an Unusual Sender.
    • Abnormal automatically learns the commonly used email addresses for all vendor and invoice-related communications.
    • This was flagged because we have never seen this particular email address having a relationship or talking with anyone in the targeted organization
  • Next, Behavioral Signals: Our models learn the vendor relationships.
    • It flagged the email due to never-before-seen communication from this IP or location.
    • The email IP address indicates the vendor email was sent from Nigeria, but the organization has never received an email from the vendor or this email address originating from Nigeria.
  • Next, Text Classification Signals: Our models are trained and run on all messages processed by Abnormal. This is a core pillar used to detect the intent of the message.
    • Our content detector is used to flag financial content and invoice-related conversations.
    • Our model flagged the attack for having suspicious financial content verbiage.

Also, our attachment processing capability extracts attributes, key phrases, and dollar amounts for models to process. In this case, Abnormal processes the attachments of the given emails and concludes the attachments have high monetary value of, in this case, $921,000.

SLIDE 15a: Deep Understanding of Your Organization

We baseline your organization across, and as mentioned, we use a combination of Identity, Behavior, and Content analysis and AI to understand your organization and learn the normal, good, and legitimate communications that happen between you and your partners and vendors.

SLIDE 16: 17 Days Later

Now, just because the attacker's takeover of the vendor's email account was stopped by Abnormal, that doesn’t deter the criminal from pursuing the organization.

SLIDE 17: The Follow-up Incident

Seventeen days later, our system detected the same attacker sending an email from a domain that was registered less than one month ago, targeting the same group of employees asking for a payment to be made via a wire transfer.

SLIDE 18: The Follow-Up Incident - Attachment

The attacker sent real invoices from the vendor. This follow-up attack was also flagged and stopped by Abnormal.

SLIDE 19: VendorBase Intro

In an effort to stop Vendor Email Compromise fraud, Abnormal recently launched VendorBase, a global, federated database of vendor and customer behaviors to stop supply chain compromise.

SLIDE 19: VendorBase

For enterprises with thousands of vendors in their supply chain, it’s a monumental challenge to have real-time insights into which ones are known risks to your organization. VendorBase automates this process and removes the manual burden of remediating and investigating VEC attacks from compromised vendors. VendorBase tracks the reputations of an organization’s vendors and customers, and improves detection and accuracy of advanced social engineering attacks. Benefits include:

  • No Configuration or Setup Required: Automatically classifies vendors and customers based on your email communication.
  • Continuous Reputation and Risk Scoring: Automatically computed vendor/customer risk score based on domains being impersonated or spoofed, accounts being compromised, or suspicious and/or illegitimate businesses.
  • Stop Attacks, Enable Remediation: Provides detailed views of all vendors, stops supply chain attacks from impersonated, spoofed, or compromised vendors

To learn more about how Abnormal uses VendorBase, request a demo today.

Blog ai algorithm
Developing a machine learning product for cybersecurity comes with unique challenges. For a bit of background, Abnormal Security’s products prevent email attacks—think credential phishing, business email compromise, and malware—and also...
Read More
Blog tall silver building
IRS email impersonations are widespread across all industries. These attacks vary in scale and victim, targeting both individuals and companies as a whole. This particular attack follows the growing trend of utilizing social engineering strategies for malicious engagement...
Read More

Related Posts

Blog hiring cybersecurity leaders
As with every equation, there are always two sides and while it can be easy to blame users when they fall victim to scams and attacks, we also need to examine how we build and staff security teams.
Read More
Cover automated ato
With an increase in threat actor attention toward compromising accounts, Abnormal is focused on protecting our customers from this potentially high-profile threat. We are pleased to announce that our new Automated Account Takeover (ATO) Remediation functionality is available.
Read More
Email spoofing cover
Email spoofing is a common form of phishing attack designed to make the recipient believe that the message originates from a trusted source. A spoofed email is more than just a nuisance—it’s a malicious communication that poses a significant security threat.
Read More
Cover cybersecurity month kickoff
It’s time to turn the page on the calendar, and we are finally in October—the one month of the year when the spooky becomes reality. October is a unique juncture in the year as most companies are making the mad dash to year-end...
Read More
Ices announcement cover
Abnormal ICES offers all-in-one email security, delivering a precise approach to combat the full spectrum of email-borne threats. Powered by behavioral AI technology and deeply integrated with Microsoft 365...
Read More
Account takeover cover
Account takeovers are one of the biggest threats facing organizations of all sizes. They happen when cybercriminals gain legitimate login credentials and then use those credentials to send more attacks, acting like the person...
Read More
Blog podcast green cover
Many companies aspire to be customer-centric, but few find a way to operationalize customer-centricity into their team’s culture. As a 3x SaaS startup founder, most recently at Orum, and a veteran of Facebook and Palantir, Ayush Sood...
Read More
Blog attack atlassian cover
Credential phishing links are most commonly sent by email, and they typically lead to a website that is designed to look like common applications—most notably Microsoft Office 365, Google, Amazon, or other well-known...
Read More
Blog podcast purple cover
Working at hyper-growth startups usually means that unreasonable expectations will be thrust on individuals and teams. Demanding timelines, goals, and expectations can lead to high pressure, stress, accountability, and ultimately, extraordinary growth and achievements.
Read More
Blog yellow skyline
No one wants to receive an email from human resources that they aren’t expecting. After all, that usually means bad news. And when we think there may be bad news, cybersecurity training tends to fall by the wayside. Threat actors know this, and they’re taking advantage of human emotions.
Read More
Blog rising building
There is little doubt that business email compromise and other advanced email threats are causing significant damage–both financial and reputational—to organizations worldwide. Because these never-before-seen attacks contain few indicators of compromise, they evade secure email gateways and other traditional email infrastructure...
Read More
Blog purple person outline
Identity theft is not a joke, impacting more than 14 million people each year in the United States alone. Over the course of their lifetime, nearly one-third of all people will become victims of identity theft—often as a result of a corporate data breach. Once attackers have access to identifying information like your full name, address, date of birth, and/or social security number...
Read More