Manufacturing Sector at Risk: Industry Faces Wave of Advanced Email Attacks
The manufacturing industry is a cornerstone of the U.S. economy and essential to our nation’s job growth, innovation, and competitiveness in the global market. However, as manufacturing organizations have modernized operations and increased their reliance on digital technologies, they’ve also become a prime target for cybercrime.
In August 2023, Clorox disclosed via an SEC filing that it had detected “unauthorized activity on some of its IT systems,” requiring the company to take multiple systems offline. Speculated to have been a ransomware attack, the incident forced production slowdowns and created widespread product shortages. By November, the cleaning product manufacturer had incurred $49 million in recovery costs related to the attack and reported a staggering 20% decline in net sales—translating to $356 million in losses.
Between September 2023 and September 2024, phishing, business email compromise, and vendor email compromise attacks on manufacturers increased significantly. As we prepare for the year ahead, it’s critical for manufacturing organizations to understand the threats targeting their industry and strengthen their defenses.
Why Do Cybercriminals Target Manufacturers?
While organizations in every industry are potential targets for email attacks, some sectors, like manufacturing, are especially attractive to threat actors.
Manufacturing companies rely on a complex network of vendors, suppliers, and service providers. A complicated supply chain, combined with organizations’ intricate and intertwined digital systems, creates broad attack surfaces with seemingly endless entry points to exploit.
Plus, manufacturers store an enticing amount of financial data and other sensitive information that criminals can sell across the dark web, hold for ransom, or use to gain an even stronger foothold within an organization’s digital infrastructure.
Also, because manufacturing is a heavily regulated industry, companies are beholden to compliance requirements that may require them to use outdated security systems or follow policies that inadvertently expose the business to emerging threats.
Finally, as demonstrated by the Clorox attack, operational disruptions can be outrageously costly and have long-term consequences. Threat actors recognize that larger enterprises are highly motivated to resolve incidents as quickly as possible—a fact they can leverage for large ransom payments.
Phishing Attacks on Manufacturing Industry Rise More Than 80%
Phishing attacks targeting the manufacturing industry have trended upward over the past year, with the median number of monthly attacks growing nearly 83% between September 2023 and September 2024.
According to the FBI Internet Crime Complaint Center (FBI IC3), although the number of reported phishing attacks has declined slightly since 2021, phishing remains the leading type of internet crime. Moreover, it’s frequently used as the first move in a much larger strategy—often to access login credentials that can be used to compromise accounts and launch additional attacks.
An email account serves as the central access point for nearly every tool a typical employee requires to do their job. The workforce relies on email to sign into applications, connect business accounts, and reset passwords. Consequently, if a threat actor obtains login credentials through a phishing attack, they can exploit this access to infiltrate the employee’s email account and, by extension, compromise virtually all other accounts within the organization’s application ecosystem.
What’s especially troubling about modern phishing attacks is that they lack the characteristics most people have come to associate with phishing messages, like poor spelling and grammar or odd syntax. Using easily accessible resources, cybercriminals can craft polished, error-free messages that slip past traditional security tools and fail to arouse employee suspicion.
Business Email Compromise Attacks Targeting Manufacturers Increase 56%
In business email compromise attacks, threat actors masquerade as trusted parties—usually someone with whom their target has a trusted relationship (like a coworker) or someone in a position of authority (such as a manager or senior executive).
They start by carefully researching targets and monitoring their communication patterns. Then, using either a spoofed email address or a legitimate account they’ve hacked, cybercriminals employ social engineering tactics to convince their target to share confidential information or complete a fraudulent financial transaction.
Often, attackers use time pressure to drive victims to act quickly (before they second-guess the request). For example, they may ask a target to promptly send over sensitive data like tax information or wire funds as part of a high-stakes transaction, such as a merger or acquisition.
It’s no wonder, then, that the manufacturing industry saw a 56% year-over-year increase in BEC attacks. In a sector that has a high reliance on outdated systems and a low tolerance for downtime, not only are employees more likely to see malicious emails in their inboxes but they’re also more likely to fulfill requests quickly so as not to be the reason operations are disrupted—two factors that attackers are more than happy to exploit.
In August 2024, Orion, a leading global producer of carbon black, reported in an SEC filing that a non-executive employee had been deceived into completing a series of fraudulent wire transfers. While the company declined to comment on the specifics of the incident, based on the wording in the filing, there’s a high probability the attack was either business email compromise or vendor email compromise. Whether the threat actors impersonated an internal contact or a trusted partner, their efforts were alarmingly successful, as they walked away with $60 million in stolen funds.
24% Growth in Vendor Email Compromise Attacks on Manufacturers
Between September 2023 and September 2024, the number of vendor email compromise (VEC) attacks on manufacturers increased by 24%.
Similar to BEC attacks, VEC involves the impersonation of known and trusted individuals. The key difference is that the threat actor poses as an external third party rather than an internal employee. After accessing a vendor’s email account, the attacker deceives their target into paying phony invoices, updating bank details for future transactions, or initiating fraudulent wire transfers.
VEC may account for a smaller percentage of overall advanced email attacks, but the impact can be devastating. And the challenge is that, when executed correctly, a VEC attack can be nearly indistinguishable from a legitimate vendor request.
First, the nature of the vendor-client relationship is inherently financial and is often managed primarily via email. Thus, discussions and inquiries about invoices, billing details, and payment schedules commonly occur in the inbox. As a result, emails that appear to be from vendors asking for payment on past-due invoices or requesting updates to bank account information may not raise any initial red flags for employees.
Additionally, even smaller businesses typically partner with at least one vendor, while larger, global organizations often manage contracts with hundreds or even thousands of suppliers and distributors—each offering a potential trusted identity for attackers to exploit.
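The BEC and VEC traits described above (an executive's name on an outside address, a near-miss vendor domain, a diverted reply path, payment or bank-detail requests under time pressure) can be expressed as triage checks. The following is an added example, not code from the article or from any vendor's product; the domains, names, keyword lists and the 0.85 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data (assumptions for this example, not from the article).
INTERNAL_DOMAIN = "example-mfg.test"
VENDOR_DOMAINS = {"acme-supply.test"}
EXECUTIVES = {"dana whitfield"}
PAYMENT = re.compile(r"\b(wire|invoice|bank (account|details)|routing number|remit)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|past[- ]due|confidential)\b", re.I)

def lookalike(domain):
    """Return the known vendor domain that `domain` closely imitates, else None."""
    for known in VENDOR_DOMAINS:
        if domain != known and SequenceMatcher(None, domain, known).ratio() >= 0.85:
            return known
    return None

def bec_vec_flags(raw):
    """Return the BEC/VEC indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    flags = []
    if name.lower() in EXECUTIVES and from_dom != INTERNAL_DOMAIN:
        flags.append("exec-name-external-sender")   # internal name, outside address
    if lookalike(from_dom):
        flags.append("vendor-lookalike-domain")     # near-miss of a known vendor
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")           # replies diverted elsewhere
    if PAYMENT.search(body):
        flags.append("payment-request")
        if URGENCY.search(body):
            flags.append("urgency")                 # time pressure on a money request
    return flags

# Constructed sample messages.
SPOOFED_EXEC = ('From: "Dana Whitfield" <dana.whitfield@mail-relay.test>\n'
                'Reply-To: dw.office@freemail.test\nSubject: Deal\n\n'
                'Wire the deposit today. Keep this confidential until the deal closes.')
LOOKALIKE_VENDOR = ('From: "Acme Supply AR" <billing@acme-suply.test>\nSubject: Invoice\n\n'
                    'Our bank details have changed. Please remit the past-due invoice.')
COMPROMISED_VENDOR = ('From: "Acme Supply AR" <billing@acme-supply.test>\nSubject: Update\n\n'
                      'Please update our bank account on file before the next payment run.')

if __name__ == "__main__":
    for sample in (SPOOFED_EXEC, LOOKALIKE_VENDOR, COMPROMISED_VENDOR):
        print(bec_vec_flags(sample))
```

The third sample, sent from the vendor's real domain, raises only the content flag, which is why a request to change bank details should be confirmed through a contact channel already on file rather than by replying to the email.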
Protecting Manufacturing Organizations from Advanced Email Attacks
Although manufacturing security leaders have helped workforces grow their knowledge of email threats, cybercriminals have evolved their strategies to undermine employee awareness training. Thanks to a proliferation of generative AI tools that help attackers create genuine-looking emails and near-perfect impersonations, it’s become almost impossible for humans or secure email gateways (SEGs) to detect advanced email attacks.
To protect against AI-powered attacks, you need an AI-powered solution. Abnormal’s AI-native, API-based email security solution utilizes behavioral data to understand the behavior, communications, and processes of every employee and vendor across the entire organization. Then, it uses computer vision and natural language processing (NLP) to examine email content and identify anomalous activity, enabling it to detect and block threats before end users have the opportunity to engage—protecting manufacturers from potentially catastrophic consequences.