chat
expand_more

New Research Shows 67% Chance of Supply Chain Compromise Attack

The risk of supply chain compromise (also known as vendor email compromise or VEC) continues to increase. Our latest research uncovered some startling statistics about these attacks.
April 13, 2022

Despite being a relatively new attack type, supply chain compromise (sometimes referred to as vendor email compromise) already represents a significant security threat to organizations of all sizes.

During a supply chain compromise attack, a threat actor gains control of a vendor email account and then uses the compromised account to launch attacks on the vendor’s partners. While the attacks can take a variety of forms, the most common is invoice fraud, where the threat actor poses as the vendor and requests payment for a fraudulent invoice. These attacks can also be run through impersonation of vendor accounts—no initial compromise necessary.

As outlined in our H1 2022 Email Threat Report, the risk of supply chain compromise has steadily grown since Abnormal began tracking this attack type in 2020. And since these attacks are nearly impossible for the average employee to recognize, all organizations must take steps to secure their email from vendor fraud.

Supply Chain Compromise Risk Remains Steady

Supply chain compromise attacks are highly successful because they exploit trusted communications between vendors and customers through personalization and social engineering. Because they utilize compromised accounts, these attacks are extremely dangerous, particularly because the threat actor has access to past and ongoing conversations and can use that knowledge to trick recipients.

Since Abnormal began tracking supply chain compromise, the risk has continuously increased, at least until the last half of 2021 when it remained steady for the first time. That isn’t to say the threat should be discounted, as more than a quarter of all Abnormal customers were the target of at least one supply chain compromise attack each week.

Percentage of Customers Targeted with supply chain compromise Each Week

The data shows that nearly two-thirds of all organizations are likely to receive at least one attack over the course of the half. And with the average attack size remaining at $183,000, it isn’t a threat to be taken lightly.

Large Organizations Still Facing Highest Risk

Similar to what we’ve seen with other advanced email attacks, organizations with more employees are at the greatest risk of receiving an attack.

While likely a result of there being more employees to target, particularly within the finance department, some of this can also be attributed to the fact larger organizations often have more vendors who can become compromised. When it comes to the numbers game, cybercriminals often win.

Probability of receiving supply chain compromise by Org Size

Organizations with 50,000 or more employees receive an attack from their supply chain nearly every single week. In fact, businesses of this size have a 96.7% probability of receiving a supply chain compromise attack every seven days.

Even companies with more than 1,500 employees are likely to experience a supply chain compromise attack nearly two weeks out of every three. It’s only when looking at small businesses that there is a small amount of relief, with threat actors targeting organizations with employee counts below 500 only one week in every three.

Innovative Security Measures Are Essential

There is little doubt supply chain compromise is a financially damaging threat. By taking advantage of the trust organizations place in their vendors, the attacks can both deceive humans and bypass traditional email security tools that rely on threat intelligence.

Stopping these attacks requires implementing a solution that can detect and interpret the thousands of signals available through an API, and then block the emails that come from compromised accounts. It’s only by stopping supply chain compromise attacks from reaching inboxes we can truly prevent our employees from being tricked and ensure our organizations stay protected.

To learn more about supply chain compromise attacks, as well as see additional data on business email compromise and phone fraud, download our latest email threat report.

New Research Shows 67% Chance of Supply Chain Compromise Attack

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Dropbox Open Enrollment Attack Blog
Discover how Dropbox was exploited in a sophisticated phishing attack that leveraged AiTM tactics to steal credentials during the open enrollment period.
Read More
B AISOC
Discover how AI is transforming security operation centers by reducing noise, enhancing clarity, and empowering analysts with enriched data for faster threat detection and response.
Read More
B Microsoft Blog
Explore the latest cybersecurity insights from Microsoft’s 2024 Digital Defense Report. Discover next-gen security strategies, AI-driven defenses, and critical approaches to counter evolving threats and safeguard your organization.
Read More
B Osterman Blog
Explore five key insights from Osterman Research on how AI-driven tools are revolutionizing defensive cybersecurity by enhancing threat detection, boosting security team efficiency, and countering sophisticated cyberattacks.
Read More
B AI Native Vendors
Explore how AI-native security like Abnormal fights back against AI-powered cyberattacks, protecting your organization from human-targeted threats.
Read More
B 2024 ISC2 Cybersecurity Workforce Study Recap
Explore key findings from the 2024 ISC2 Cybersecurity Workforce Study and find out how SOC teams can adapt and thrive amidst modern challenges.
Read More