
New Abnormal Research Shows Rise in Financial Supply Chain Compromise as Attackers Turn to Vendor Impersonation

Executives are no longer the go-to impersonated party in business email compromise (BEC) attacks. Now, threat actors are opting to impersonate vendors instead.
June 22, 2022

Since its initial identification in 2013, business email compromise (BEC) has been dominated by executive impersonation. But over the past few years, attackers have started adjusting their strategies—opting to impersonate third-party vendors and suppliers instead.

In January 2022, the number of attacks impersonating third parties surpassed those impersonating internal employees for the first time. This trend has continued each month since, with third-party impersonations making up 52% of all BEC attacks in May 2022.

Trend of Internal vs External BEC Impersonation Attacks

Here’s a look into the transition from CEO fraud to vendor fraud.

Why Supply Chain Compromise Works

We’ve seen this shift to what we’ve termed financial supply chain compromise for a number of reasons. Most notably, the approach gives threat actors a plethora of additional trusted identities to exploit.

Even the smallest businesses likely work with at least one vendor, and larger companies have supplier numbers in the hundreds or thousands. And while the average employee has some level of familiarity with the company’s executive team, they may not have that same awareness of the organization’s entire vendor ecosystem—particularly in larger enterprises.

Further, the vendor-customer dynamic has an intrinsic financial aspect to it, which means emails requesting payments or referencing bank account changes are less likely to raise red flags.

All of these factors combine to make a perfect environment for exploiting end-user trust.

How Attackers Impersonate Third Parties

In a supply chain compromise attack, a threat actor impersonates an external third party to redirect the flow of company funds. This is generally accomplished in one of two ways.

The first is gaining direct access to a vendor’s email account, usually via credential phishing or malware. This approach is especially effective because it allows the attacker to engage in long-term surveillance and hijack ongoing conversations, sending emails from the vendor’s actual account.

The second is through account mimicking, which involves email spoofing and lookalike domains. Although this tactic doesn’t provide an attacker with the same level of internal visibility as a compromised account, it still allows them to convincingly imitate a third party.
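As an added example (not Abnormal's code or detection logic), here is one way a mail pipeline could flag the account-mimicking case described above: spoofed use of a real vendor domain, and lookalike sender domains. The vendor domains, substitution table, finding labels and sample messages are all constructed assumptions.

```python
import email
from email.utils import parseaddr

# Assumption: hypothetical vendor domains; in practice load these from the vendor master file.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind-logistics.example"}
# Common visual substitutions, collapsed before comparison (illustrative, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Normalise a domain so visually confusable spellings compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify(raw_message):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw_message)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    # Assumes Authentication-Results was stamped by our own receiving MTA.
    auth = (msg["Authentication-Results"] or "").lower()
    findings = []
    if sender in KNOWN_VENDOR_DOMAINS:
        if "dmarc=fail" in auth:
            findings.append("spoofed-vendor-domain")
        if reply_to and reply_to != sender:
            findings.append("reply-to-diverges")
        return findings
    for vendor in sorted(KNOWN_VENDOR_DOMAINS):
        if skeleton(sender) == skeleton(vendor) or 0 < edit_distance(sender, vendor) <= 2:
            findings.append("lookalike-of:" + vendor)
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = ("From: Billing <billing@acme-supplies.example>\n"
           "Reply-To: billing@acme-supplies-pay.example\n"
           "Authentication-Results: mx.customer.example; spf=fail; dmarc=fail\n\nUpdated bank details.\n")
LOOKALIKE = "From: AR <ar@acrne-supplies.example>\n\nPlease remit to the new account.\n"
```

A message sent from a vendor's actual account, the first method described above, passes every check here, so header and domain analysis covers only the mimicking case.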

This shift to financial supply chain compromise is yet another important milestone in the evolution from low-value, low-impact attacks like spam to high-value, high-impact attacks that can cost thousands of dollars. Abnormal research found that the average vendor email compromise attack costs $183,000, and the highest amount requested thus far was $2.1 million.

The Four Types of Financial Supply Chain Attacks

Financial supply chain attacks are typically executed using one of four techniques. Each leverages a different level of insight into vendor-customer relationships and legitimate financial transactions.

Vendor Email Compromise

The most impactful form of financial supply chain attack, vendor email compromise utilizes the compromise of a supplier's mailbox to target their customers and divert funds from a legitimate business transaction.

Aging Report Theft

Aging report theft starts with the impersonation of a vendor's executive, then uses outstanding payment information to target the supplier's customers and request that outstanding balances be paid to a new account.

Third-Party Reconnaissance Attacks

In a third-party reconnaissance attack, threat actors leverage open-source intelligence to understand the relationship between vendors and their customers. Then, they use that information to attempt to redirect payments without actually having visibility into those transactions.

Blind Third-Party Impersonation Attacks

The final category of financial supply chain attacks is blind third-party impersonation attacks. In this type of attack, threat actors have no direct insight into vendor-customer relationships or financial transactions and instead rely on the effectiveness of pure social engineering to be successful.

Stopping Financial Supply Chain Compromise

Whether threat actors compromise a vendor email account or simply impersonate an external third party, the fact remains that financial supply chain compromise works. Using a vendor identity provides an effective cover for attackers, and because targets are often less familiar with their vendors, these attacks are much harder to identify than traditional CEO fraud.

Taking all of this into consideration, we see three key takeaways:

  1. Cybercriminals will continue to evolve and optimize their strategies to improve their chances of success.

  2. Advanced security measures are needed to protect against evolving threats.

  3. Without modern cybersecurity solutions, it’s not a matter of if there will be a successful attack but instead when one will occur.

All this points to one thing: now is the time to secure your environment—before cybercriminals start using your vendors to target you.

For even more insight into this shift to vendor-focused impersonation, download our latest threat intelligence report.