
New Abnormal Research Shows Rise in Financial Supply Chain Compromise as Attackers Turn to Vendor Impersonation

Executives are no longer the go-to impersonated party in business email compromise (BEC) attacks. Now, threat actors are opting to impersonate vendors instead.

June 22, 2022

Since its initial identification in 2013, business email compromise (BEC) has been dominated by executive impersonation. But over the past few years, attackers have started adjusting their strategies—opting to impersonate third-party vendors and suppliers instead.

In January 2022, the number of attacks impersonating third parties surpassed those impersonating internal employees for the first time. This trend has continued each month since, with third-party impersonations making up 52% of all BEC attacks in May 2022.

[Figure: Trend of Internal vs. External BEC Impersonation Attacks]

Here’s a look into the transition from CEO fraud to vendor fraud.

Why Supply Chain Compromise Works

We’ve seen this shift to what we’ve termed financial supply chain compromise for a number of reasons. Most notably is that the approach gives threat actors a plethora of additional trusted identities to exploit.

Even the smallest businesses likely work with at least one vendor, and larger companies have supplier numbers in the hundreds or thousands. And while the average employee has some level of familiarity with the company’s executive team, they may not have that same awareness of the organization’s entire vendor ecosystem—particularly in larger enterprises.

Further, the vendor-customer dynamic has an intrinsic financial aspect to it, which means emails requesting payments or referencing bank account changes are less likely to raise red flags.

All of these factors combine to make a perfect environment for exploiting end-user trust.

How Attackers Impersonate Third Parties

In a supply chain compromise attack, a threat actor impersonates an external third party to redirect the flow of company funds. This is generally accomplished in one of two ways.

The first is gaining direct access to a vendor’s email account, usually via credential phishing or malware. This approach is especially effective because it allows the attacker to conduct long-term surveillance and hijack ongoing conversations, sending emails from the vendor’s actual account.

The second is through account mimicking, which involves email spoofing and lookalike domains. Although this tactic doesn’t provide an attacker with the same level of internal visibility as a compromised account, it still allows them to convincingly imitate a third party.
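As an added example (not code from the original post or from Abnormal), the following Python triage check covers the account-mimicking case: it folds a sender domain to an ASCII skeleton, compares it by edit distance against an allowlist of known vendor domains, and flags payment-redirection language of the kind described above. The vendor domains, the confusable table and the sample message are constructed placeholders, not values from the post.

```python
import re
import unicodedata

# Constructed, hypothetical vendor allowlist; in practice this comes from AP/ERP records.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwind-parts.net"}

# Visually confusable sequences folded to a canonical form (small sample, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Language typical of a request to redirect payment (constructed sample pattern).
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|wire|remit(tance)?)\b", re.I | re.S)


def skeleton(domain: str) -> str:
    """Reduce a domain to an ASCII skeleton so a lookalike compares equal to its target."""
    d = domain.strip().lower()
    try:
        d = d.encode("ascii").decode("idna")  # expand punycode (xn--) labels to Unicode
    except ValueError:
        pass  # not valid IDNA; keep the raw label
    d = "".join(c for c in unicodedata.normalize("NFKD", d) if not unicodedata.combining(c))
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d.replace("-", "")  # "acme-supplies" and "acmesupplies" should collide


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """'known' for an allowlisted vendor, 'lookalike' if it mimics one, else 'unknown'."""
    if domain.strip().lower() in KNOWN_VENDOR_DOMAINS:
        return "known"
    skel = skeleton(domain)
    if any(levenshtein(skel, skeleton(v)) <= 2 for v in KNOWN_VENDOR_DOMAINS):
        return "lookalike"
    return "unknown"


def triage(sender: str, body: str) -> list[str]:
    """Return the reasons a message deserves manual review before any payment change is acted on."""
    domain = sender.rsplit("@", 1)[-1]
    reasons = []
    if classify_domain(domain) == "lookalike":
        reasons.append(f"sender domain {domain} mimics a known vendor")
    if PAYMENT_CHANGE.search(body):
        reasons.append("message requests a change to payment details")
    return reasons
```

A message that trips both checks is the vendor-fraud pattern the post describes; a message from a genuinely compromised vendor mailbox trips only the second, which is why the payment-change check matters on its own.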

This shift to financial supply chain compromise is yet another important milestone in the evolution from low-value, low-impact attacks like spam to high-value, high-impact attacks that can cost thousands of dollars. Abnormal research found that the average vendor email compromise attack costs $183,000, and the highest amount requested thus far was $2.1 million.

The Four Types of Financial Supply Chain Attacks

Financial supply chain attacks are typically executed using one of four techniques. Each leverages a different level of insight into vendor-customer relationships and legitimate financial transactions.

Vendor Email Compromise

Vendor email compromise, the most impactful form of financial supply chain attack, uses a compromised supplier mailbox to target that supplier's customers and divert funds from a legitimate business transaction.

Aging Report Theft

Aging report theft starts with impersonating a vendor's executive to obtain the vendor's aging report, then uses the outstanding payment information it contains to target the supplier's customers and request that outstanding balances be paid to a new account.

Third-Party Reconnaissance Attacks

In a third-party reconnaissance attack, threat actors leverage open-source intelligence to understand the relationship between vendors and their customers. Then, they use that information to attempt to redirect payments without actually having visibility into those transactions.

Blind Third-Party Impersonation Attacks

The final category of financial supply chain attacks is blind third-party impersonation attacks. In this type of attack, threat actors have no direct insight into vendor-customer relationships or financial transactions and instead rely on the effectiveness of pure social engineering to be successful.

Stopping Financial Supply Chain Compromise

Whether threat actors compromise a vendor email account or simply impersonate an external third party, the fact remains that financial supply chain compromise works. Using a vendor identity provides an effective cover for attackers, and because targets are often less familiar with their vendors, these attacks are much harder to identify than traditional CEO fraud.

Taking all of this into consideration, we see three key takeaways:

  1. Cybercriminals will continue to evolve and optimize their strategies to improve their chances of success.

  2. Advanced security measures are needed to protect against evolving threats.

  3. Without modern cybersecurity solutions, it’s not a matter of if there will be a successful attack but instead when one will occur.

All this points to one thing: now is the time to secure your environment—before cybercriminals start using your vendors to target you.

For even more insight into this shift to vendor-focused impersonation, download our latest threat intelligence report.