
New Abnormal Research Shows Rise in Financial Supply Chain Compromise as Attackers Turn to Vendor Impersonation

Executives are no longer the go-to impersonated party in business email compromise (BEC) attacks. Now, threat actors are opting to impersonate vendors instead.
June 22, 2022

Since its initial identification in 2013, business email compromise (BEC) has been dominated by executive impersonation. But over the past few years, attackers have started adjusting their strategies—opting to impersonate third-party vendors and suppliers instead.

In January 2022, the number of attacks impersonating third parties surpassed those impersonating internal employees for the first time. This trend has continued each month since, with third-party impersonations making up 52% of all BEC attacks in May 2022.

Trend of Internal vs External BEC Impersonation Attacks

Here’s a look into the transition from CEO fraud to vendor fraud.

Why Supply Chain Compromise Works

We’ve seen this shift to what we’ve termed financial supply chain compromise for a number of reasons. Most notably, the approach gives threat actors a plethora of additional trusted identities to exploit.

Even the smallest businesses likely work with at least one vendor, and larger companies have supplier numbers in the hundreds or thousands. And while the average employee has some level of familiarity with the company’s executive team, they may not have that same awareness of the organization’s entire vendor ecosystem—particularly in larger enterprises.

Further, the vendor-customer dynamic has an intrinsic financial aspect to it, which means emails requesting payments or referencing bank account changes are less likely to raise red flags.

All of these factors combine to make a perfect environment for exploiting end-user trust.

How Attackers Impersonate Third Parties

In a supply chain compromise attack, a threat actor impersonates an external third party to redirect the flow of company funds. This is generally accomplished in one of two ways.

The first is gaining direct access to a vendor’s email account, usually via credential phishing or malware. This approach is especially effective because it allows the attacker to engage in long-term surveillance and hijack ongoing conversations, sending emails from the vendor’s actual account.

The second is through account mimicking, which involves email spoofing and lookalike domains. Although this tactic doesn’t provide an attacker with the same level of internal visibility as a compromised account, it still allows them to convincingly imitate a third party.
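A defender can screen for the account-mimicking case by comparing each sender domain against the vendor master list. The sketch below is an added example, not Abnormal's detection logic; the vendor list, confusable table, threshold, and function names are all assumptions, and it covers lookalike domains and display-name impersonation only (exact-domain spoofing is left to SPF/DKIM/DMARC).

```python
from email.utils import parseaddr

# Constructed vendor master list (assumption: domain -> vendor name from AP records).
KNOWN_VENDORS = {
    "acme-supplies.example": "Acme Supplies",
    "northwind-freight.example": "Northwind Freight",
}
# Character swaps that read alike at a glance (illustrative, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]
MAX_EDITS = 2  # assumption: tune against your own vendor list


def skeleton(domain):
    """Collapse visually confusable sequences so lookalikes compare equal."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return (verdict, matched_vendor_domain) for a From: header value."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in KNOWN_VENDORS:
        return ("known_vendor", domain)
    for vendor in KNOWN_VENDORS:  # near-miss domain: typo or confusable swap
        if skeleton(domain) == skeleton(vendor) or edit_distance(domain, vendor) <= MAX_EDITS:
            return ("lookalike_domain", vendor)
    for vendor, name in KNOWN_VENDORS.items():  # vendor name on an unrelated domain
        if name.lower() in display.lower():
            return ("display_name_mismatch", vendor)
    return ("unrelated", None)
```

A `known_vendor` verdict says nothing about the compromised-account case described first, since those messages come from the vendor’s real mailbox.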

This shift to financial supply chain compromise is yet another important milestone in the evolution from low-value, low-impact attacks like spam to high-value, high-impact attacks that can cost thousands of dollars. Abnormal research found that the average vendor email compromise attack costs $183,000, and the highest amount requested thus far was $2.1 million.

The Four Types of Financial Supply Chain Attacks

Financial supply chain attacks are typically executed using one of four techniques. Each leverages a different level of insight into vendor-customer relationships and legitimate financial transactions.

Vendor Email Compromise

The most impactful form of financial supply chain attacks, vendor email compromise utilizes the compromise of a supplier's mailbox to target their customers and divert funds from a legitimate business transaction.

Aging Report Theft

Aging report theft starts with the impersonation of a vendor's executive, then uses outstanding payment information to target the supplier's customers and request that outstanding balances be paid to a new account.

Third-Party Reconnaissance Attacks

In a third-party reconnaissance attack, threat actors leverage open-source intelligence to understand the relationship between vendors and their customers. Then, they use that information to attempt to redirect payments without actually having visibility into those transactions.

Blind Third-Party Impersonation Attacks

The final category of financial supply chain attacks is blind third-party impersonation attacks. In this type of attack, threat actors have no direct insight into vendor-customer relationships or financial transactions and instead rely on the effectiveness of pure social engineering to be successful.

Stopping Financial Supply Chain Compromise

Whether threat actors compromise a vendor email account or simply impersonate an external third party, the fact remains that financial supply chain compromise works. Using a vendor identity provides an effective cover for attackers, and because targets are often less familiar with their vendors, these attacks are much harder to identify than traditional CEO fraud.

Taking all of this into consideration, we see three key takeaways:

  1. Cybercriminals will continue to evolve and optimize their strategies to improve their chances of success.

  2. Advanced security measures are needed to protect against evolving threats.

  3. Without modern cybersecurity solutions, it’s not a matter of if there will be a successful attack but instead when one will occur.

All this points to one thing: now is the time to secure your environment—before cybercriminals start using your vendors to target you.

For even more insight into this shift to vendor-focused impersonation, download our latest threat intelligence report.