Abstract Yellow Grid

New Abnormal Research Shows Rise in Financial Supply Chain Compromise as Attackers Turn to Vendor Impersonation

Executives are no longer the go-to impersonated party in business email compromise (BEC) attacks. Now, threat actors are opting to impersonate vendors instead.

June 22, 2022

Since its initial identification in 2013, business email compromise (BEC) has been dominated by executive impersonation. But over the past few years, attackers have started adjusting their strategies—opting to impersonate third-party vendors and suppliers instead.

In January 2022, the number of attacks impersonating third parties surpassed those impersonating internal employees for the first time. This trend has continued each month since, with third-party impersonations making up 52% of all BEC attacks in May 2022.

Trend of Internal vs External BEC Impersonation Attacks

Here’s a look into the transition from CEO fraud to vendor fraud.

Why Supply Chain Compromise Works

We’ve seen this shift to what we’ve termed financial supply chain compromise for a number of reasons. Most notably is that the approach gives threat actors a plethora of additional trusted identities to exploit.

Even the smallest businesses likely work with at least one vendor, and larger companies have supplier numbers in the hundreds or thousands. And while the average employee has some level of familiarity with the company’s executive team, they may not have that same awareness of the organization’s entire vendor ecosystem—particularly in larger enterprises.

Further, the vendor-customer dynamic has an intrinsic financial aspect to it, which means emails requesting payments or referencing bank account changes are less likely to raise red flags.

All of these factors combine to make a perfect environment for exploiting end user trust.

How Attackers Impersonate Third Parties

In a supply chain compromise attack, a threat actor impersonates an external third party to redirect the flow of company funds. This is generally accomplished in one of two ways.

The first is gaining direct access to a vendor’s email account, usually via credential phishing or malware. This approach is especially effective because it allows the attacker to engage in long-term surveillance and hijack ongoing conversations, sending emails from the vendor’s actual account

The second is through account mimicking, which involves email spoofing and lookalike domains. Although this tactic doesn’t provide an attacker with the same level of internal visibility as a compromised account, it still allows them to convincingly imitate a third party.

This shift to financial supply chain compromise is yet another important milestone in the evolution from low-value, low-impact attacks like spam to high-value, high-impact attacks that can cost thousands of dollars. Abnormal research found that the average vendor email compromise attack costs $183,000, and the highest amount requested thus far was $2.1 million.

The Four Types of Financial Supply Chain Attacks

Financial supply chain attacks are typically executed using one of four techniques. Each leverages a different level of insight into vendor-customer relationships and legitimate financial transactions.

Vendor Email Compromise

The most impactful form of financial supply chain attacks, vendor email compromise utilizes the compromise of a supplier's mailbox to target their customers and divert funds from a legitimate business transaction.

Aging Report Theft

Aging report theft starts with the impersonation of a vendor's executive, then uses outstanding payment information to target the supplier's customers and request that outstanding balances be paid to a new account.

Third-Party Reconnaissance Attacks

In a third-party reconnaissance attack, threat actors leverage open-source intelligence to understand the relationship between vendors and their customers. Then, they use that information to attempt to redirect payments without actually having visibility into those transactions.

Blind Third-Party Impersonation Attacks

The final category of financial supply chain attacks is blind third-party impersonation attacks. In this type of attack, threat actors have no direct insight into vendor-customer relationships or financial transactions and instead rely on the effectiveness of pure social engineering to be successful.

Stopping Financial Supply Chain Compromise

Whether threat actors compromise a vendor email account or simply impersonate an external third party, the fact remains that financial supply chain compromise works. Using a vendor identity provides an effective cover for attackers, and because targets are often less familiar with their vendors, these attacks are much harder to identify than traditional CEO fraud.

Taking all of this into consideration, we see three key takeaways:

  1. Cybercriminals will continue to evolve and optimize their strategies to improve their chances of success.

  2. Advanced security measures are needed to protect against evolving threats.

  3. Without modern cybersecurity solutions, it’s not a matter of if there will be a successful attack but instead when one will occur.

All this points to one thing: now is the time to secure your environment—before cybercriminals start using your vendors to target you.


For even more insight into this shift to vendor-focused impersonation, download our latest threat intelligence report.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 06 21 22 Threat Intel blog
Executives are no longer the go-to impersonated party in business email compromise (BEC) attacks. Now, threat actors are opting to impersonate vendors instead.
Read More
B 06 7 22 Disentangling ML Pipelines Blog
Learn how explicitly modeling dependencies in a machine learning pipeline can vastly reduce its complexity and make it behave like a tower of Legos: easy to change, and hard to break.
Read More
B 04 07 22 SEG
As enterprises across the world struggle to stop modern email attacks, it begs the question: how are these attacks evading traditional solutions like SEGs?
Read More
Enhanced Remediation Blog Cover
The most effective way to manage spam and graymail is to leverage a cloud-native, API-based architecture to understand identity, behavior, and content patterns.
Read More
B 05 16 22 VP of Recruiting
We are thrilled to announce the addition of Mary Price, our new Vice President of Talent. Mary will support our continued investment in the next generation of talent here at Abnormal.
Read More
B 06 01 22 Stripe Phishing
In this sophisticated credential phishing attack, the threat actor created a duplicate version of Stripe’s entire website.
Read More
B Podcast Engineering9
In episode 9 of Abnormal Engineering Stories, Dan sits down with Mukund Narasimhan to discuss his perspective on productionizing machine learning.
Read More
B 05 31 22 RSA Conference
Attending RSA Conference 2022? So is Abnormal! We’d love to see you at the event.
Read More
B 05 27 22 Active Ransomware Groups
Here’s an in-depth analysis of the 62 most prominent ransomware groups and their activities since January 2020.
Read More
B 05 24 22 ESI Season 1 Recap Blog
The first season of Enterprise Software Innovators (ESI) has come to a close. While the ESI team is hard at work on season two, here’s a recap of some season one highlights.
Read More
B 05 13 22 Hiring Experience
Abnormal Security is committed to offering an exceptional experience for candidates and employees. Hear about our recruiting and onboarding firsthand from three Abnormal employees.
Read More
B 05 11 22 Scaling Out Redis
As we’ve scaled our customer base, the size of our datasets has also grown. With our rapid expansion, we were on track to hit the data storage limit of our Redis server in two months, so we needed to figure out a way to scale beyond this—and fast!
Read More