
Prevent Vendor Email Compromise

An organization’s security posture is only as strong as that of the suppliers it does business with.

Keep your employees safe from compromised accounts belonging to suppliers, vendors and partners.

  • $183,000: average cost of a vendor email compromise attack (Abnormal Security, 2021)

  • 82%: chance of receiving a VEC attack each week (Abnormal Security, 2021)

  • $1.6m: highest requested amount by VEC attack blocked by Abnormal

Understanding Vendor Email Compromise

Vendor email compromise is unique in that attackers target trusted vendors and partners with credential phishing campaigns. Once they gain access to the account, they use that email account to trick businesses into paying fake invoices or updating billing information, costing them millions each year. In these attacks, the threat actor:

1. Creates a credential phishing campaign targeting your vendor or partner

2. Receives valid credentials and infiltrates vendor accounts

3. Sends an email from the account with a fake invoice or updated billing details

4. Receives funds from the victim because they believe the threat actor to be their vendor


Recognizing an Attack from a Compromised Vendor Account

This email passed traditional email security infrastructure because it comes from a legitimate email address. Upon closer examination, we see that:

  • While the email is from a known vendor, the sender has never before interacted with the recipient

  • The financial request is suspicious, given that a similar email was sent two days ago

  • The attached invoice has a different bank name and routing number from previous invoices

While traditional security measures would not stop this email, Abnormal can tell that the vendor is likely compromised and will block it.
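The three warning signs listed above can be written as rules over a mailbox's history of payment requests from a vendor. The following Python is an added example, not Abnormal's detection logic or code from this page; the record fields, signal names, seven-day repeat window, and sample messages are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class PaymentRequest:
    sender: str
    recipient: str
    received: datetime
    bank_name: str        # parsed from the attached invoice
    routing_number: str

def domain(address):
    return address.rsplit("@", 1)[-1].lower()

def vec_signals(msg, history, repeat_window=timedelta(days=7)):
    """Return which of the three warning signs fire for msg, given earlier requests."""
    prior = [h for h in history
             if domain(h.sender) == domain(msg.sender) and h.received < msg.received]
    if not prior:
        return ["unknown_vendor"]   # no baseline to compare against
    signals = []
    # 1. Known vendor, but this sender has never written to this recipient.
    pair = (msg.sender.lower(), msg.recipient.lower())
    if all((h.sender.lower(), h.recipient.lower()) != pair for h in prior):
        signals.append("new_sender_for_recipient")
    # 2. A similar request from the vendor arrived very recently.
    if any(msg.received - h.received <= repeat_window for h in prior):
        signals.append("repeat_payment_request")
    # 3. Bank name / routing number differ from every earlier invoice.
    known = {(h.bank_name.lower(), h.routing_number) for h in prior}
    if (msg.bank_name.lower(), msg.routing_number) not in known:
        signals.append("bank_details_changed")
    return signals

# Constructed sample data (names, dates and numbers are invented).
OSCAR = "oscar@dundermifflin.example"
HISTORY = [
    PaymentRequest("ar@printersandmore.example", OSCAR, datetime(2021, 2, 8), "First Example Bank", "000000001"),
    PaymentRequest("ar@printersandmore.example", OSCAR, datetime(2021, 3, 8), "First Example Bank", "000000001"),
]
SUSPECT = PaymentRequest("j.doe@printersandmore.example", OSCAR, datetime(2021, 3, 10), "Other Example Bank", "000000002")
ROUTINE = PaymentRequest("ar@printersandmore.example", OSCAR, datetime(2021, 4, 8), "First Example Bank", "000000001")

if __name__ == "__main__":
    print(vec_signals(SUSPECT, HISTORY))
    print(vec_signals(ROUTINE, HISTORY))
```

Because the suspect message comes from the vendor's real domain, none of these rules depend on sender authentication results; they compare the request against the vendor's own past behavior.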

Protect Your Organization from Compromised Vendor Email Accounts


Automatically Know Your Vendors

This message from Printers and More asks Oscar to pay an invoice, but Oscar just paid an invoice last week.

Using a real account from the vendor, this message asks the accounting team at Dunder Mifflin to pay a new invoice. Because the team knows that this is a real vendor, they assume that the invoice is legitimate.

Abnormal’s VendorBase auto-identifies and scores real vendors and partners based upon past email communications, and other signals gathered across the entire enterprise ecosystem. In this case, we understand that Printers and More is a real vendor, but determine that the account is compromised because the timing of the request for payment is unusual.


Continuously Assessing Vendor Risk and Reputation

Review of the email and the vendor database shows that this email is from a legitimate source, so Oscar may approve the payment.

Because Oscar knows that the team works with Printers and More, he would likely authorize payment, especially since the invoice is already past due.

Abnormal not only detects your vendors but also assigns them a risk score based on domains spoofed, accounts compromised, and suspicious business. Because we know that Printers and More has a high likelihood of being compromised, we know that this email is malicious.


Inspect Content, Tone, and Attachments

The text of the email asks Dunder Mifflin to pay their past-due invoice immediately, or suffer legal action. However, the invoice includes new banking details.

Abnormal scans all attachments for suspicious information. In this case, we understand that the banking details are different from those typically associated with this vendor.

As a result, Abnormal realizes that the account is likely compromised and an attacker is instead using it to extract money from the vendor’s customers.


Prevent Invoice and Billing Fraud

If Oscar does not pay this invoice, the attacker may try other people at Dunder Mifflin until he finds a more amenable contact.

Because the threat actor has access to the vendor’s email account, he knows which other contacts at Dunder Mifflin he can reach. He may try this tactic on multiple people throughout various departments until he finds someone willing to pay the fake invoice.

Abnormal recognizes this behavior and blocks all suspicious emails from the sender, preventing invoice fraud across the entire Dunder Mifflin organization. This continuous monitoring of the vendor to assess risk scores through VendorBase also ensures that other Abnormal customers are safe from this compromised vendor account.


Related Resources

Vendor email compromise attacks can cause substantial financial loss through invoice or payment fraud. Learn how and why attackers leverage compromised accounts from vendors to launch attacks that are specifically designed to bypass traditional email security.
With Abnormal, security teams can now eliminate redundant email gateways and enhance Microsoft's built-in security capabilities. Once integrated via one-click API, Abnormal automatically profiles your VIPs and employees, their behavior, relationships, communication patterns...
Read the Q1 2021 threat report to learn the latest on vendor email compromise, including which scams are most successful and why the volume of attacks has grown so significantly.
Vendor email compromise, in which a compromised vendor sends invoice or payment attacks to their customers, is growing in popularity. An easier to detect method of this attack happens when a vendor is impersonated, rather than compromised. In this attack, the...
The prolific attack on SolarWinds and their partner ecosystem will forever change how we view supply chain security and the role email communication plays in it. As the events and details surrounding the attack continue to unfold, we have learned from the company itself...
While you may be confident in your own email security, the truth is that your security is only as good as the security of your partners and vendors. Discover why vendor email compromise is such an important part of your security strategy.