Prevent Vendor Email Compromise
An organization’s security posture is only as strong as that of the suppliers it does business with.
Keep your employees safe from compromised accounts belonging to suppliers, vendors and partners.
average cost of a vendor email compromise attack
chance of receiving a VEC attack each week
highest requested amount by VEC attack blocked by Abnormal
Understanding Vendor Email Compromise
Recognizing an Attack from a Compromised Vendor Account
This email passed traditional email security infrastructure because it comes from a legitimate email address. Upon closer examination, we see that:
While the email is from a known vendor, the sender has never before interacted with the recipient
The financial request is suspicious, given that a similar email was sent two days ago
The attached invoice has a different bank name and routing number from previous invoices
While traditional security measures would not stop this email, Abnormal can tell that the vendor is likely compromised and will block it.
Protect Your Organization from Compromised Vendor Email Accounts
Automatically Know Your Vendors
This message from Printers and More asks Oscar to pay an invoice, but Oscar just paid an invoice last week.
Using a real account from the vendor, this message asks the accounting team at Dunder Mifflin to pay a new invoice. Because the team knows that this is a real vendor, they assume that the invoice is legitimate.
Abnormal’s VendorBase auto-identifies and scores real vendors and partners based upon past email communications, and other signals gathered across the entire enterprise ecosystem. In this case, we understand that Printers and More is a real vendor, but determine that the account is compromised because the timing of the request for payment is unusual.
Continuously Assessing Vendor Risk and Reputation
Review of the email and the vendor database shows that this email is from a legitimate source, so Oscar may approve the payment.
Because Oscar knows that the team works with Printers and More, he would likely authorize payment, especially since the invoice is already past due.
Abnormal not only detects your vendors, we assign them a risk score based on domains spoofed, accounts compromised, and suspicious business. Because we know that Printers and More has a high likelihood of being compromised, we know that this email is malicious.
Inspect Content, Tone, and Attachments
The text of the email asks Dunder Mifflin to pay their past-due invoice immediately, or suffer legal action. However, the invoice includes new banking details.
Abnormal scans all attachments for suspicious information. In this case, we understand that the banking details are different from those typically associated with this vendor.
As a result, Abnormal realizes that the account is likely compromised and an attacker is instead using it to extract money from the vendor’s customers.
Prevent Invoice and Billing Fraud
If Oscar does not pay this invoice, the attacker may try other people at Dunder Mifflin until he finds a more amenable contact.
Because the threat actor has access to the vendor’s email account, he knows which other contacts at Dunder Mifflin he can reach. He may try this tactic on multiple people throughout various departments until he finds someone willing to pay the fake invoice.
Abnormal recognizes this behavior and blocks all suspicious emails from the sender, preventing invoice fraud across the entire Dunder Mifflin organization. This continuous monitoring of the vendor to assess risk scores through VendorBase also ensures that other Abnormal customers are safe from this compromised vendor account.