Vendor Email Compromise Attacks Are the New Tactics of Cybercriminals

There has been a rise in the volume of business email compromise (BEC) attacks in the U.S. According to Symantec, about 6,029 businesses received BEC emails in the last year, and FBI statistics show that losses to businesses attacked through this scam totaled $1,297,803,489 in 2018.

In BEC attacks, attackers gain access to business email accounts and use them to launch further attacks on the business. Some BEC attacks aim to obtain sensitive information, such as W-2 forms for use in tax scams, but more commonly the attackers try to use the accounts to make fraudulent wire transfers. After gaining access to the email account of a CEO or other officer, the attacker sends messages to the payroll department to redirect payments, or to order wire transfers to the attacker's account.

Agari published information this week about a new BEC development: vendor email compromise (VEC) attacks. Like other types of BEC attacks, these use very realistic emails to request payment of invoices, but the firm whose email accounts were compromised is not the victim of the fraud. Instead, those email accounts are used to target the firm's customers.

Vendor email compromise attacks start with a spear-phishing email aimed at the CFO or CEO. As soon as the attacker obtains the credentials, he or she logs into the account and sets up mail forwarding rules. The attacker then receives a copy of all sent and received email without the account holder being aware of it.

Over a period of weeks or months, the attacker analyzes the email messages to understand the customer billing process and the usual invoice amounts. The attackers study the email format, acquire the relevant logos, and use this information to produce highly realistic counterfeit invoices for the correct amount at the proper time.

The attacker sends the invoice requests just a few days before payment would typically be made. The one detail that distinguishes a fraudulent request from a legitimate one is that the bank account differs from the usual one.
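The following added example (not from the article or from Agari) shows what that means for an accounts-payable control: on a VEC invoice the sender and amount checks pass, and only a comparison against the bank account held in the vendor record flags it. The record layout, function names and sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VendorRecord:
    sender_domain: str   # domain the vendor normally bills from
    bank_account: str    # account on file, confirmed out of band at onboarding
    usual_amount: float  # typical invoice total

@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    sender_address: str
    bank_account: str
    amount: float

def normalize_account(value: str) -> str:
    """Drop spaces/hyphens and uppercase so formatting alone never changes the result."""
    return "".join(ch for ch in value if ch.isalnum()).upper()

def review_invoice(invoice, vendors, amount_tolerance=0.10):
    """Return a list of findings; an empty list means nothing to hold."""
    record = vendors.get(invoice.vendor_id)
    if record is None:
        return ["unknown vendor: hold payment"]
    findings = []
    domain = invoice.sender_address.rsplit("@", 1)[-1].lower()
    if domain != record.sender_domain:
        findings.append("sender domain differs from vendor record")
    if abs(invoice.amount - record.usual_amount) > amount_tolerance * record.usual_amount:
        findings.append("amount outside usual range")
    # The only check a VEC invoice fails: the mail is sent from the real account.
    if normalize_account(invoice.bank_account) != normalize_account(record.bank_account):
        findings.append("bank account differs from vendor record: verify by phone before paying")
    return findings

# Constructed sample data (not real accounts or domains).
VENDORS = {"V-1001": VendorRecord("vendor.example", "GB00 TEST 0000 0000 1234 56", 18500.00)}
LEGIT = Invoice("V-1001", "billing@vendor.example", "GB00TEST00000000123456", 18500.00)
VEC = Invoice("V-1001", "billing@vendor.example", "GB00 TEST 0000 0000 9876 54", 18500.00)

if __name__ == "__main__":
    for name, inv in (("legit", LEGIT), ("vec", VEC)):
        print(name, review_invoice(inv, VENDORS))
```

The phone verification should use a number already on file, since a reply to the invoice email goes to the compromised mailbox.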

The attacks are frequently carried out against small to medium-sized firms, for instance those that supply goods or services to larger businesses. Each compromised email account can be used to send bogus invoices to a number of the company's customers, raising the potential payout. The requests are so realistic that they are unlikely to arouse suspicion. The timing, the context, the message from the expected vendor and the invoice itself all look authentic, which is why this kind of attack is so successful.

Employees have a hard time spotting these attacks because the usual signs of fake emails are absent. There are no spelling or grammar errors, and the emails come from legitimate, not fake, email accounts.

Agari has been tracking the activity of a cybercriminal group called Silent Starling that is using this technique. Since 2018, Silent Starling has carried out over 500 known attacks involving close to 700 compromised employee email accounts. A number of other cybercriminal groups are using identical techniques.

It is likely that VEC will become the biggest threat to companies around the world in the next 12-18 months. These scams will continue to grow.