Vendor email compromise is a type of fraud in which an attacker impersonates a third party, typically a supplier, to extract money or steal information.
Many companies fall for vendor email compromise because they trust what arrives over email. The best way to combat this?
Do your due diligence: verify requests through a channel other than email and act when you receive suspicious messages. Don’t end up like Marriott, which lost over 5 million guest records when attackers used the login credentials of employees at one of its franchised properties.
Vendor Email Compromise Prevention key takeaways:
- Vendor email compromise (VEC) involves threat actors who take over, or convincingly imitate, your vendors’ email accounts so that you trust their requests for money or sensitive information
- It can be carried out through phishing, executive impersonation or fake invoices
- You may already know the term business email compromise (BEC); VEC is a more targeted variant of that attack
- VEC is dangerous because fraudsters spend months in preparation, which makes the scam convincing, and it can go undetected for weeks, leaving businesses exposed
- Prevent VEC with system security, training and automated protection platforms like Trustpair
What Is Vendor Email Compromise (VEC)?
Vendor Email Compromise (VEC) is an elaborate type of cyberattack that exploits trusted third-party relationships.
Fraudsters impersonate known vendors in order to take over accounts, redirect payments to their own bank accounts or obtain sensitive information. Because it is carried out over email, it is a specialised form of the broader category of business email compromise (BEC).
It relies on manipulation: victims are pressured into believing that they must act quickly and that they really are dealing with someone from their supply chain. Convincingly impersonating a compromised account takes a lot of research, so that the tone and communication patterns of the trusted sender are mimicked accurately.
How Does Vendor Email Compromise Work?
Vendor email compromise works in three main steps:
- The attacker gains control of an email account or domain belonging to a vendor of the target organisation (or sets up a convincing imitation of one)
- The attacker contacts the victim from that account, posing as the vendor
- If successful, the victim sends confidential information back to the attacker-controlled address (a data breach), grants access to their systems or follows payment instructions that route funds to the attacker
While each vendor impersonation attack follows this general structure, each of the steps can be performed differently, depending on the attacker’s approach.
For example: the attacker may not actually gain access to the vendor’s systems at all. What commonly happens instead is that the fraudster registers a lookalike address, changing just one letter or adding some punctuation, in the hope that the victim doesn’t notice. This is widely called domain spoofing, although strictly a lookalike domain is typosquatting; true spoofing forges the From address of the real domain, and is what DMARC (covered below) is designed to stop. It’s the difference between marketing@trustpair.com and marketimg@trustpair.com: hardly noticeable for someone busily doing their job. In practice the swapped letter usually sits in the domain rather than the mailbox name, because the attacker needs replies to land in a domain they control. Then, with some good branding and convincing messaging, they carry out invoice fraud.
Similarly, the way the attacker carries out the ruse varies. Once inside a mailbox, some read through the history to learn how their target communicates, in order to make their own messages more convincing. Others rely on social engineering, using pressure tactics to panic the victim into taking action.
Common Examples of Vendor Email Compromise Attacks
Spear phishing for account takeover
One of the most common routes into vendor email compromise is spear phishing. Attackers create a realistic fake of your vendor’s portal and email you a pretext that prompts a fresh log-in: their systems went down, or you must sign in again (via a malicious link) as part of routine security procedures.
These emails lead to credential harvesting: the perpetrators see exactly what you type into their fake page and use the same details to log into the real account. If they relay your input in real time, they can also get around two-factor authentication (2FA) based on one-time codes, by having you type the code sent to your phone or email address straight into another fake page and replaying it before it expires. Phishing-resistant methods such as FIDO2 security keys or passkeys are not defeated this way, because the credential is bound to the genuine site’s origin.
Once inside, the fraudsters can lock you out by changing the recovery details and, depending on the account’s privileges:
- steal data
- hold your account for ransom
- or siphon off money to themselves
A real-life example occurred at Change Healthcare in February 2024. Stolen credentials were used to log into a remote-access portal that was not protected by multi-factor authentication, and the intrusion exposed the medical data of approximately one third of the US population. The attack ended in a $22 million ransom paid by Change Healthcare’s parent company, UnitedHealth Group, and it took weeks for systems to recover.
Fake or altered invoice
The attackers can also produce a fake invoice and send it from the vendor’s account to the partner’s accounts payable department. It looks like the real vendor’s invoice, but the payment details are switched for the attacker’s own.
This is a higher-risk strategy for the attacker: it depends on knowing which goods or services were delivered during the payment period, so that the invoice itself raises no suspicion with accounts payable.
A more reliable approach is to join an ongoing email thread and reply with a ‘change of bank details’ notice instead. With the product or service type, volume and payment terms already settled in the thread, the attacker only has to swap the account details for their own.
Commandeering a live conversation makes the request look believable, and it is less likely to raise suspicion with finance or security teams.
How Is Vendor Email Compromise Different from Business Email Compromise (BEC)?
Vendor email compromise is a type of business email compromise, but the two are not the same.
Typically, BEC attacks are less researched (more opportunistic), while VEC requires a detailed understanding of a specific vendor relationship. Both use impersonation, but VEC attackers need to know the payment structure, its frequency and the history of the partnership.
While the research and preparation take longer than a generic BEC campaign, the pay-off can also be greater.
Why Is Vendor Email Compromise So Dangerous for Businesses?
VEC is so dangerous for businesses precisely because of the perpetrators’ extensive preparation. The communication feels ordinary to the victim, like routine contact with a legitimate vendor, which makes it convincing in itself and raises less suspicion than other scam attempts.
Fraudsters can spend months preparing a campaign, taking the time to learn about the partnership and the person they intend to impersonate. This knowledge is what makes the impersonation believable.
Moreover, perpetrators are practised in social engineering tactics such as time pressure and appeals to authority. They exploit the fact that a finance department is more likely to fulfil an urgent payment or access request made on behalf of the C-suite. These tactics encourage victims to ignore their suspicions rather than step away and consider whether the request is legitimate.
Often the scam goes undetected for weeks, or even months. Realistically, both parties usually only find out when the real vendor chases an unpaid invoice, and by then the money has long since left the account and is far harder to recover.
What should a business do if it falls victim to vendor email compromise?
No matter how much you train employees, you may still fall victim to vendor email compromise. There are four key steps to take:
- Secure your accounts: reset the passwords and revoke the active sessions of affected mailboxes, remove any inbox forwarding or deletion rules the attacker added, and freeze further payments to the vendor until its details have been verified.
- Contact your vendors: let them know they need to secure their systems. If your vendors have been duped, you may have been too, meaning that the entire supply chain could be compromised.
- Perform security investigations, checks and changes: enforce password changes, upgrade security systems and update your policies in order to turn your security from reactive into a long-term plan. Conduct an investigation to figure out what happened, find your vulnerabilities and protect anything that could be exploited.
- Ongoing prevention: systems monitoring and training for all employees are two important ways to prevent future VEC attacks. Stay vigilant against ‘updated banking details’ claims. For more robust protection, consider automated solutions like Trustpair.
How Can Businesses Prevent Vendor Email Compromise?
Businesses can prevent this type of vendor fraud by securing and monitoring their systems, training staff to recognize this type of attack, and relying on automated solutions like Trustpair.
Securing and monitoring systems
Preventing vendor email compromise is easier when systems are highly secure in the first place. Implementing the following security controls and monitoring protocols can help to heighten the security, making it harder for unauthorized attackers to achieve their first step – access:
- Multi-factor authentication: requiring a second factor makes a stolen password far less useful; prefer phishing-resistant factors (security keys, passkeys) over SMS or emailed codes, which a real-time phishing page can relay
- Strong password policy: block common and previously breached passwords and require length rather than arbitrary symbol rules, which blunts brute-force and credential-stuffing attempts
- Zero-trust access and out-of-band verification: authenticate every access request rather than trusting the network, and confirm any change to a vendor’s bank details by phoning a number already on file, never one supplied in the email
- Activity logs: monitor user actions (log-ins from new locations, newly created inbox rules, bulk downloads) to maintain accountability and flag suspicious activity
Training staff to recognize VEC
Staff training is not a foolproof strategy. But with regular reminders and real-life examples of these scams, you can change employee behaviour over the long term and strengthen your BEC defence.
Staff training can include:
- Interactive sessions showing staff the warning signs to look for and how to report (forward) suspicious emails to the security team
- Sending test emails to simulate real threats and train behavioural reactions
- Frequent risk assessments so that all staff understand where they are vulnerable
Automated prevention
Automated tools can also stop vendor email compromise, especially with email authentication services and information verification tools, like Trustpair.
Domain authentication
Email authentication services rely on SPF, DKIM and DMARC (domain-based message authentication, reporting and conformance). When a sending domain publishes a DMARC policy of quarantine or reject, receiving mail servers automatically discard messages that claim to come from that domain but fail authentication. This closes the door on exact-domain spoofing of your own and your vendors’ domains, but it has two limits a practitioner should keep in mind: it does nothing against a lookalike domain the attacker owns and has set up authentication for, and it passes messages sent from a genuinely compromised vendor mailbox. Ask your vendors to publish a reject policy, and keep the other controls in place.
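As an added example (not Trustpair’s code and not part of the original article): a Python triage script that reads the DMARC verdict the receiving mail server recorded in the Authentication-Results header and, separately, checks the sender’s domain against a small vendor allow list for lookalikes, so it covers both the DMARC limit just described and the lookalike-address trick from the “How Does Vendor Email Compromise Work?” section. The vendor list, the confusable-character table and the three sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional

# Hypothetical allow list: the domains of vendors we actually exchange invoices with.
KNOWN_VENDOR_DOMAINS = {"trustpair.com", "acme-supplies.co.uk"}

# Substitutions attackers use because the characters look alike in common fonts.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Fold confusable characters so that tru5tpair.com and trustpair.com compare equal."""
    d = domain.lower().strip(".")
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the vendor domain this sender domain imitates, or None.
    Exact matches are never lookalikes. A distance threshold of 2 suits
    domains of this length; very short domains would need a stricter rule."""
    domain = domain.lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return None
    for known in KNOWN_VENDOR_DOMAINS:
        if normalize(domain) == normalize(known) or edit_distance(domain, known) <= 2:
            return known
    return None


def dmarc_result(msg: Message) -> str:
    """Read the DMARC verdict the receiving MTA wrote into Authentication-Results
    (RFC 8601). Returns 'pass', 'fail' or 'none' (no policy published or no record)."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(pass|fail|none)\b", value, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return "none"


def assess(raw_email: str) -> dict:
    """Triage one inbound message: 'deliver' if nothing is wrong, else 'hold' with reasons."""
    msg = message_from_string(raw_email)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    reply_domain = reply_addr.rpartition("@")[2].lower() if reply_addr else from_domain

    findings = []
    dmarc = dmarc_result(msg)
    if dmarc == "fail":
        findings.append(f"DMARC fail for {from_domain}")
    elif dmarc == "none" and from_domain in KNOWN_VENDOR_DOMAINS:
        findings.append(f"vendor domain {from_domain} publishes no DMARC policy")
    mimicked = lookalike_of(from_domain)
    if mimicked:  # DMARC can pass here: the attacker controls the lookalike domain
        findings.append(f"sender domain {from_domain} looks like vendor {mimicked}")
    if reply_domain != from_domain:  # replies quietly diverted elsewhere
        findings.append(f"Reply-To domain {reply_domain} differs from From domain")
    return {"from_domain": from_domain, "dmarc": dmarc,
            "findings": findings, "verdict": "hold" if findings else "deliver"}


# Constructed sample messages (only the headers that matter for triage).
SAMPLES = {
    "genuine": ("Authentication-Results: mx.example.com; dmarc=pass header.from=trustpair.com\n"
                "From: Accounts <ap@trustpair.com>\nSubject: Invoice 1042\n\nAttached.\n"),
    "spoofed": ("Authentication-Results: mx.example.com; dmarc=fail (p=reject) header.from=trustpair.com\n"
                "From: Accounts <ap@trustpair.com>\nReply-To: ap@trustpair-billing.net\n"
                "Subject: Updated bank details\n\nPlease use the new account below.\n"),
    "lookalike": ("Authentication-Results: mx.example.com; dmarc=pass header.from=trustpalr.com\n"
                  "From: Accounts <ap@trustpalr.com>\nSubject: Invoice 1043\n\nAttached.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, assess(raw))
```

The third sample is the one to notice: the lookalike domain passes DMARC cleanly because the attacker registered it and published SPF and DKIM for it, so only the allow-list comparison catches it. The script only trusts Authentication-Results written by your own mail server; an attacker can add that header to a message before sending it, so strip or override inbound copies at the border MTA.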
Information verification
Information verification tools like Trustpair provide the first and last lines of defence. Even when a message appears to come from a legitimate email account, double-checking the payment details should be part of the standard process.
Initially, this means we take the information given to you by business partners and check it against robust external databases. From verified bank account number and sort code databases to international blacklists, our coverage ensures that you get a definitive answer on whether a new vendor, or a change to an existing one, is legitimate.
As for the last line of defence: automated bank account controls lock down your outgoing transactions when suspicious third-party activity is detected. So even if fraudsters have managed to access your vendor’s systems and dupe your team members, the payment itself is still stopped.
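As an added example, not part of the article and not Trustpair’s product: a Python bank-detail change control of the kind the “Fake or altered invoice” section and the automated controls above call for. It validates the IBAN checksum (ISO 13616, mod 97), compares the instruction with the vendor master record, and holds anything that changed until the vendor reads the new IBAN back during a call to a phone number already on file. The vendor record, the phone number and the instructions are constructed; the two IBANs are the published ISO 13616 example values, not real accounts.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class VendorRecord:
    """Master data captured at onboarding: the reference every instruction is checked against."""
    name: str
    iban: str
    callback_phone: str  # taken from the signed contract, never from an email


@dataclass
class PaymentInstruction:
    """What accounts payable received: an invoice or a 'change of bank details' reply."""
    vendor: str
    amount_cents: int
    iban: str
    source: str  # e.g. "reply in existing thread", "new invoice PDF"


def _canon(iban: str) -> str:
    return iban.replace(" ", "").upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, replace each
    letter A-Z with 10-35, and the resulting integer must be congruent to 1 mod 97.
    This catches typos and invented numbers; a well-formed fraudulent IBAN still passes."""
    s = _canon(iban)
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    if not (s[:2].isalpha() and s[2:4].isdigit()):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def verify_bank_details(vendor: VendorRecord, instr: PaymentInstruction,
                        confirmed_iban: Optional[str] = None) -> Tuple[str, str]:
    """Decide 'pay', 'hold' or 'reject' for one instruction.

    confirmed_iban is the IBAN the vendor read back during a callback to
    vendor.callback_phone; None means no callback has happened yet."""
    new, on_file = _canon(instr.iban), _canon(vendor.iban)
    if not iban_is_valid(new):
        return "reject", "IBAN fails the ISO 13616 checksum"
    if new == on_file:
        return "pay", "bank details match the vendor master record"
    if confirmed_iban is None:
        return "hold", (f"bank details changed via '{instr.source}'; "
                        f"call {vendor.name} on {vendor.callback_phone} before paying")
    if _canon(confirmed_iban) == new:
        return "pay", "change confirmed by callback to the number on file"
    return "reject", "vendor did not confirm the new IBAN; treat as suspected VEC and alert security"


# Constructed vendor record and instructions (hypothetical names, drama-range phone number).
ACME = VendorRecord("Acme Supplies Ltd", "GB82 WEST 1234 5698 7654 32", "+44 20 7946 0000")
ROUTINE = PaymentInstruction("Acme Supplies Ltd", 125000, "GB82 WEST 1234 5698 7654 32", "new invoice PDF")
HIJACKED = PaymentInstruction("Acme Supplies Ltd", 125000, "DE89 3704 0044 0532 0130 00", "reply in existing thread")
MISTYPED = PaymentInstruction("Acme Supplies Ltd", 125000, "GB82 WEST 1234 5698 7654 33", "new invoice PDF")

if __name__ == "__main__":
    print(verify_bank_details(ACME, ROUTINE))                              # pay
    print(verify_bank_details(ACME, HIJACKED))                             # hold
    print(verify_bank_details(ACME, HIJACKED, confirmed_iban=ACME.iban))   # vendor says unchanged: reject
    print(verify_bank_details(ACME, MISTYPED))                             # reject: checksum
```

The decisive design choice is that the callback number comes from the vendor record, not from the instruction: a hijacked thread will happily supply a “new contact number” that rings the fraudster. The checksum step is there to reject mistyped or fabricated numbers early, not to establish legitimacy, since the attacker’s own account number is perfectly well-formed.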
Reflecting on Vendor Email Compromise
Vendor Email Compromise (VEC) is a sophisticated cyberattack in which fraudsters impersonate trusted vendors to steal money or sensitive information. It exploits business trust and urgency to deceive employees into making payments or handing over access. Prevention relies on strong system security, out-of-band verification of any change to payment details, staff training, and automated verification tools like Trustpair.

