New Vendor Email Compromise Attack Seeks $36 Million

Stu Sjouwerman | Mar 24, 2023

Vendor Email Compromise AttacksThe details in this thwarted VEC attack demonstrate how the use of just a few key details can both establish credibility and indicate the entire thing is a scam.

It’s not every day you hear about a purely social engineering-based scam taking place that is looking to run away with tens of millions of dollars. But, according to security researchers at Abnormal Security, cybercriminals are becoming brazen and are taking their shots at very large prizes.

This attack begins with a case of VEC – where a domain is impersonated. In the case of this attack, the impersonated vendor’s domain (which had a .com top level domain) was replaced with a matching .cam domain (.cam domains are supposedly used for photography enthusiasts, but there’s the now-obvious problem with it looking very much like .com to the cursory glance).

The email attaches a legitimate-looking payoff letter complete with loan details:

image-4

Source: Abnormal Security

According to Abnormal Security, nearly every aspect of the request looked legitimate. The telltale signs primarily revolved around the use of the lookalike domain, but there were other grammatical mistakes (that can easily be addressed by using an online grammar service or ChatGPT).

This attack was identified well before it caused any damage, but the social engineering tactics leveraged were nearly enough to make this attack successful. Security solutions will help stop most attacks, but for those that make it past scanners, the user needs to play a role in spotting and stopping BEC, VEC and phishing attacks themselves – something taught through continual Security Awareness Training.

Discover Your Organization’s Exposed Email Attack Surface

Cybercriminals constantly scan the deep web and thousands of breach databases to find exposed employee identities, credentials, and passwords to launch targeted social engineering attacks. Run our free Email Exposure Check Pro (EEC) to safely uncover your at-risk users and see what your organizational structure looks like to an attacker before they exploit it.

Get Your Free Email Exposure Report

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.