Agari’s latest Email Fraud & Identity Deception Trends report highlights the growing threat of vendor email compromise (VEC), according to SecurityWeek. This is a variety of business email compromise (BEC) attack—also known as CEO Fraud—in which attackers gain access to email accounts at a company in the supply chain, and then use those accounts to target that company’s customers. P.S., did you know that KnowBe4 has an extensive glossary with hundreds of these terms?
The attacks involve a reconnaissance phase in which the scammers quietly observe a company’s payment routines and identify a lucrative contract to target. Eventually, they’ll craft emails that perfectly imitate the real emails they’ve seen the company’s employees sending to their customers. The attackers will then send these emails from the hacked email account to request payment from the target company. These invoices are for the correct amount of money and appear identical to the real invoices, but they direct the money to the attacker’s bank account.
Armen Najarian, Agari's chief identity officer, told SecurityWeek that VEC attackers usually go after companies that have expensive contracts.
“Generally, these sophisticated attackers are looking for deep pocket, big contract scenarios – think of the supply of a major part of a component for an aircraft manufacturing process that is potentially hundreds of thousands of dollars,” Najarian said.
While VEC scams use the same tactics as other BEC attacks, they are much more lucrative. Najarian said attackers have already realized this, and Agari expects vendor-focused attacks to surpass other BEC attacks next year.
“We are seeing a notable shift in the focus from threat actor groups into this type of attack, primarily because the payout is much bigger,” Najarian said. “On average, a BEC CEO fraud attack will generally pay out in the $50,000 to $55,000 range, but a successfully executed VEC attack will pay more than double at around $125,000 on average.”
Companies need to have processes in place to ensure the legitimacy of transactions, and employees need to be trained to recognize suspicious behavior. New-school security awareness training can give your employees the ability to prevent these attacks. SecurityWeek has the story: https://www.securityweek.com/vendor-email-compromise-latest-identity-deception-attack
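One transaction check that addresses the invoice described above, as an added example that is not from the SecurityWeek story or from Agari: it holds any invoice whose bank details differ from the vendor of record, assuming a hypothetical vendor-master lookup and constructed invoice data.

```python
from dataclasses import dataclass

# Constructed vendor-of-record data (hypothetical vendor and account).
VENDOR_MASTER = {
    "acme-parts.example": {"iban": "GB00EXAMPLE0000000001",
                           "beneficiary": "Acme Parts Ltd"},
}


@dataclass(frozen=True)
class Invoice:
    sender_domain: str   # domain of the mailbox the invoice arrived from
    vendor: str          # vendor the invoice claims to be from
    amount: float
    iban: str
    beneficiary: str


def check_invoice(inv: Invoice) -> list[str]:
    """Return the reasons this invoice must be verified out of band before
    payment; an empty list means its payment details match the vendor of record.
    Amount and sender are deliberately not used as evidence: in VEC the mail
    comes from the vendor's real, compromised mailbox and the amount is correct,
    so only the destination of the money gives the attack away."""
    record = VENDOR_MASTER.get(inv.vendor)
    if record is None:
        return ["unknown vendor: onboard and verify before paying"]
    reasons = []
    if inv.iban != record["iban"]:
        reasons.append("bank account differs from vendor of record")
    if inv.beneficiary != record["beneficiary"]:
        reasons.append("beneficiary name differs from vendor of record")
    return reasons


def payment_decision(inv: Invoice) -> str:
    """Pay only when nothing changed; any change goes to a callback on a
    contact number already on file, never one taken from the email."""
    if check_invoice(inv):
        return "hold: verify by phone with a known vendor contact"
    return "pay"


# Constructed invoices: the second is identical to the first except the IBAN.
LEGIT_INVOICE = Invoice("acme-parts.example", "acme-parts.example", 248_500.00,
                        "GB00EXAMPLE0000000001", "Acme Parts Ltd")
VEC_INVOICE = Invoice("acme-parts.example", "acme-parts.example", 248_500.00,
                      "GB00CHANGED0000000009", "Acme Parts Ltd")
```

The decisive input is the vendor master record, so the process only works if changes to it go through the same out-of-band verification.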