Researchers at Abnormal Security have observed an increase in vendor impersonation in business email compromise (BEC) attacks.
“In January 2022, the number of attacks impersonating third parties surpassed those impersonating internal employees for the first time,” the researchers write. “This trend has continued each month since, with third-party impersonations making up 52% of all BEC attacks in May 2022.”
Abnormal Security notes that this tactic allows threat actors to target organizations of all sizes.
“We’ve seen this shift to what we’ve termed financial supply chain compromise for a number of reasons,” the researchers write. “Most notably is that the approach gives threat actors a plethora of additional trusted identities to exploit. Even the smallest businesses likely work with at least one vendor, and larger companies have supplier numbers in the hundreds or thousands. And while the average employee has some level of familiarity with the company’s executive team, they may not have that same awareness of the organization’s entire vendor ecosystem—particularly in larger enterprises. Further, the vendor-customer dynamic has an intrinsic financial aspect to it, which means emails requesting payments or referencing bank account changes are less likely to raise red flags. All of these factors combine to make a perfect environment for exploiting end user trust.”
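The factors the researchers list (an unfamiliar vendor ecosystem, and payment or bank-change requests that look routine) are exactly what a mail-security or accounts-payable control can key on. As an added example that is not part of the original post or of Abnormal Security's research, the Python sketch below checks the sender and Reply-To domains against a constructed list of known vendor domains, flags lookalike domains (homoglyph, hyphen and edit-distance variants and the vendor name embedded in a longer domain), flags a Reply-To domain that differs from the From domain, and looks for bank-change or payment-pressure language. The vendor names, sample messages and regexes are all constructed for illustration, and the registrable-root logic is deliberately naive (real code would use the Public Suffix List).

```python
import re
from typing import Dict, Optional

# Constructed vendor master list (hypothetical names), standing in for the
# accounts-payable record of who the organization actually pays.
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northwind-logistics.com"}

# Substitutions commonly used to build visually similar domains.
HOMOGLYPH_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Bank-change and payment-pressure phrasing; kept narrow on purpose.
PAYMENT_PATTERNS = [
    r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wire|routing|remittance)\b",
    r"\b(bank|account|wire|routing|remittance)\b.{0,40}\b(details|information|changed|updated)\b",
    r"\bpast[- ]due\b",
    r"\b(urgent|immediately|today)\b.{0,30}\b(payment|invoice|wire)\b",
]


def registrable_root(domain: str) -> str:
    """'billing.acme-supply.com' -> 'acme-supply'. Naive: takes the label left
    of the TLD, so suffixes like .co.uk need the Public Suffix List in real code."""
    labels = domain.lower().strip().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Drop hyphens and undo homoglyph tricks so 'acrne-supply' becomes 'acmesupply'."""
    s = label.lower().replace("-", "")
    for src, dst in HOMOGLYPH_PAIRS:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance via single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_vendor(sender_domain: str) -> Optional[str]:
    """Known vendor domain that sender_domain imitates, or None when the sender
    is a genuine vendor domain (or subdomain of one) or simply unrelated."""
    sender_domain = sender_domain.lower()
    if any(sender_domain == v or sender_domain.endswith("." + v) for v in KNOWN_VENDOR_DOMAINS):
        return None
    s_root = normalize(registrable_root(sender_domain))
    for vendor in sorted(KNOWN_VENDOR_DOMAINS):
        v_root = normalize(registrable_root(vendor))
        dist = levenshtein(s_root, v_root)
        # Same root under another TLD, vendor name embedded in a longer domain,
        # or a couple of edits away (bounded so short roots do not match everything).
        if s_root == v_root or v_root in s_root or (dist <= 2 and dist < len(v_root) // 3):
            return vendor
    return None


def address_domain(addr: str) -> str:
    """Domain from 'Name <user@host>' or 'user@host'; '' if none."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def assess(message: Dict[str, str]) -> Dict[str, object]:
    """Combine sender and content signals into an action for the AP workflow."""
    from_domain = address_domain(message.get("from", ""))
    reply_domain = address_domain(message.get("reply-to", "")) or from_domain
    text = (message.get("subject", "") + "\n" + message.get("body", "")).lower()
    signals = {
        "impersonated_vendor": lookalike_vendor(from_domain) or lookalike_vendor(reply_domain),
        "reply_to_mismatch": reply_domain != from_domain,
        "payment_language": any(re.search(p, text) for p in PAYMENT_PATTERNS),
    }
    sender_anomaly = signals["impersonated_vendor"] is not None or signals["reply_to_mismatch"]
    if signals["payment_language"] and sender_anomaly:
        action = "hold"  # quarantine and route to a human before any payment changes
    elif signals["payment_language"]:
        # Even from the genuine vendor domain, bank-change or payment-pressure mail
        # needs out-of-band confirmation: a compromised vendor mailbox sends from
        # the real domain.
        action = "verify"
    else:
        action = "allow"
    return {**signals, "action": action}


# Constructed sample messages for illustration only.
SAMPLE_MESSAGES = [
    {"from": "AP Team <billing@acrne-supply.com>",
     "subject": "Updated remittance details for invoice 4471",
     "body": "Our bank account has changed. Please wire all future payments to the new account below."},
    {"from": "invoices@northwind-logistics.com",
     "reply-to": "invoices@northwind-logistics-accounts.com",
     "subject": "Invoice 2201 past due",
     "body": "Settle today to avoid service interruption."},
    {"from": "ap@acme-supply.com", "subject": "Banking update",
     "body": "We have moved banks; new account details are attached."},
    {"from": "invoices@northwind-logistics.com", "subject": "Delivery schedule",
     "body": "Attached is the updated delivery schedule for next week."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", assess(msg))
```

The "verify" outcome is the important design choice: because vendor email compromise frequently comes from a vendor's real, compromised mailbox, no domain check can clear a bank-change request on its own, and the workflow should require confirmation through a phone number already on file rather than one supplied in the email.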
Although the impersonated identity has shifted from internal executives to outside vendors, the sums the criminals ask for in these attacks remain very large.
“This shift to financial supply chain compromise is yet another important milestone in the evolution from low-value, low-impact attacks like spam to high-value, high-impact attacks that can cost thousands of dollars,” the researchers write. “Abnormal research found that the average vendor email compromise attack costs $183,000, and the highest amount requested thus far was $2.1 million.”
New-school security awareness training can teach your employees to recognize social engineering tactics so they can thwart these types of attacks.
Abnormal Security has the story.