It’s a common scenario: An employee receives an email or text message that appears to come from an executive asking if they are available to complete a task right away. Although the task is something they ordinarily aren’t asked to do—such as send a payment to an unknown vendor—the email seems to come from someone they know, and the tone of the email is urgent. What will the employee do? Often the answer depends on the training and information they have received.
Deconstructing the Scams
This type of phishing email is called a business email compromise (BEC) scam. These messages are often brief, urgent, and try to convince the victim to bypass normal policies and procedures. While automated security systems can be implemented to detect and block malicious links and attachments, emails used in a BEC scam rarely contain these elements, making it easier for them to bypass standard security measures.
Recent research has shown that the classic BEC attacks are evolving as criminals try a new technique—vendor email compromise (VEC). In a standard BEC attack, a cyber criminal poses as an executive and sends multiple phishing messages to employees within an organization. In contrast, VEC attacks are tailored to a specific individual connected to a vendor or other third party. VEC attacks require extensive amounts of reconnaissance, with the perpetrator often taking several weeks or even months to gather a solid understanding of the organization’s business relationships, projects, and financial processes.
VEC most commonly begins when criminals compromise a vendor’s email account and gain access to the correspondence between the vendor and its customers. This lets the criminal send mail from the vendor’s own mailbox, so it passes filters and reputation checks because it genuinely originates from a known, valid account. Employees who have fiduciary responsibilities or handle sensitive company information are the most common targets, but everyone handles information that can be valuable to a cyber criminal, which means every employee is a potential target.
It is becoming more common for cyber criminals to exploit the established trust between vendors and their customers to deliver phishing emails. Because the recipient already trusts the sender, a malicious email that stems from a third-party compromise is far more likely to be acted on than one from a stranger.
Please read on to learn how organizations and their employees can be protected from BEC and VEC attacks.
How Do BEC and VEC Attacks Work?
Cyber criminals follow a set of steps to successfully carry out these types of attacks. The table below explains the multiple stages of an attack:
| Business Email Compromise (BEC) | Vendor Email Compromise (VEC) |
|---|---|
| Identify the target within the organization. Cyber criminals start by looking for a target, often by sifting through LinkedIn profiles, purchasing business email databases, and searching websites for contact information. They collect details about the target that can be used to shape the request in the email or text message. | Send phishing emails to the targeted vendor in order to compromise a vendor email account. The initial phishing campaign is aimed at the vendor; the goal is to harvest and use the credentials of someone inside the vendor organization. Once they hold valid credentials, the cyber criminals may have full access to that mailbox. If the account is protected by multifactor authentication (MFA) that relies on push approvals, they may attempt to log in repeatedly, hoping the victim gets frustrated and eventually approves a prompt, granting them access (a technique known as MFA fatigue or push bombing). |
| Create fake email accounts. They may create a throwaway email account whose display name matches an executive’s, such as “John Doe <[email protected]>”, so the message looks legitimate at a glance. Alternatively, they may register a lookalike domain that differs from the real one by a character or two and use it to impersonate the company they are attacking. In both cases they hope employees will respond to the urgency rather than pause to spot the difference between the fake address and a real one. | Gather information to imitate the compromised vendor employee. At this stage, unlike BEC, the cyber criminals already have access to the vendor’s mailbox and are sifting through email threads and files, studying how the account’s owner writes and works. Because the mailbox exposes the vendor’s client and customer contacts, they can determine which contacts are significant clients and whether an upcoming business deal or payment can be exploited. |
| Pose as an executive or someone with authority. Cyber criminals typically impersonate an executive because they know many people are more likely to bypass established verification procedures when a request appears to come from an executive; employees are conditioned to act on such requests immediately. | Take control of the compromised account. Cyber criminals can create inbox rules that forward or redirect selected incoming and outgoing mail from the compromised account to their own inbox. The owner of the compromised account often does not notice, because there are usually no visible signs that someone is reading their mail. This stage is usually where the cyber criminal spends the most time, since most of the reconnaissance needed to execute the attack happens here. |
| Elicit money or confidential information through a spear phishing campaign. Once they have identified their victims, the cyber criminals send targeted phishing emails that appear to come from a trusted sender, aiming to manipulate the victims into sending money, buying gift cards, or revealing confidential information. | Design and launch spear phishing emails to the vendor’s clients and customers. After completing extensive reconnaissance, the cyber criminals launch a targeted phishing campaign against their chosen victim. As in a BEC attack, the aim is to manipulate the victim into disclosing sensitive information, diverting payments, or sending confidential client information. |
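The inbox-rule persistence described in the VEC column is something a defender can audit. The following is an added example, not code from the original article: it runs a small set of checks over a constructed list of mailbox rules and flags the patterns typical of a compromised account: forwarding or redirecting to an external address, deleting matches, hiding matches in a folder the owner rarely opens, blank or punctuation-only rule names, and filters on payment or security keywords. The rule record fields, the internal domain and the sample rules are all assumptions made for this example, not any mail product’s real export schema.

```python
"""Audit mailbox inbox rules for the patterns attackers leave behind.

Added example, not from the original article. The InboxRule fields, the
internal domain and the sample rules are assumptions constructed for this
example; they are not any mail product's real export schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domain(s)

# Folders attackers commonly auto-move mail into so the owner never sees it.
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Junk Email", "Deleted Items",
                  "Conversation History", "Archive"}

# Subject keywords a compromised-account rule often filters on, to intercept
# payment threads and to suppress replies or security warnings.
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "bank", "password",
                       "suspicious", "fraud", "phishing", "hacked", "compromised"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""          # "" means the rule does not move mail
    subject_contains: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rule(rule: InboxRule) -> List[str]:
    """Return the reasons a rule looks malicious; an empty list means it looks benign."""
    reasons: List[str] = []
    if not rule.enabled:
        return reasons                # disabled rules do nothing, skip them
    if rule.name.strip(". -_") == "":
        reasons.append("rule name is blank or punctuation only")
    for addr in rule.forward_to + rule.redirect_to:
        if is_external(addr):
            reasons.append(f"forwards or redirects to external address {addr}")
    if rule.delete_message:
        reasons.append("deletes matching messages")
    if rule.move_to_folder in HIDING_FOLDERS:
        reasons.append(f"hides matching messages in '{rule.move_to_folder}'")
    hits = sorted(k for k in rule.subject_contains if k.lower() in SUSPICIOUS_KEYWORDS)
    # Keyword filters are only interesting when paired with a hiding or exfiltration action.
    if hits and reasons:
        reasons.append("filters on sensitive keywords: " + ", ".join(hits))
    return reasons


def audit_mailbox_rules(rules: List[InboxRule]) -> Dict[Tuple[str, str], List[str]]:
    """Map (mailbox, rule name) to its reasons for every rule that raises at least one."""
    findings: Dict[Tuple[str, str], List[str]] = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings[(rule.mailbox, rule.name)] = reasons
    return findings


# Constructed sample export: two ordinary rules and two typical of a compromised mailbox.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Newsletters", move_to_folder="Newsletters",
              subject_contains=["digest"]),
    InboxRule("alice@example.com", "Share with AP", forward_to=["ap-team@example.com"]),
    InboxRule("bob@example.com", ".", redirect_to=["b.finance@mail-drop.invalid"],
              delete_message=True, subject_contains=["invoice", "payment"]),
    InboxRule("bob@example.com", "Archive old", move_to_folder="RSS Subscriptions",
              subject_contains=["suspicious", "password"]),
]

if __name__ == "__main__":
    for (mailbox, name), reasons in audit_mailbox_rules(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

In practice the rule list would come from the mail platform’s admin export or audit log rather than being built inline; the checks themselves do not change. Note that a forward to an internal colleague or a move into a user-named folder is deliberately left unflagged, and a keyword filter only counts when it is combined with an action that hides or exfiltrates mail, which keeps the noise from ordinary housekeeping rules down.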
How Can Organizations Be Protected?
Although BEC and VEC attacks are different forms of phishing, the same rules apply to both. It is important for employees to take the same precautions when receiving an unsolicited email from a trusted sender as they would with an unknown sender.
If an employee receives an email or text message with an urgent request—even if it’s from a trusted sender—they should not reply until they’ve verified the request by either texting or calling the sender at a known valid number. Instruct employees to never reply to or call a number that is included in a suspicious email or text; there is a strong possibility the number will connect to the cyber criminals who sent the message rather than to the purported sender.
Take these additional steps to protect your organization’s network and data:
- Train employees to pay particular attention to unexpected emails or texts, suspicious payment requests, or unusual attachments and links.
- Remind employees that VEC emails are often convincing precisely because the cyber criminal has spent weeks studying the vendor; the message may reuse the vendor’s genuine email signature and branding, so matching branding is not evidence that a request is legitimate.
- Enforce a password policy. Educate employees never to type their password into a webpage reached through a link in an email. Entering a network password on an unfamiliar site can hand that password to the attacker.
- Implement a proper security reporting channel. Ensuring employees are familiar with key points of contact, such as the organization’s IT and Information Security teams, will help the incident response process. If an employee receives a request for payment or for sensitive information about clients or employees, instruct them to verify the request with Human Resources and/or Information Security before proceeding.
- Advise caution when communicating with external recipients. Educate employees on the dangers of interacting with suspicious emails, and have them double-check the full sender address in the From field rather than just the display name, to guard against spoofed and lookalike addresses. Bear in mind that address checks catch impersonation but not a genuinely compromised vendor account, which sends from the real address and may have inbox rules quietly redirecting replies to the attacker; that case is only caught by the out-of-band verification described above. Employees should practice the same vigilance with text messages.
- Employees should be wary of an urgent tone of voice used in an email. Cyber criminals tend to use urgency and demand secrecy. If the sender is asking the recipient to act quickly, this is a major red flag.
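Checking the full sender address, as the list above recommends, can be partly automated at the mail gateway. The following added example (not from the original article) parses a From header, flags a display name that matches an executive on a non-corporate domain, and detects lookalike domains by folding common homoglyph and digit substitutions before comparing against a trusted list. The executive roster, trusted domains, confusable map, similarity threshold and sample headers are assumptions constructed for the example.

```python
"""Flag executive impersonation and lookalike sender domains in a From header.

Added example, not from the original article. The executive roster, trusted
domains, confusable map and sample headers are assumptions constructed for it.
"""
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import List, Optional

TRUSTED_DOMAINS = {"example.com", "acme-vendor.com"}   # assumption: our domain and a known vendor
EXECUTIVES = {"john doe", "jane roe"}                   # assumption: display names worth protecting

# Digits attackers substitute for letters (examp1e.com, acme-vend0r.com).
CONFUSABLE_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                                   "7": "t", "8": "b", "9": "g"})
# A few Cyrillic letters that render identically to Latin ones in most fonts.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0456": "i"}
SIMILARITY_THRESHOLD = 0.85  # ratio above which two domains are treated as lookalikes


def normalise_domain(domain: str) -> str:
    """Fold the common visual tricks so a lookalike compares equal to the real domain."""
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    d = "".join(HOMOGLYPHS.get(ch, ch) for ch in d)
    d = d.translate(CONFUSABLE_DIGITS)
    return d.replace("rn", "m").replace("vv", "w")   # exarnple.com, vvendor.com


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalise_domain(domain)
    best, best_ratio = None, 0.0
    for trusted in TRUSTED_DOMAINS:
        t = normalise_domain(trusted)
        # An exact match after folding, or the real domain used as a leading label
        # (example.com.secure-login.test), is a lookalike regardless of length.
        if norm == t or norm.startswith(t + "."):
            return trusted
        ratio = SequenceMatcher(None, norm, t).ratio()
        if ratio > best_ratio:
            best, best_ratio = trusted, ratio
    return best if best_ratio >= SIMILARITY_THRESHOLD else None


def assess_sender(from_header: str) -> List[str]:
    """Return warnings for a From header; an empty list means nothing looked wrong."""
    name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    warnings: List[str] = []
    if name.strip().lower() in EXECUTIVES and domain not in TRUSTED_DOMAINS:
        warnings.append(f"display name {name!r} matches an executive but the address is on {domain!r}")
    imitated = lookalike_of(domain) if domain else None
    if imitated:
        warnings.append(f"domain {domain!r} imitates trusted domain {imitated!r}")
    return warnings


# Constructed sample headers: one genuine, then the three impersonation styles.
SAMPLE_HEADERS = [
    "John Doe <john.doe@example.com>",
    "John Doe <johndoe.ceo@gmail.com>",
    "Accounts Payable <ap@acme-vend0r.com>",
    "Jane Roe <jane.roe@example.com.secure-login.test>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", assess_sender(header) or ["ok"])
```

The folding step is applied to both the candidate and the trusted domain, so a substitution such as rn to m that would also alter a legitimate name still compares consistently. A real deployment would load the executive list and trusted domains from a directory and tune the threshold against its own traffic; the point here is that display-name and lookalike checks are cheap to run on every inbound message, whereas a compromised vendor account (the VEC case) passes them and still needs out-of-band verification.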
Organizations should keep in mind that it does not matter whether an employee sits in the corporate office or is customer facing; to a cyber criminal, everyone in the organization holds valuable information. By following these guidelines and best practices, organizations can keep their own information, and their clients’ information, secure.