Business email compromise (BEC) attackers are more frequently impersonating third-party vendors and suppliers in order to trick unwitting victims to send them money, marking a significant shift from traditional BEC attacks where attackers instead impersonated company executives and other employees within a victim's organization.
New research from Abnormal Security found that attacks that impersonated third-party vendors made up over half (52 percent) of all BEC attacks in May, and overtook internal employee impersonation attacks for the first time starting in January. The number of more traditional BEC attacks that impersonate internal employees, meanwhile, dropped 17 percent year-over-year. One of the most popular third-party vendor impersonation BEC tactics, which researchers have termed vendor email compromise, has been around for years and involves attackers pretending to be vendors either through compromising their email accounts or through spoofing their email addresses, and then convincing their customers or suppliers to transfer payments.
While researchers have previously highlighted vendor email compromise attacks, the fact that this tactic is now overtaking traditional BEC attacks “is an important milestone in the evolution from low-value, low-impact attacks like spam to high-value, high-impact attacks that can cost thousands of dollars,” said researchers with Abnormal Security in a Wednesday report.
The impersonation of third-party vendors can amount to more money than traditional BEC attacks - in some cases, more than two to three times higher, said researchers. In fact, researchers found that the average vendor email compromise attack cost businesses $183,000, and the highest amount requested so far reached $2.1 million. Vendor email compromise also widens the net for reaching more victims. If attackers compromise a “high-value” target at a vendor or supplier company, such as an accounts payable specialist, they can access their lists of customers or vendors. Threat actors can then launch thread hijacking attacks against these companies from the compromised email of the third-party vendor or supplier, asking them to arrange a wire payment.
“We’ve seen this shift… for a number of reasons, most notably because it gives threat actors a plethora of additional trusted identities to exploit,” said researchers. “Even the smallest businesses likely work with at least one vendor, and larger companies have supplier numbers in the hundreds or thousands.”
“For vendors and suppliers, it's critical to prevent the initial email or data compromise that leads to the second stage of a financial supply chain compromise attack that targets their customers.”
Meanwhile, employees at businesses have become increasingly aware that executives are unlikely to email them with financial requests, making internal employee impersonation attacks less effective. At the same time, vendor email compromise attacks are difficult for victims to detect because targets are often less familiar with their vendors, and because the initial compromise, which affects the third-party vendor, does not occur on the downstream targeted companies themselves. Vendor email compromise also paves the way for trickier social engineering tactics: Attackers may have access to a number of real documents - such as actual copies of vendor’s invoices or other financial documents stolen from the compromised inboxes - that can help them convince victims that the attack is legitimate.
Attackers are branching out with several types of attacks similar to vendor email compromise that focus on the web of relationships between suppliers, vendors and customers. These include attacks that impersonate a supplier’s executive and then use stolen information about outstanding payments to target the supplier’s customers and request that these outstanding payments be sent to an attacker-controlled account, for instance. Overall, BEC attacks have been around for decades, yet they still represent one of the top types of cybercriminal attacks that pose a formidable threat for businesses. That’s because BEC attacks work: The FBI’s Internet Crime Complaint Center (IC3) this year revealed that BEC (and email account compromise) victims reported nearly $2.4 billion in losses in 2021, a 28 percent increase over the previous year.
Crane Hassold, director of threat intelligence at Abnormal Security, said that vendor email compromise attacks continue to grow in overall volume year after year, and he sees that growth continuing in years to come.
“For vendors and suppliers, it's critical to prevent the initial email or data compromise that leads to the second stage of a financial supply chain compromise attack that targets their customers,” said Hassold. “The biggest problem is that, many times, the vendors that are compromised as part of a financial supply chain attack are small companies that don't have budgets to dedicate to robust email defenses, which makes the solution much easier said than done.”