All businesses rely on email to some extent. Email based attacks against businesses are therefore a powerful tool for cybercriminals. They are also difficult to protect against because they only require one person in a company to interact with, and fall for, them.

Phishing emails are the most obvious. During a phishing attack, an employee is asked to click on a link and their password is stolen when they do so. But businesses also need to look out for more sophisticated attacks.

Vendor Email Compromise (VEC) is a new attack that's based on business email compromise. So what is it and how does it work?

What Is Business Email Compromise?

Business Email Compromise (BEC) attacks typically involve the impersonation of high level employees. The attacker first learns enough about a business to know who works there. This isn't difficult to do because businesses often share a lot of this information online.

The attacker creates an email address that includes the name of the CEO and contacts an employee impersonating that person. The employee will then be asked to make an urgent bank transfer. The email will include both a plausible reason for doing so and a sense of urgency.

The attack relies on the fact that employees will often make the transfer out of fear of being fired or otherwise facing repercussions.

What Is Vendor Email Compromise?


VEC attacks are a type of BEC attack. Unlike traditional BEC attacks, they specifically target vendors. Vendors typically work with a large number of different businesses. The idea is that if an attacker can successfully impersonate a vendor, they can then steal from all of those firms.

VEC attacks require more work and take longer to implement. But depending on the size of the vendor, the profits can also be significantly higher.

While an employee might question why their boss suddenly wants them to make a large bank transfer, it's often perfectly normal for a vendor to make this request in the form of an invoice. A VEC attack also often targets multiple businesses whereas a BEC attack only targets one.

How Does VEC Work?

There are many variations of vendor email compromise and the amount of effort that's applied depends on the size of the vendor and the potential pay-off. Most VEC attacks, however, include the following phases.

Phishing Against the Vendor

A successful VEC attack begins by attempting to access email accounts associated with a vendor. This is typically achieved by sending phishing emails to the vendor's employees. If an employee allows their credentials to be stolen, the attacker can then access their account and begin the attack.

Learning About the Vendor

Once credentials are stolen, the attacker can log into the employee's email and gain information about the company and its customers. The attacker needs to understand how often invoices are sent out, what they look like, and who they are sent to.

During this phase, the attacker usually sets up forwarding so that every email arriving in the legitimate account is also sent to an account they control. This lets them keep track of the business without repeatedly logging in, which matters because the information required to commit the attack often takes many weeks to acquire, and fewer logins means fewer chances of being noticed.
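Because the forwarding rule is what lets the attacker watch the mailbox for weeks, auditing inbox rules for external forwarding is one of the few places a vendor can catch this phase. The script below is an added example, not code from the article: it runs over a constructed JSON export of inbox rules (the field names `mailbox`, `forward_to`, `redirect_to`, `delete` are hypothetical; real mail platforms export rules in their own formats) and flags enabled rules that send mail outside the organisation's domains. The extra indicators it reports, a rule that also deletes the message and a rule with a blank or one-character name, are common traits of attacker-created rules and go beyond what the article mentions.

```python
import json

# Constructed export of inbox rules for two mailboxes (hypothetical format and
# sample data; adapt the field names to whatever your mail platform exports).
SAMPLE_RULES_JSON = """
[
  {"mailbox": "accounts@example-vendor.com", "name": "Archive newsletters",
   "enabled": true, "forward_to": [], "redirect_to": [], "delete": false},
  {"mailbox": "accounts@example-vendor.com", "name": ".",
   "enabled": true, "forward_to": ["collector@attacker-mail.example"],
   "redirect_to": [], "delete": true},
  {"mailbox": "sales@example-vendor.com", "name": "CC finance",
   "enabled": true, "forward_to": ["finance@example-vendor.com"],
   "redirect_to": [], "delete": false},
  {"mailbox": "sales@example-vendor.com", "name": "Old rule",
   "enabled": false, "forward_to": ["me@personal-mail.example"],
   "redirect_to": [], "delete": false}
]
"""

# Domains that count as "inside" the vendor (constructed value).
INTERNAL_DOMAINS = {"example-vendor.com"}


def external_targets(rule, internal_domains):
    """Return every forward/redirect address whose domain is not internal."""
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    return [t for t in targets
            if t.rsplit("@", 1)[-1].lower() not in internal_domains]


def audit_rules(rules, internal_domains):
    """Return one finding per enabled rule that sends mail outside the org.

    Each finding lists the reasons it was flagged so a reviewer can
    prioritise: external forwarding alone is worth a look, external
    forwarding plus delete-after-forward and a blank name is urgent.
    """
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # disabled rules do not leak mail right now
        ext = external_targets(rule, internal_domains)
        if not ext:
            continue  # forwarding only within the organisation
        reasons = ["forwards outside the organisation to " + ", ".join(ext)]
        if rule.get("delete"):
            reasons.append("deletes the message after forwarding")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        findings.append({"mailbox": rule["mailbox"],
                         "rule": rule["name"],
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_rules(json.loads(SAMPLE_RULES_JSON), INTERNAL_DOMAINS):
        print(f"{f['mailbox']}: rule {f['rule']!r}: " + "; ".join(f["reasons"]))
```

Run periodically against a fresh export and alert on any new finding; a legitimate rule that forwards to a colleague in the same domain produces nothing, while the constructed attacker rule above is reported with all three reasons.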

Contacting the Vendor's Customers

After sufficient information is gathered about the vendor, the attacker can attempt to impersonate them. The attacker may use the vendor's email address which they already have access to. Or they may create a new email address which is similar to that of the vendor.

They will then contact customers and request that large bank transfers be made. At this point, the scammer understands both how legitimate emails appear and what sort of transfer requests make sense. This allows them to create emails which are highly realistic.

Many businesses will pay the invoice automatically without requesting verification.

What Happens if You Are a Victim of VEC?

Vendor email compromise affects two parties, namely the company and their customers.

While the vendor can suffer harm to their reputation, they do not lose any money directly to the attackers. Information is stolen from their email accounts, but this information is used to steal money from other people.

The primary victims of this attack are the customers. The amount that they lose is dependent on how much they usually pay the vendor and whether the attacker is capable of getting them to send more than that amount. Because the attackers are anonymous, it's usually impossible to recover the payment.

How to Protect Against VEC


Both vendors and their customers can protect themselves from VEC attacks by increasing employee training and changing how emails are accessed.

Train Employees to Identify Fraudulent Emails

This type of attack becomes significantly more difficult if the employees working for both the vendor and their customers are trained to detect fraudulent emails. All employees should understand the threat posed by phishing.

Any email that includes an invoice should also face additional scrutiny before any payment is made. The emails sent to the vendor's customers are often realistic and sent out at the usual time. But they can still be detected because either the email address won't match or the payment is being requested to a different bank account.
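The two tells named above, a sender address that does not match the vendor and a request to pay a different bank account, can be checked mechanically before an invoice reaches the person who approves payment. The following is an added example, not code from the article: it compares the `From` domain and the IBAN found in the body against a constructed vendor master record (the vendor name, domain and account numbers are all sample data) and returns the reasons the invoice needs manual verification. It is meant to back up, not replace, a phone call to a known contact at the vendor.

```python
import email
import re
from email.utils import parseaddr

# Constructed vendor master record: the contact domain and bank account the
# customer already has on file for each vendor (hypothetical sample data).
VENDOR_RECORDS = {
    "Example Supplies Ltd": {
        "domain": "example-supplies.com",
        "iban": "GB29NWBK60161331926819",
    },
}

# Constructed invoice email that imitates the vendor's usual message but comes
# from a lookalike domain and asks for payment to a different account.
SUSPICIOUS_INVOICE = """\
From: Accounts Team <accounts@example-supp1ies.com>
To: ap@customer.example
Subject: Invoice 4471 - payment due

Dear customer,

Please find attached invoice 4471 from Example Supplies Ltd.
Note our updated banking details:
IBAN: GB94BARC10201530093459
"""

# Constructed invoice email that matches the record on file.
LEGITIMATE_INVOICE = """\
From: Accounts Team <accounts@example-supplies.com>
To: ap@customer.example
Subject: Invoice 4472 - payment due

Invoice 4472 from Example Supplies Ltd.
IBAN: GB29NWBK60161331926819
"""

# Loose IBAN pattern: country code, two check digits, then the account part.
IBAN_RE = re.compile(r"\bIBAN[:\s]+([A-Z]{2}[0-9]{2}[A-Z0-9 ]{11,30})")


def check_invoice(raw_message, vendor_name, records):
    """Return the reasons this invoice needs manual verification before
    payment; an empty list means sender and account match the record."""
    record = records[vendor_name]
    msg = email.message_from_string(raw_message)
    reasons = []

    # Tell 1: the sending domain is not the one on file for this vendor.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if sender_domain != record["domain"]:
        reasons.append(f"sender domain {sender_domain!r} does not match "
                       f"vendor record {record['domain']!r}")

    # Tell 2: the invoice asks for payment to an account other than the one
    # on file. Any change of bank details is verified out of band, never by
    # replying to the email that announced it.
    match = IBAN_RE.search(msg.get_payload())
    if match:
        iban = match.group(1).replace(" ", "")
        if iban != record["iban"]:
            reasons.append(f"bank account {iban} differs from the account "
                           f"on file for {vendor_name}")
    return reasons


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_INVOICE),
                        ("legitimate", LEGITIMATE_INVOICE)):
        reasons = check_invoice(text, "Example Supplies Ltd", VENDOR_RECORDS)
        print(label, "->", "; ".join(reasons) if reasons else "matches record")
```

Note that the lookalike domain (`supp1ies` with a digit one) is caught simply because it is not the exact domain on file; the check does not need to guess at which lookalikes an attacker might choose.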

Implement Two-Factor Authentication

Two-Factor Authentication (2FA) can protect against phishing. Once added to an account, it prevents anybody from logging in unless they have access to the 2FA device.

This prevents VEC attacks from occurring because even if an employee provides the attacker with their password, the attacker won't be able to use it.

Vendor Email Compromise Is an Important Threat to Understand

Vendor email compromise is a new type of business email compromise that all vendors and their customers should be aware of. It is particularly problematic for companies that often pay significant sums of money to their vendors—but vendors, themselves, should also be aware of the potential damage to their reputation.

Like most email-based attacks, VEC relies on business employees not knowing how to identify fraudulent emails. It can therefore be prevented with increased training. Simple but effective.