There has been an increase in the number of business email compromise (BEC) attacks in the United States. According to Symantec, an average of 6,029 businesses received BEC emails in the last 12 months, and the FBI's figures indicate that losses suffered by attacked entities due to this scam amounted to $1,297,803,489 in 2018.
In BEC attacks, attackers gain access to business email accounts and use them to launch further attacks on the organization. Some BEC attacks involve acquiring sensitive data such as W-2 forms that can be used in tax fraud, but mostly the attackers try to use the accounts to set up fraudulent wire transfers. After accessing the email account of a CEO or another executive, the attacker sends messages to the payroll department to reroute payments or to order wire transfers to accounts controlled by the attacker.
This week Agari published details of a new BEC attack trend: vendor email compromise (VEC) attacks. Like other types of BEC attacks, these attacks use highly realistic emails to request payment of invoices; however, the company whose email accounts were compromised is not the victim of the attack. Those accounts are used to attack the company's clients.
A vendor email compromise attack begins with a spear-phishing email directed at the CEO or CFO. Once the attacker has the credentials, he or she accesses the account and adds mail-forwarding rules. The attacker then receives a copy of every email sent and received, without the account holder knowing about it.
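The mail-forwarding rules described above are the step a defender can see in mailbox audit logs before any fraudulent invoice is sent. The following script is an added example, not code from the article or from Agari: it scans audit records shaped like Exchange Online admin-audit entries (the cmdlet and parameter names are the real ones; the log records, user names and the internal-domain list are constructed sample data) and reports any inbox-rule or mailbox change that forwards or redirects mail to an address outside the organisation. Recipients given only as display names cannot be resolved to a domain and are reported for manual review rather than silently accepted.

```python
"""Flag mailbox forwarding rules that copy a user's mail to an external address.

Added example, not from the original article. Audit records are modelled on
Exchange Online admin-audit JSON; the sample records and domains below are
constructed for this demonstration.
"""
import json

# Assumption: the organisation's own mail domains (constructed sample values).
INTERNAL_DOMAINS = {"example-vendor.com", "mail.example-vendor.com"}

# Cmdlets that create or change forwarding, and the parameters that carry the
# forwarding target. These are real Exchange Online names.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample audit log, one JSON record per line.
SAMPLE_AUDIT_LOG = [
    # Legitimate: a rule that files newsletters into a folder, no forwarding.
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example-vendor.com",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "News"}]}),
    # Suspicious: a rule that forwards every message to an external mailbox.
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example-vendor.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo",
                                "Value": "smtp:billing.archive@external-mail.example"}]}),
    # Benign: mailbox-level forward to a colleague inside the organisation.
    json.dumps({"Operation": "Set-Mailbox", "UserId": "ceo@example-vendor.com",
                "Parameters": [{"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:assistant@example-vendor.com"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    # Unresolved: redirect target is a display name, so the domain is unknown.
    json.dumps({"Operation": "Set-InboxRule", "UserId": "ceo@example-vendor.com",
                "Parameters": [{"Name": "Identity", "Value": "Invoices"},
                               {"Name": "RedirectTo", "Value": "Accounts Payable"}]}),
    # Unrelated operation, ignored.
    json.dumps({"Operation": "Set-MailboxRegionalConfiguration",
                "UserId": "ceo@example-vendor.com",
                "Parameters": [{"Name": "TimeZone", "Value": "UTC"}]}),
]


def _recipient_domain(value):
    """Return the lower-cased domain of a recipient string, or None when the
    value is a display name (or similar) that carries no SMTP address.

    Accepts "user@dom", "smtp:user@dom" and "Name <user@dom>" forms.
    """
    addr = value.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    if addr.lower().startswith("smtp:"):
        addr = addr[5:]
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def find_external_forwarding(log_lines, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per forwarding target that is not in internal_domains.

    Each finding records the mailbox owner, the cmdlet, the parameter that set
    the target, the raw target string, and whether the target was determined to
    be "external" or is "unresolved" (no address to judge, needs review).
    """
    findings = []
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole scan
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p.get("Name"): p.get("Value") for p in record.get("Parameters", [])}
        for name in sorted(FORWARDING_PARAMS.intersection(params)):
            # Multi-valued parameters are logged semicolon-separated.
            for recipient in str(params[name]).split(";"):
                domain = _recipient_domain(recipient)
                if domain in internal_domains:
                    continue
                findings.append({
                    "user": record.get("UserId"),
                    "operation": record["Operation"],
                    "parameter": name,
                    "recipient": recipient.strip(),
                    "status": "external" if domain else "unresolved",
                })
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_AUDIT_LOG):
        print(f"{finding['status']:10} {finding['user']:28} "
              f"{finding['operation']:14} {finding['parameter']} -> {finding['recipient']}")
```

In production the same function would run over the exported audit log rather than the embedded sample, and the findings would be correlated with the sign-in records for the same mailbox; a forwarding rule to an external domain created shortly after an unusual login is the pattern to alert on.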
Over a period of weeks or months, the attacker studies the emails and learns the clients' billing cycles and typical invoice amounts. The attackers learn the email format, obtain the relevant logos, and use this information to produce very realistic bogus invoices for the right amount at the right time.
The attacker sends the invoice requests just a couple of days before payment would normally be made. The one detail that distinguishes a real request from a fraudulent one is a bank account different from the usual one.
The attacks are usually carried out against small to medium-sized companies, such as those that supply products or services to bigger firms. Each compromised email account can be used to send fake invoices to many of the company's clients, increasing the possible payout. The requests are so realistic that they are unlikely to make anyone suspicious. The timing, the context, the communication from the supposed vendor and the invoice itself all look totally legitimate, which is why this sort of attack is so effective.
Employees have a hard time identifying these attacks as all the common signs of bogus emails are missing. You won’t see spelling or grammar mistakes and the emails are dispatched from real – not fake – email accounts.
Agari has been monitoring the activity of a cybercriminal group called Silent Starling that is using this newer strategy. Since 2018, Silent Starling has carried out more than 500 known attacks involving about 700 compromised employee email accounts. Many other cybercriminal groups are using similar strategies.
VEC is expected to become the largest threat to businesses worldwide in the next 12 to 18 months, and these scams will continue to increase.