When it comes to cybercrime and security threats, Vendor Email Compromise (VEC) is the big daddy of email fraud. It’s the type of attack most organizations are the least prepared for, and one they’re most likely to get hit by. Over the past 3 years, VEC has cost organizations over $26 billion. And it can be shockingly easy to execute.
Similar to VEC, BEC attacks involve the attacker impersonating a higher-up executive at the organization, sending emails to a newly hired employee, often in the financial department. They request fund transfers or payments of fake invoices, which if executed well enough, can convince a less experienced employee to initiate the transaction.
You can see why BEC is such a huge problem among major organizations. It’s difficult to monitor the activities of all your employees, and the less experienced ones are more prone to falling for an email that seems to be coming from their boss or CFO. When organizations asked us what’s the most dangerous cyberattack they needed to watch out for, our answer was always BEC.
That is, until Silent Starling.
Organized Cybercrime Syndicate
The so-called Silent Starling is a group of Nigerian cybercriminals with a history in scams and fraud going as far back as 2015. In July 2019, they engaged with a major organization, impersonating the CEO of one of their business partners. The email asked for a sudden, last minute change in bank details, requesting an urgent wire transfer.
Thankfully, they discovered the email was fake before any transaction occurred, but in the ensuing investigation, the disturbing details of the group’s methods came to light.
In what’s now being called Vendor Email Compromise (VEC), the attackers launch a significantly more elaborate and organized attack than typically happens in conventional BEC. The attack has 3 separate, intricately planned-out phases that seem to require a lot more effort than what most BEC attacks usually require. Here’s how it works.
VEC: How to Defraud a Company in 3 Steps
Step 1: Breaking in
The attackers first gain access to the email account of one or more individuals at the organization. This is a carefully orchestrated process: they find out which companies lack DMARC-authenticated domains. These are easy targets to spoof. Attackers gain access by sending employees a phishing email that looks like a login page and steal their login credentials. Now they have complete access to the inner workings of the organization.
Step 2: Collecting information
This second step is like a stakeout phase. The criminals can now read confidential emails, and use this to keep an eye out for employees involved in processing payments and transactions. The attackers identify the target organization’s biggest business partners and vendors. They gather information about the inner workings of the organization — things like billing practices, payment terms, and even what official documents and invoices look like.
Step 3: Taking action
With all this intelligence collected, the scammers create an extremely realistic email and wait for the right opportunity to send it (usually just before a transaction is about to take place). The email is targeted at the right person at the right time, and is coming through a genuine company account, which makes it next to impossible to identify.
By perfectly coordinating these 3 steps, Silent Starling were able to compromise their target organization’s security systems and nearly managed to steal tens of thousands of dollars. They were among the first to try such an elaborate cyberattack, and unfortunately, they’ll certainly not be the last.
I Don’t Want to Be a Victim of VEC. What Do I Do?
The really scary thing about VEC is that even if you’ve managed to discover it before the scammers could steal any money, it does not mean no damage has been done. The attackers still managed to get complete access to your email accounts and internal communications, and were able to get a detailed understanding of how your company’s finances, billing systems and other internal processes work. Information, especially sensitive information like this, leaves your organization completely exposed, and the attacker could always attempt another scam.
So what can you do about it? How are you supposed to prevent a VEC attack from happening to you?
1. Protect your email channels
One of the most effective ways to stop email fraud is to not even let the attackers begin Step 1 of the VEC process. You can stop cybercriminals from gaining initial access by simply blocking the phishing emails they use to steal your login credentials.
The PowerDMARC platform lets you use DMARC authentication to stop attackers from impersonating your brand and sending phishing emails to your own employees or business partners. It shows you everything going on in your email channels, and instantly alerts you when something goes wrong.
2. Educate your staff
One of the biggest mistakes even larger organizations make is not investing a little more time and effort to educate their workforce with a background knowledge on common online scams, how they work, and what to look out for.
It can be very difficult to tell the difference between a real email and a well-crafted fake one, but there are often many tell-tale signs that even someone not highly trained in cybersecurity could identify.
3. Establish policies for business over email
A lot of companies just take email for granted, without really thinking about the inherent risks in an open, unmoderated communication channel. Instead of trusting each correspondence implicitly, act with the assumption that the person on the other end isn’t who they claim to be.
If you need to complete any transaction or share confidential information with them, you can use a secondary verification process. This could be anything from calling the partner to confirm, or have another person authorize the transaction.
Attackers are always finding new ways to compromise business email channels. You can’t afford to be unprepared.