Definition

Vendor email compromise (VEC) is an online scam in which attackers take over a vendor's email account and use it to send fake invoices to that vendor's customers.

How Vendor Email Compromise Functions

  1. The attackers first compromise a vendor's email account, using spear phishing, keyloggers, credential stuffing, or similar methods.
  2. Once inside, they read the mailbox to learn the vendor's billing cycles, customer relationships, and normal invoice amounts.
  3. The attacker then uses the hacked account, or its email address, to send the vendor's customers fake invoices with changed bank account details.
  4. Unsuspecting customers pay the invoices, sending the money to the attacker's account.

Example of a Vendor Email Compromise

A city government receives what appears to be a genuine invoice from its construction vendor. The only difference is a slightly altered bank account number. Because the city officials trust the vendor, they pay the substantial sum. Only when the legitimate vendor follows up on the unpaid invoice do the officials learn they have been scammed.
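The scenario above turns on a single changed bank account number. The following accounts-payable check is an added example, not code from the original page: it compares an incoming invoice against a vendor master record (account on file, typical amount, usual billing day) and returns the reasons the invoice should be held for out-of-band verification. The vendor names, account numbers and amounts are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class VendorRecord:
    vendor_id: str
    bank_account: str      # account on file, confirmed out of band at onboarding
    typical_amount: float  # historical average invoice amount
    billing_day: int       # day of month on which invoices normally arrive


@dataclass
class Invoice:
    vendor_id: str
    bank_account: str
    amount: float
    received_day: int      # day of month the invoice arrived


def review_invoice(inv: Invoice, vendors: dict[str, VendorRecord]) -> list[str]:
    """Return the reasons this invoice should be held for manual verification.

    An empty list means none of the VEC indicators fired. A changed bank
    account is the decisive signal; amount and timing anomalies are supporting
    signals that mirror what an attacker learns by reading the mailbox.
    """
    rec = vendors.get(inv.vendor_id)
    if rec is None:
        return ["unknown vendor: onboard and verify before paying"]
    reasons = []
    if inv.bank_account != rec.bank_account:
        reasons.append("bank account differs from the account on file: "
                       "confirm by phone using the number on file, not one in the email")
    if rec.typical_amount and inv.amount > 1.5 * rec.typical_amount:
        reasons.append("amount is well above this vendor's typical invoice")
    # Distance in days, allowing the billing day to wrap around the month end.
    gap = abs(inv.received_day - rec.billing_day)
    if min(gap, 31 - gap) > 7:
        reasons.append("invoice arrived outside the vendor's normal billing window")
    return reasons


# Constructed sample data (hypothetical vendor and account numbers).
VENDORS = {"CONSTRUCT-01": VendorRecord("CONSTRUCT-01", "ACCT-1111-2222", 250_000.0, 1)}
GENUINE_INVOICE = Invoice("CONSTRUCT-01", "ACCT-1111-2222", 250_000.0, 2)
ALTERED_INVOICE = Invoice("CONSTRUCT-01", "ACCT-1111-2229", 250_000.0, 2)
```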

Dangers of Vendor Email Compromise

How to Safeguard Against Vendor Email Compromise

  1. Advanced anti-phishing platforms use artificial intelligence and machine learning to identify and block malicious emails before they enter an organization's network or reach users' inboxes. This helps keep vendors' accounts from being compromised in the first place.
  2. Security awareness training teaches users how to recognize phishing emails, how to respond to them, and how to report them to the right people. It also covers safe browsing and password hygiene, which further protects vendor accounts from compromise.