
A Classic Case of Vendor Email Compromise

Criminals are compromising emails to steal money from businesses, governments and institutions. Any organization can be a target: businesses of any size as well as health care organizations, education, and local and state governments. Recent headline cases include Ubiquiti Networks, Toyota Boshoku Corporation and Scoular Company. And the U.S. territory Puerto Rico offers a classic vendor email compromise (VEC) example.

In the summer of 2019, scammers targeted Puerto Rican agencies through a devastating email compromise. The U.S. territory lost at least $2.6 million, though one source put the loss at $4 million.

Classic Vendor Email Compromise

It was a classic vendor email compromise (VEC) scheme. It started with a hack into a vendor. Then the criminals sent emails that appeared to be from the trusted vendor to several Puerto Rican agencies, indicating a change to the vendor’s bank account. The email looked convincing; agencies duly updated the vendor’s bank account information. Then they made payments to what they thought was the legitimate vendor. But the payments went into a criminal-controlled account.

One of the agencies then sent two payments totaling more than $2.6 million to the new bank account, per a police report. Another agency apparently paid $1.5 million. When a finance staffer at ERS called the agencies looking for overdue payments, the agencies discovered the deception.

The Hazard of Vendor Email Compromise

Vendor email compromise is not a simple phishing scam. It is a multi-step plan that can lead to a big payoff. It often begins as a typical business email compromise through a phishing attack, but on a vendor, not on the ultimate target(s).

Targeted vendors in the initial phishing stage are mostly small-scale operations that provide materials or services to larger organizations. Once the criminals gain access there, they can set forwarding rules within the vendor’s email system and begin spying on all vendor-customer emails.
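The forwarding rules described above leave a trace that a mailbox administrator can look for. The following is an added example, not code from the original article: it audits a list of exported inbox rules and flags the patterns that matter here, namely forwarding or redirecting to an address outside the organisation, silently deleting billing-related mail, and rules whose names hide their purpose. The rule records are constructed sample data; their field names follow the properties an Exchange Online `Get-InboxRule` export exposes, but the exact export shape in your environment is an assumption to check.

```python
"""Audit exported mailbox inbox rules for the forwarding and deletion tricks
described above.

Added example, not code from the original article. The records below are
constructed sample data; their field names (Name, Enabled, ForwardTo,
RedirectTo, ForwardAsAttachmentTo, DeleteMessage, SubjectContainsWords)
follow the properties an Exchange Online `Get-InboxRule` export exposes,
but the exact export shape in your environment is an assumption to check.
"""
from __future__ import annotations

# Domains the organisation owns; mail forwarded anywhere else leaves its control.
INTERNAL_DOMAINS = {"vendor.example"}

# Subject keywords whose silent deletion would hide a billing conversation.
BILLING_WORDS = {"invoice", "payment", "remittance", "bank", "wire"}

# Constructed sample: two benign rules followed by two rules of the kind an
# intruder sets to siphon and suppress vendor-customer mail.
SAMPLE_RULES = [
    {"Mailbox": "ap@vendor.example", "Name": "Archive newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False, "SubjectContainsWords": ["newsletter"]},
    {"Mailbox": "ap@vendor.example", "Name": "Copy to colleague", "Enabled": True,
     "ForwardTo": ["colleague@vendor.example"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "SubjectContainsWords": []},
    {"Mailbox": "ap@vendor.example", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ["collector@mail-drop.example"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "SubjectContainsWords": []},
    {"Mailbox": "ap@vendor.example", "Name": "cleanup", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": True, "SubjectContainsWords": ["Invoice", "payment"]},
]


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rule(rule: dict) -> list[str]:
    """Return human-readable findings for one rule (empty list if it looks benign)."""
    findings: list[str] = []
    if not rule.get("Enabled", False):
        return findings

    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    external = [t for t in targets if _domain(t) not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards or redirects mail outside the organisation: "
                        + ", ".join(external))

    words = {w.lower() for w in rule.get("SubjectContainsWords", [])}
    hidden = words & BILLING_WORDS
    if rule.get("DeleteMessage", False) and hidden:
        findings.append("silently deletes billing mail matching " + ", ".join(sorted(hidden)))

    if len(rule.get("Name", "").strip()) <= 1:
        findings.append("rule name is blank or a single character, which hides its purpose")
    return findings


def audit_rules(rules: list[dict]) -> dict[tuple[str, str], list[str]]:
    """Map (mailbox, rule name) to findings for every rule that raised one."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[(rule["Mailbox"], rule["Name"])] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_rules(SAMPLE_RULES).items():
        print(key, "->", "; ".join(findings))
```

Run against a real export, the two benign rules produce nothing while the redirect to `mail-drop.example` and the invoice-deleting rule are both reported; the external-forwarding check is the one worth alerting on, because it is exactly how the criminals keep reading vendor-customer mail after the password is changed.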

They learn about the vendor’s billing, invoices and customers. The fraudsters are then able to craft invoices and emails that look genuine to send to the main targets: the vendor’s customers.

A VEC attack is harder to identify than a generic BEC attack. It looks like legitimate communication from a trusted vendor; in fact, it often is sent from the vendor’s own email server. Consequently it raises less suspicion, and organizations fall prey to it more easily.

The criminals send emails with phony or real invoices along with an account change request. This is the critical point for unsuspecting organizations. Do they have and follow good controls? Do they verify account change requests, and how do they do it? Those without a sound process fall into the trap and send money to the criminals.

Protect Yourself

Procedural safeguards can protect your organization from falling victim to VEC. Put them in place and follow them without exception.

Puerto Rico discovered many vulnerabilities in agency systems, including weak passwords, a lack of two-factor authentication and inadequate procedures for independently confirming vendor change requests prior to updating vendor records. As a result of the government’s investigation, it has rectified those vulnerabilities.

The FBI recommends the following safeguards:

  • Be suspicious of any unsolicited email or text asking you to update account information. Look up a phone number for the business from a source other than the email you received, and call the company to verify the request and its details.
  • Examine email addresses, website domain names and their spellings for subtle differences from the actual business’s, such as a lowercase l substituted for the numeral 1 or extra punctuation added.
  • Do not open, click on or download email attachments from people you don’t know, and beware even of those you do—be sure it is the person you know.
  • Enable MFA (multi-factor authentication) whenever it’s available and use it.
  • Set up a process to verify account change requests by independently calling to make sure it’s legitimate, and never reply directly back to the email for confirmation.
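Two of the safeguards above can be enforced in code rather than left to memory: the look-alike spelling check on the sender's domain, and the rule that a bank-account change is applied only after a callback to the number already on file, never to a number supplied in the email and never by replying to it. The following is an added example, not from the article or from any product it mentions. The vendor record, request fields and phone numbers are constructed samples, and the character-normalisation table is a small assumption covering the swaps the article names (l and 1, extra punctuation) plus a few other common ones.

```python
"""Screen a vendor bank-change request and apply it only after an
independent callback, as the safeguards above require.

Added example, not from the article or from any product it mentions. The
vendor record, request fields and phone numbers are constructed samples,
and the normalisation table is a small assumption covering the swaps the
article names (l/1, extra punctuation) plus a few common ones.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VendorRecord:
    name: str
    email_domain: str
    phone_on_file: str      # captured at onboarding, never taken from an email
    bank_account: str


@dataclass(frozen=True)
class BankChangeRequest:
    sender: str             # From: address of the request email
    new_account: str
    phone_in_email: str | None = None   # a "call us to confirm" number in the mail


@dataclass(frozen=True)
class Callback:
    number_dialed: str
    confirmed_by: str       # staff member who placed the call
    approved: bool          # vendor contact confirmed the change over the phone


def normalize_domain(domain: str) -> str:
    """Collapse look-alike characters and extra punctuation so that
    vend0r.example, vendor-pay.example and vendorpay.example compare equal
    to what they imitate."""
    d = domain.lower().strip().rstrip(".")
    for look, real in (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")):
        d = d.replace(look, real)
    return d.replace("-", "").replace(".", "")


def is_lookalike(sender_domain: str, trusted_domain: str) -> bool:
    """True when the domains differ as typed but match after normalisation."""
    if sender_domain.lower() == trusted_domain.lower():
        return False
    return normalize_domain(sender_domain) == normalize_domain(trusted_domain)


def _digits(phone: str) -> str:
    """Keep only digits so formatting differences do not matter."""
    return re.sub(r"\D", "", phone)


def screen_request(req: BankChangeRequest, vendor: VendorRecord) -> list[str]:
    """Cheap checks on the email itself. A clean result is not proof: VEC mail
    often really does come from the compromised vendor's own server."""
    warnings = []
    sender_domain = req.sender.rsplit("@", 1)[-1]
    if is_lookalike(sender_domain, vendor.email_domain):
        warnings.append(f"sender domain {sender_domain!r} imitates {vendor.email_domain!r}")
    elif sender_domain.lower() != vendor.email_domain.lower():
        warnings.append(f"sender domain {sender_domain!r} does not match vendor on file")
    if req.phone_in_email and _digits(req.phone_in_email) != _digits(vendor.phone_on_file):
        warnings.append("email supplies a confirmation number that is not the one on file")
    return warnings


def apply_bank_change(vendor: VendorRecord, req: BankChangeRequest,
                      callback: Callback | None) -> VendorRecord:
    """Return the updated record, or raise if the control was not followed.
    The email is never the channel of confirmation; the number dialed must be
    the one on file, regardless of any number the email offers."""
    if callback is None or not callback.approved:
        raise PermissionError("bank change not confirmed by callback")
    if _digits(callback.number_dialed) != _digits(vendor.phone_on_file):
        raise PermissionError("callback did not use the phone number on file")
    return replace(vendor, bank_account=req.new_account)


# Constructed sample data for the usage below.
VENDOR = VendorRecord("Acme Supplies", "vendor.example", "+1 555 010 0001", "ACCT-ORIGINAL")
SPOOFED = BankChangeRequest("billing@vend0r.example", "ACCT-FRAUD", "+1 555 010 0999")
FROM_VENDOR = BankChangeRequest("billing@vendor.example", "ACCT-NEW")

if __name__ == "__main__":
    print(screen_request(SPOOFED, VENDOR))
    ok = apply_bank_change(VENDOR, FROM_VENDOR, Callback("+1 555 010 0001", "ap-clerk", True))
    print(ok.bank_account)
```

The point of `apply_bank_change` is that it cannot be satisfied from inside the email thread: a request that arrives from the vendor's real server with no warnings still changes nothing until someone dials the number captured at onboarding and the vendor confirms. That is the control the Puerto Rican agencies lacked.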

Staff training in BEC, VEC, social engineering and other cybercrime techniques is a vital element in protecting your organization. Organizations must create a culture of awareness.

Puerto Rico had vulnerabilities it has since corrected. Many organizations, though, are behind the curve and the cybercriminals are coming for them.

To learn how VendorInfo can help you with bank account ownership verification and vendor onboarding without relying on email, contact us.
