Vendor Email Compromise
We’ve talked about Business Email Compromise in the recent past. It’s when a cyber criminal poses as an authority figure within a company and misdirects funds or valuable information. The damage could be millions of dollars routed to a scammer’s bank account or employee W-2s sent to a scammer’s email account. Today, we are going to focus on an offshoot of BEC: Vendor Email Compromise.
Vendor Email Compromise works very similarly to BEC, except that the scammer poses as a vendor rather than an executive within the company. When you work with a vendor you expect an invoice, right? This makes it an ideal relationship to corrupt.
The Long Game
Patient criminals will gain credentials of vendor accounts through typical phishing scams. This might be an email with a link that directs the user to a falsified login screen, thus capturing login information. Once the scammer has access to the vendor’s inbox, he can set up automatic forwarding of client email and monitor their communications. The scammer might spend weeks or months gathering enough information about contracts, pricing, timing, language and other elements to deliver an extremely plausible invoice via email. When an invoice comes from a trusted contact, looks just like the previous invoice, and is expected after a project, it can be easy to overlook a new bank account routing number. And that’s exactly what the scammer wants.
Scammers are working smarter and harder to steal from businesses. We must stay vigilant when conducting business online. The first step is looking at our email with a critical eye, especially when they contain requests for money or sensitive information. The next step is creating or enforcing defined processes when working with sensitive information or sending payments. This could be a phone call or in-person confirmation of the request. Spend the extra time to confirm validity of all sensitive requests!