Vendor Email Compromise (VEC) is the latest type of phishing scheme that has been rapidly growing in popularity since the rise of remote work back in 2020. In this post, we’ll cover the basics of vendor email compromise, how it can impact your business, and most importantly – what you can do to mitigate the risk of VEC in your organization.
What is VEC?
Vendor email compromise occurs when an attacker gains access to a vendor’s email and uses that access to send messages to you or other members of your organization. The attacker impersonates a trusted third party and sends a malicious (but seemingly legitimate) email or emails to a target.
VEC goes beyond business email compromise (BEC) by impersonating the vendor to convince the target to pay invoices, reveal sensitive data, or grant access to corporate systems on a larger scale. VEC is a very sophisticated and personalized approach, making it that much harder to identify.
How Does VEC Work?
A VEC attack generally requires a deeper knowledge of relationships within an organization. To reduce suspicion of an outside agent,the attacker needs to have an understanding of project details, budgets, data, transactions, and schedules within the company. This takes a lot of time and effort for the attacker to research and understand, but it typically leads to a larger payout because they are able to act undetected for longer periods of time.
The 4 Stages of Vendor Email Compromise
Stage 1. The attacker gains access to a personal or company email account
Stage 2. Once inside, the attacker silently observes the company systems and communication
Stage 3. The attacker infiltrates the infrastructure
Stage 4. The attacker uses their new access to insert themselves into threads and begin creating fraudulent requests.
How You Can Identify and Avoid VEC
VEC can be hard to detect. The attacker will generally play multiple angles to establish their authority and seem legitimate to the untrained eye. These attempted attacks can go unnoticed for long periods of time if the vendor doesn’t know their systems are compromised, so attackers are motivated to engage in campaigns over a longer period of time, avoid urgent calls to action, and generally lay low to avoid arousing suspicion.
Here are a few actionable steps you or your organization can take to avoid being a part of a VEC attack:
- Flag suspicious URLs
- Verify all third party information and transactions with a formal review process
- Look out for any suspicious changes to sensitive information (such as bank account information, mailing address, etc)
- Keep your team educated on different types of scams and how attackers implement their techniques
- Acquire a security partner (like Geek Girl Tech!)
As our world continues to grow and technology advances further, it’s extremely important to protect yourself and your employees from attempted scams – but you don’t have to handle your security alone!
At Geek Girl Tech, we provide cyber security and IT support for small to mid-sized socially conscious companies, and we’d love to be a part of keeping you, your team, and your data safe. Get in touch with us to learn more about how we can assess your current security needs, manage your security in an ongoing capacity, or assist with a specific security issue. Book a call to learn more about working with Geek Girl Tech today.