Vendor email compromise: could you be the weak link?

How to avoid being the weak point in your supply chain

Addressing vendor email compromise (VEC)

Protecting your organization against cyber threats is essential.

And so is protecting others’, especially when they are your suppliers and customers.

Vendor email compromise (VEC) attacks are clever, and they’re on the increase. While bad actors are known to be targeting enterprises and MSPs, any organization with a supply chain can be a target. VECs don’t just attack your business: they target the customers and suppliers you work with, using detailed research into your business relationships.

Stage one: the phishing attack on your business

VECs start with a phishing attack on your organization. The aim of the attack is to get someone to click a link in a fake email to download malware into your system. This gives the attacker access to your email, and enables them to send apparently genuine messages to your customers and suppliers.

The attacker can also set up email forwarding rules, so they receive copies of messages intended for people within your company. This provides them with a wealth of data to use for further research for the next stage in the attack.
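As an added example (not from the original article or from Libraesva), the following Python audits an exported list of mailbox rules for forwarding to addresses outside the organization, the kind of rule described above. The rule record fields, the domain names and the sample data are constructed assumptions, not any mail platform's export format.

```python
from email.utils import parseaddr

# Assumption: domains your organization owns; subdomains count as internal.
INTERNAL_DOMAINS = {"example-corp.test"}

# Constructed sample export; the field names are a hypothetical schema,
# not the output format of any particular mail platform.
SAMPLE_RULES = [
    {"mailbox": "ap@example-corp.test", "name": "Archive newsletters",
     "forward_to": [], "move_to_folder": "Newsletters", "delete": False},
    {"mailbox": "ap@example-corp.test", "name": ".",
     "forward_to": ["Billing <inv0ice@mailbox-relay.test>"],
     "move_to_folder": None, "delete": True},
    {"mailbox": "cfo@example-corp.test", "name": "Copy to assistant",
     "forward_to": ["pa@hq.example-corp.test"],
     "move_to_folder": None, "delete": False},
    {"mailbox": "sales@example-corp.test", "name": "sync",
     "forward_to": ["SALES-BACKUP@EXAMPLE-CORP.TEST.lookalike.test"],
     "move_to_folder": None, "delete": False},
]


def is_internal(address, internal_domains=INTERNAL_DOMAINS):
    """True if the address's domain is an internal domain or a subdomain of one."""
    domain = parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per rule that copies mail outside the organization."""
    findings = []
    for rule in rules:
        external = [a for a in rule.get("forward_to", [])
                    if not is_internal(a, internal_domains)]
        if not external:
            continue
        # Forwarding plus hiding the original from the mailbox owner is
        # a stronger signal than forwarding alone.
        hides = bool(rule.get("delete")) or bool(rule.get("move_to_folder"))
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "external": external,
                         "severity": "high" if hides else "medium"})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['severity']:6} {f['mailbox']}: rule {f['rule']!r} -> {f['external']}")
```

The domain comparison matches on the full suffix, so a forwarding target that merely starts with an internal domain name is still reported as external.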

Stage two: the phishing attacks on your supply chain

Once the bad actor has access to your email, they send fake messages from your system to your upstream and downstream contacts. These phishing emails exploit the familiarity of the existing relationship between your company and those you do business with.

This social engineering will use information the attacker has learned about your processes, ways of working, and the target company. For example, if the aim is to obtain money through a fake invoice or request for a money transfer, the email could be carefully timed to match your usual billing cycle. This makes the request look genuine.

VEC attacks are designed to propagate ransomware or malware that can be used to steal data, raise fake invoices, or place fraudulent orders, and can be extremely difficult to spot. Attackers may not send phishing emails to every contact at once, but instead try different approaches until they find the one that is most effective.

What you should do to defend against VEC attacks

The best way to protect your business from VEC attacks is to detect and stop the initial phishing email from reaching your employees’ inboxes.

  1. Test your email security, and ensure you’re carrying out regular testing on an ongoing basis. Read the blog on email security testing, and use the free Libraesva test.
  2. Depending on the results of the test, you may want to look at improving your email security with an AI-driven solution (which is where we come in, as global award-winning email security specialists).
  3. Educate employees on email security, empower them to recognize and respond to phishing attacks, and embed good habits by conducting regular phishing awareness campaigns.

Exceptional Email Security for enterprise

Libraesva is the only email security platform to integrate cloud email and a secure email gateway with our unique AI-driven Adaptive Trust Engine, which continually gathers intelligence to detect email anomalies and provide advanced protection from VEC and other email-borne threats.

Want to find out more about protecting your organization from supply chain attacks?