A Classic Case of Vendor Email Compromise
Criminals are compromising email accounts to steal money from businesses, governments and institutions. Any organization can be a target: businesses of any size, health care organizations, education, and local and state governments. Recent headline cases include Ubiquiti Networks, Toyota Boshoku Corporation, and Scoular Company. The U.S. territory of Puerto Rico offers a classic example of vendor email compromise (VEC).
In the summer of 2019 scammers targeted Puerto Rican agencies through a devastating email compromise. The U.S. territory lost at least $2.6 million, though one source put the loss at $4 million.
How It Happened: Vendor Bank Account Change
It was a classic vendor email compromise (VEC) scheme. It started with a hack into a vendor. Then the criminals sent emails that appeared to be from the trusted vendor to several Puerto Rican agencies, indicating a change to the vendor’s bank account. The email looked convincing; agencies duly updated the vendor’s bank account information. Then they made payments to what they thought was the legitimate vendor. But the payments went into a criminal-controlled account.
Puerto Rico’s Employee Retirement System (ERS) was the starting point. Hackers got into the computer of a finance employee, likely through a phishing attack. Once in, they posed as an ERS employee. The hackers then emailed several government agencies that pay into the retirement program, notifying them of a change to the vendor’s bank account.
One of the agencies then sent two payments totaling more than $2.6 million to the new bank account, per a police report. Another agency paid $1.5 million according to El Nuevo Dia, a Puerto Rico daily newspaper.
When a finance staffer at ERS called the agencies looking for overdue payments, the agencies discovered the deception.
The Hazard of Vendor Email Compromise
Vendor email compromise is not a simple phishing scam. It is a multi-step plan that can lead to a big payoff. It may begin with a typical business email compromise through a phishing attack, but the attack is on a vendor, not on the ultimate target(s).
[Phishing emails include such things as a notice of a received “fax document” that the recipient must click a link to access, resulting in a malware download such as a keystroke tracker; or a spoofed Microsoft (or other common) email warning of a “sign-in attempt” or security breach and urging the recipient to validate their email by clicking a link and logging in with their credentials. See Criminal Business Email Compromise.]
According to Crane Hassold, senior director of threat research at Agari, the targeted vendors in the first stage are mostly small-scale operations that provide materials or services to larger companies. When the criminals gain access there, they can set forwarding rules within the vendor’s email system and ensure they receive a copy of all emails.
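The forwarding rules Hassold describes are one of the few artifacts of a vendor-side compromise that a defender can look for directly. The following is an added example, not code from the article or from Agari: it audits a list of inbox rules for the attacker pattern (forward to an outside address, forward everything, or forward and then hide the copy). It assumes each rule is a dict loosely shaped like a Microsoft Graph messageRule; the rules and domains are constructed.

```python
"""Audit inbox rules for the VEC forwarding pattern (added example)."""

ORG_DOMAINS = {"vendor.example"}  # assumption: the vendor's own mail domains
# Folders commonly used to keep forwarded mail out of the owner's sight
HIDING_FOLDERS = {"rss feeds", "conversation history", "deleted items", "archive"}


def rule_findings(rule, org_domains=ORG_DOMAINS):
    """Return reasons a rule looks like VEC staging; empty list if clean."""
    actions = rule.get("actions", {})
    targets = actions.get("forwardTo", []) + actions.get("redirectTo", [])
    findings = []
    external = [t for t in targets if t.rsplit("@", 1)[-1].lower() not in org_domains]
    if external:
        findings.append("forwards mail outside the organization: " + ", ".join(external))
    if targets and not rule.get("conditions"):
        findings.append("applies to every incoming message")
    hides = actions.get("delete") or actions.get("moveToFolder", "").lower() in HIDING_FOLDERS
    if targets and hides:
        findings.append("forwards and then hides the copy from the mailbox owner")
    return findings


def audit(rules, org_domains=ORG_DOMAINS):
    """Map displayName -> findings for every rule that raised at least one."""
    return {r.get("displayName", "<unnamed>"): f
            for r in rules if (f := rule_findings(r, org_domains))}


# Constructed sample: one benign rule and two that match the attacker pattern
SAMPLE_RULES = [
    {"displayName": "Newsletters",
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".",  # nondescript name, no conditions, external forward
     "conditions": {},
     "actions": {"forwardTo": ["ers.billing@mail-example.net"], "delete": True}},
    {"displayName": "Invoices",  # internal forward, but parked where nobody looks
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": ["archive@vendor.example"],
                 "moveToFolder": "RSS Feeds"}},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(f"[!] rule {name!r}: " + "; ".join(findings))
```

In practice the rule list would be pulled from the mail platform's admin API on a schedule, and any hit reviewed with the mailbox owner before payments tied to that mailbox are released.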
But that initial BEC target is merely a tool. Once the fraudsters gain access to the business, they then aim at their real targets: the clients or customers of the business whose email they’ve compromised.
They study the vendor’s emails to learn about the vendor’s billing, invoices, and customers. The fraudsters are then able to craft invoices and emails that look genuine.
Next, they move on to the main targets: the vendor’s customers. The VEC attack is more challenging to identify than a BEC attack. It looks like a legitimate communication from a trusted vendor. In fact, it often is an email sent from the vendor’s own email server. Consequently, it appears less suspicious, and organizations fall prey to it more easily.
The criminals send emails with phony or real invoices along with an account change request. This is the critical point for unsuspecting organizations: do they have and follow good controls? Do they verify account change requests, and how do they do it? Those without a sound process fall into the trap and wind up sending money to the criminals.
Hassold observes, “This new flavor of business email compromise attacks will proliferate because scammers have developed the ability to create authentic-looking invoices that can potentially produce a much greater windfall.”
Defend Yourself
Procedural safeguards can protect your organization from falling victim to VEC. Put them in place and follow them without exception.
Puerto Rico discovered it had many vulnerabilities in agency systems, including weak passwords, a lack of two-factor authentication, and inadequate procedures for independently confirming vendor change requests prior to updating vendor records. As a result of the government’s investigation, it has rectified those vulnerabilities.
The FBI recommends the following safeguards:
- Be suspicious of any unsolicited email or text asking you to update account information. Look up a phone number for the business that’s not in the email they sent and call the company to verify the request and information.
- Examine email addresses, website domain names, and spelling for subtle differences from the actual business’s, such as a 1 substituted for an l or extra punctuation.
- Do not open, click on, or download email attachments from people you don’t know, or in emails forwarded to you.
- Enable MFA (multi-factor authentication) whenever it’s available and use it.
- Set up a process to verify any account number or payment procedure change request by independently calling to make sure it’s legitimate:
- Confirm payment changes by phone, using the number already in your system (not a number in the email), to verify the details of a bank account change. Never reply directly to the email to confirm the information.
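The lookalike-address check in the FBI list can be partly automated at the point where an account-change request lands. This added example (not from the article or the FBI) normalizes the sender's domain for the substitutions described above (1 for l, rn for m, inserted punctuation) and compares it with a finance-maintained list of known vendor domains; the vendor list and sample addresses are constructed.

```python
"""Flag sender domains that imitate a trusted vendor's domain (added example)."""
import re

KNOWN_VENDORS = {"ers-pr.example", "acme-supply.example"}  # constructed list

# Single characters scammers swap because they look alike at a glance
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "|": "l"})
# Character pairs that read as one letter in many fonts
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def normalize(domain):
    """Collapse look-alike characters and drop punctuation inserted between letters."""
    d = domain.lower().translate(HOMOGLYPHS)
    for pair, single in MULTI_CHAR:
        d = d.replace(pair, single)
    return re.sub(r"[^a-z]", "", d)   # removes '-', '.' and leftover digits


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, known=KNOWN_VENDORS):
    """Return ('exact' | 'lookalike' | 'unknown', matched vendor or None)."""
    domain = address.rsplit("@", 1)[-1].lower()
    for vendor in sorted(known):
        if domain == vendor or domain.endswith("." + vendor):
            return "exact", vendor
    norm = normalize(domain)
    for vendor in sorted(known):
        vnorm = normalize(vendor)
        if norm == vnorm or edit_distance(norm, vnorm) <= 2:
            return "lookalike", vendor
    return "unknown", None


if __name__ == "__main__":
    for addr in ["payments@ers-pr.example", "payments@ers-pr.examp1e",
                 "payments@ers.pr-example", "ap@acrne-supply.example",
                 "billing@unrelated-corp.example"]:
        print(addr, "->", classify_sender(addr))
```

A "lookalike" result should block the change pending the phone callback; an "exact" result must not skip it, because, as noted above, a VEC email often comes from the real vendor's server.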
Staff training in BEC, VEC, social engineering and other cybercrime techniques is a vital element in protecting your organization. Organizations must create a culture of awareness.
Puerto Rico and other victims of VEC have implemented changes to protect themselves from making such mistakes again; they are now much less vulnerable. But many organizations are behind the curve, and the cybercriminals are coming for them.