Vendor email compromise (VEC) has rapidly gained recognition for its sophistication and potentially devastating impacts. While the malicious technique is a member of the business email compromise (BEC) family, it boasts a distinctive approach that warrants special attention.

Check out our course catalogue for our new VEC course

BEC attacks, you may recall, are infamous for using deceptive tactics to infiltrate organisations' email systems. This could be in the guise of a CEO's urgent email requesting immediate funds transfer, an HR representative asking for personal employee data, or any other scenario that takes advantage of trust built within an organisation.

VEC, however, takes a step further into the subtleties of deception. Rather than directly impersonating a company's internal email correspondence, it targets the external supply chain – the vendors. As the name implies, VEC attacks compromise vendor emails to exploit the established trust between businesses and their suppliers. In doing so, they create a more sophisticated, multi-layered form of BEC. A popular trick is to lie in wait, and then ask the customer to change payment details for future invoices, meaning the payment will go to the scammer instead of the vendor.

So, why is VEC so insidious and yet distinct? It all comes down to how the attack is staged. In VEC attacks, cyber criminals first infiltrate a vendor's email system, often silently observing to understand communication patterns, invoice schedules, and the nature of services offered. Once they've gathered enough intelligence, they strike at the perfect moment, sending fraudulent invoices or changing payment details to divert funds into their own accounts. This is a popular attack because smaller vendors generally have less security awareness.

It's also important to note that VEC is not always just a financial threat. It can also serve as a gateway to more severe attacks like ransomware or data breaches, thus potentially causing significant harm to an organisation's reputation and customer relationships.

Organisations should ramp up their defensive strategies against VEC accordingly. This may include rigorous vendor security assessments, up to and including declining to do business with an external company that can’t prove it is taking the appropriate precautions. Implementing advanced email filtering solutions and ensuring continuous employee education on cyber security best practices are a few more ways you can protect yourself.
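As an added illustration of the filtering and triage idea (example code, not part of the original article or of any product it mentions), the check below holds an email from a known vendor for out-of-band verification when it asks to change payment details, quotes an account that differs from the one on file, or redirects replies away from the vendor's domain. The vendor record, domains and messages are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed vendor master record: sending domain -> bank account verified on file.
VENDOR_BANK_RECORDS = {
    "acme-supplies.example": "GB12BANK00000012345678",
}

# Phrases that typically accompany a request to redirect future payments.
CHANGE_PHRASES = ("updated our bank", "new bank details", "change of bank", "new account details")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    reply_to: str = ""


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def triage(email: Email) -> list[str]:
    """Return reasons to hold the email for out-of-band verification (a phone call
    to a known vendor contact) before any payment detail is changed.
    An empty list means none of the checks fired, not that the mail is safe."""
    reasons = []
    vendor_domain = domain_of(email.sender)
    if vendor_domain not in VENDOR_BANK_RECORDS:
        return reasons  # not a vendor we pay; outside the scope of this check
    text = f"{email.subject}\n{email.body}".lower()
    if any(phrase in text for phrase in CHANGE_PHRASES):
        reasons.append("vendor asks to change payment details")
    for iban in IBAN_RE.findall(email.body):
        if iban != VENDOR_BANK_RECORDS[vendor_domain]:
            reasons.append(f"account {iban} differs from the account on file")
    if email.reply_to and domain_of(email.reply_to) != vendor_domain:
        reasons.append("reply-to diverts the thread away from the vendor's domain")
    return reasons


# Constructed sample messages: a routine invoice and a "lie in wait" payment-change request.
LEGIT_INVOICE = Email("accounts@acme-supplies.example", "Invoice 1042",
    "Invoice 1042 attached. Payment to our usual account GB12BANK00000012345678 is due in 30 days.")
PAYMENT_CHANGE = Email("accounts@acme-supplies.example", "Invoice 1043",
    "We have updated our bank details. Please pay invoice 1043 and all future invoices to GB98FAKE00000087654321.",
    reply_to="accounts.acme@webmail.example")
```

Every flagged message should be confirmed with the vendor through a previously known channel, never by replying to the email itself.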

As VEC continues to proliferate, a heightened awareness of its unique nature is critical for all stakeholders, from C-suite executives to employees at every level. If you don’t have a robust email triage system in place, talk to us today about Phish Focus – an automated filter and triage system that adds another layer of security to your arsenal.