Vendor Email Compromise
It seems like every day ushers in a new type of cyber threat – the latest being the Vendor Email Compromise (VEC) attack. In this blog we will explore what makes VEC attacks so pernicious and how you can defend against them.
Whether your network perimeter is being penetrated, your encrypted data is being held to ransom, or you’re facing a sophisticated Business Email Compromise attack, every organisation has a responsibility to develop and implement defensive strategies that mitigate the risks.
But what happens when, despite implementing comprehensive security strategies, your organisation is confronted by a threat resulting from insecurities in your digital supply-chain?
After all, we live in a highly connected, digital world. You’d be hard-pressed to find any organisation that isn’t using applications developed by third parties on a daily basis. Accounts Payable teams make use of many third-party applications, from your ERP software to online banking portals.
While there’s a lot you can do to stay secure, there’s comparatively little you can do if the applications you rely on every day are riddled with vulnerabilities. And given that these applications contain so much of your confidential corporate data, security weaknesses in your digital supply-chain represent a very real threat to your organisation.
Digital Supply-Chain Attacks
Cyber security is now well and truly on the radar for most boards. Organisations are investing record amounts to defend their data, networks and application layers.
But as organisations work to uplift their cyber defences, cyber criminals are adapting. They have realised that the weakest link for many organisations is third-party software. The result: cyber criminals now routinely gain access to an organisation’s systems via their digital supply-chain.
The recent SolarWinds breach is a case in point.
American software giant, SolarWinds, developed a widely used network monitoring application called Orion. Given that Orion was designed to identify malicious traffic in organisations’ networks, it had extensive access deep into the networks where it was installed.
The criminal gang behind the SolarWinds attack used Orion as the vehicle to gain unauthorised access to unsuspecting organisations. Even with highly-sophisticated defences, when targeted organisations ran a regular monthly Orion software update, they inadvertently installed remote access trojan (RAT) malware, giving the criminals extensive access to their systems.
It is believed that up to 18,000 organisations may have unknowingly installed these backdoors, potentially paving the way for data manipulation and exfiltration.
It is understood that the criminals behind the SolarWinds breach gained extensive access to email accounts, financial records and confidential commercial files.
The seriousness of the breach led some to label it the Pearl Harbour of American IT.
Vendor Email Compromise
While it’s clear that vulnerable third-party applications can pave the way for criminals to gain entry to your organisation’s network, you also face an emerging third-party risk resulting from suppliers using insecure email systems.
Imagine that your suppliers’ Accounts Receivable team is using an insecure email system. This could allow a fraudster to engage in a Vendor Email Compromise (VEC) attack against you. If the fraudster gains unauthorised access to your supplier’s Accounts Receivable email client, they could manipulate the banking details in invoices, resulting in your Accounts Payable team remitting funds directly into a bank account controlled by the scammer.
So, you end up being defrauded even though it’s your supplier that has the vulnerable email system.
This is a classic case of a Negative Externality. Despite your supplier getting hacked, they don’t suffer the financial consequences – you do!
Negative Externalities act as a disincentive for organisations to take appropriate measures to strengthen their security settings. This is not to say that vulnerable suppliers are acting out of malice. They may simply be negligent in securing their email systems because they are unaware of the financial ramifications that can flow from such insecurities. After all, if they have never directly suffered the financial costs of a breach, they may simply be ignorant.
Researchers are warning that such attacks are a growing trend. Traditional Business Email Compromise (BEC) attacks, which seek to manipulate the email accounts of an organisation’s CEO or CFO, are increasingly difficult as more robust internal controls are implemented. However, the trust that exists between an organisation and its suppliers paves the way for successful VEC attacks instead.
From the fraudster’s point of view, one successful VEC attack can result in a much greater financial windfall. After all, if they are able to access the Accounts Receivable email system of a large company that supplies many other companies, one successful breach allows them to conduct VEC attacks against many potential victims.
How can eftsure help?
Whilst you can’t always control the actions of others, you can control your own actions.
Your suppliers may have weak controls and security settings. They may have vulnerable email clients that increase the risk of you facing a VEC attack. Unfortunately, there’s very little you can do to force your suppliers to enhance their security capabilities.
However, you can reduce your exposure by ensuring you always verify the accuracy of banking details immediately prior to paying any invoices.
With eftsure integrated into your accounting environment, you will be able to cross-match the banking details you are using to pay an invoice against our database comprising over 2 million Australian organisations. This gives you assurance that the banking details in your records match the banking details used by other organisations to pay the same supplier.
So, even if your supplier has been compromised, you can avoid bearing the financial burden!
Contact eftsure today for a demonstration of how we can help you secure your supplier payments.