How to Identify a New Type of BEC: Vendor Email Compromise

December 8, 2021

Since businesses began moving to a remote environment at the start of 2020, accounts payable teams have spent a significant amount of time ramping up their ACH payments. Working from home has made it harder to get payments out to suppliers efficiently and securely.

The increased pressure on AP, combined with weak network security and unfamiliar remote workflows, left an opening for fraudsters to take advantage of the chaos. In the September 2020 edition of the Fraud in the Wake of COVID-19 Benchmarking Report, the ACFE (Association of Credentialed Fraud Examiners) reported that 90 percent of over 2,000 respondents had seen increased cyber fraud during July and August 2020.

A particular subset of fraudulent activity—‘BEC’, or Business Email Compromise—has gained notoriety over the years and is such a large operation that it’s become more of an umbrella term for various attacks. Among these subsets comes the newer term, ‘VEC’, or Vendor Email Compromise.

Defining Vendor Email Compromise

While similar in concept to BEC, VEC focuses more on controlling payments through vendor communication. Bad actors hack into vendor emails or business systems and watch the transaction flow for a while. They collect information on the vendor—anything from invoice structures to personal writing quirks. This later enables them to take over communication without raising suspicion.

Once they’ve identified an opportunity to re-route large ACH payments, they masquerade as the vendor in a spoofed email to the AP team, requesting changes to the account. Depending on the information they’ve collected, these emails can be quite convincing and, ultimately, damaging.

In a successful fraud scenario, the bad actor will have convinced AP to re-route funds to their account. Once they retrieve the funds, the bad actors will close the account. Due to the quick nature of ACH payments, the entire heist can take very little time to pull off—often, mere days. By the time the legitimate vendor asks about their missing payment, it’s impossible to retrieve the funds and the buyer is still on the hook for the actual payment.

Building Your Fortress Through AP Internal Controls

Many AP departments are not prepared to identify sophisticated, calculating cyberattacks like VEC. For decades, they have grown familiar with identifying check fraud. In those cases, enterprises have developed strong internal controls and combined them with their bank’s Positive Pay and Positive Payee capabilities. Now they need to develop the same level of controls for ACH. A comprehensive system would look something like this:

  1. Use tools like firewalls, threat monitoring, and multifactor authentication to block attacks on your infrastructure.

  2. Put prevention measures in place. Train all new hires to identify malware and phishing attempts, and offer quarterly refreshers to all employees. Have IT periodically send out simulated phishing attacks, so your teams know how to recognize and react to the real thing.

  3. Don’t gloss over your validation process. Require multiple levels of verification on all information changes—even (and especially) urgent ones. Use industry-standard tools to validate account information and ownership. Call vendors to validate their update requests using the contact information you already have on file—not the information in the email. If you can’t reach a vendor by phone, mail a letter to the address on file and request they call you.

  4. Document your processes and protocols and update them frequently.

  5. Never, ever share sensitive data via email.
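One way to turn the validation rules in step 3 into a repeatable check before any ACH account change is released. This is an added illustration, not code from the original post; the vendor record, the request fields, the verification evidence and the sample values are all constructed, and the domain and callback checks are assumptions about what an AP team would record.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VendorRecord:            # trusted vendor master data already on file
    vendor_id: str
    email_domain: str
    phone_on_file: str

@dataclass(frozen=True)
class ChangeRequest:           # banking-change request parsed from the inbound email
    vendor_id: str
    sender_address: str
    reply_to: str              # empty string if the header is absent
    new_account_number: str
    marked_urgent: bool

@dataclass(frozen=True)
class Verification:            # evidence AP gathered before acting on the request
    callback_number: str       # number AP actually dialled ("" if no call was made)
    callback_confirmed: bool   # vendor confirmed the change on that call
    approvers: tuple           # names of the people who signed off

def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def review_change_request(req, vendor, ver, min_approvers=2):
    # Returns (decision, blockers, notes); decision is "approve" or "hold".
    blockers, notes = [], []
    if req.vendor_id != vendor.vendor_id:
        blockers.append("request names a different vendor than the record being changed")
    # A matching domain proves nothing: VEC mail may come from the vendor's own compromised mailbox.
    if _domain(req.sender_address) != vendor.email_domain.lower():
        blockers.append("sender domain differs from the vendor domain on file")
    if req.reply_to and _domain(req.reply_to) != vendor.email_domain.lower():
        blockers.append("reply-to points outside the vendor domain on file")
    # The callback must reach the number on file, never one quoted in the email.
    if not ver.callback_confirmed or ver.callback_number != vendor.phone_on_file:
        blockers.append("no confirmed callback to the phone number on file")
    if len(set(ver.approvers)) < min_approvers:
        blockers.append(f"fewer than {min_approvers} distinct approvers")
    if req.marked_urgent:
        notes.append("request claims urgency; urgency never shortens the process")
    return ("hold" if blockers else "approve"), blockers, notes

# Constructed sample data (fictional vendor, domains, numbers and accounts).
VENDOR = VendorRecord("V-1001", "acme-supply.example", "+1-555-0100")
SUSPECT = ChangeRequest("V-1001", "billing@acme-supp1y.example",
                        "ap@acme-supp1y.example", "999000999", True)
WEAK = Verification("+1-555-0199", True, ("pat",))        # dialled the number from the email
LEGIT = ChangeRequest("V-1001", "billing@acme-supply.example", "", "999000999", False)
GOOD = Verification("+1-555-0100", True, ("pat", "sam"))  # dialled the number on file
```

The check deliberately treats a passed domain test as neutral and a failed callback or missing second approver as a hard stop, which is the order of trust step 3 describes.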

Staying Vigilant Against BEC Fraud

It’s not surprising if these steps sound like a lot; they are. As bad actors grow more proficient in their fraud attempts, it’s up to business owners to prepare for when they inevitably become a target. This requires a certain amount of imagination—taking the time to think of how a bad actor might infiltrate your business allows you to shore up your weak points before they become a problem. A single successful attempt has the potential to impact not only the bottom line but also your business reputation.

In the end, the best method for protecting your business is staying vigilant and flexible to changes in fraudulent activity, such as the addition of VEC to the BEC fraud category. Expect the unexpected, and it will be much harder to throw you off guard.