Stopping Vendor Email Compromise in Action: Threat Actors Request Invoice for $36 Million
Vendor email compromise (VEC), the most dangerous type of business email compromise, is a threat that continues to grow in both frequency and severity. In fact, two-thirds of all organizations are targeted by email attacks that use a compromised or impersonated third-party account each quarter.
Unlike traditional business email compromise that impersonates an executive, a VEC attack occurs when a threat actor either gains control of a vendor email account or impersonates a trusted vendor in an attempt to execute an invoice scam or other financial fraud. These attacks are highly successful because they exploit the trust and existing relationships between vendors and customers through personalization and social engineering. And because your vendors often discuss invoices and payments, these attacks rarely seem abnormal—unlike the gift card requests from the CEO that were so popular when business email compromise originated.
VEC attacks often ask the recipient to pay an overdue or outstanding invoice or update billing account details so the next payment is sent to a fraudulent bank account. In the most egregious instances, they hijack an ongoing conversation and change details inline—right before the money is sent.
And because these attacks use known identities, they can be incredibly difficult to detect. Even the most cybersecurity-aware employees can find themselves fooled by these advanced threat tactics that lead to lost revenue. And we’re not talking about payments in the hundreds or thousands of dollars…
Abnormal recently detected an attempted VEC attack that sought to steal $36 million from the target. You read that right… $36 MILLION. Here’s what that looked like.
About the $36 Million Vendor Attack
In this attack, an enterprise in the commercial real estate industry was cc’d on an email containing an invoice for $36 million. The email was sent from what appeared to be a trusted contact of the enterprise to an escrow officer at an insurance company. The sender’s domain name, however, ended in [.cam] instead of [.com] so the full domain name looked like trusteddomain.cam—almost impossible to notice for anyone but the most perceptive employee.
The email included information about a payoff letter and directed the reader to view the attached letter and payment instructions.
The attacker's invoice, sent on forged company letterhead, outlines falsified loan information, including interest rates, repayment amounts, and other sensitive financial details.
The email also included a document with wiring details. In fact, the only piece of this email that was different from what the target would typically expect in an invoice was the wiring instructions, which directed the recipient to submit payment to a company called Forever Home Title in Tampa, Florida.
Extremely close inspection of the wiring instructions shows minor discrepancies, like “Reference: Name” instead of “Reference Name” and the missing state in the disclaimer text. But again, only someone who was expecting an attack would be likely to look for these minor issues.
Detecting the Signs of the Attack
Despite this email looking legitimate to the end user, there were a number of anomalies. First, the two lookalike domains use [.cam] rather than [.com], and both were less than one week old. The first fraudulent domain was registered in Iceland on October 12, 2022—the day the attack began. Newly registered domains are often an indicator of suspicious activity, since they are typically created right after a threat actor identifies a target and starts the scheme.
Additionally, the email contained a high-value payment request (above $10,000) and included new billing instructions, as well as language about the transaction being diverted to a different bank account. Vendor fraud is commonly initiated this way—an attacker will say something along the lines of, “we have a new bank account and need you to send this invoice to this new account instead of what has previously been used.”
There were also irregular language patterns in the body of the email, which are commonly associated with credential fraud and financial theft.
The totality of these signals is suspicious enough for an email security platform to take action by detecting and remediating the attack. However, since the Abnormal customer was actually cc’d on the email rather than the direct recipient, we are unable to determine if the original recipient was protected or if the invoice was in fact paid out.
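The signals described in this section (a lookalike domain one edit away from a known vendor, a domain registered days before the message, a payment request above $10,000, and language introducing new bank details) can be scored together rather than one at a time. The following Python is an added example written for this post, not Abnormal's detection code: the vendor list, registration dates (the .com date is invented; the .cam date follows the post), regexes, thresholds and both sample messages are constructed for the example, and the registration table stands in for a WHOIS/RDAP lookup. The verdict rule only remediates when an identity anomaly and a payment anomaly coincide, which is the "totality of signals" point above.

```python
import re
from datetime import date
from email.utils import parseaddr

# Constructed: vendor domains this organization has a known-good mail history with.
KNOWN_VENDOR_DOMAINS = {"trusteddomain.com"}

# Constructed stand-in for a WHOIS/RDAP registration lookup (domain -> created date).
# The .cam date mirrors the post; the .com date is invented for the example.
DOMAIN_REGISTRATION = {
    "trusteddomain.com": date(2009, 3, 4),
    "trusteddomain.cam": date(2022, 10, 12),
}
ATTACK_DATE = date(2022, 10, 12)

HIGH_VALUE_THRESHOLD = 10_000   # dollars; the post's "above $10,000" rule
NEW_DOMAIN_DAYS = 7             # "less than one week old"

AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d{2})?)")
NEW_ACCOUNT_RE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wiring|wire)\b", re.I | re.S)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one substitution separates trusteddomain.cam from .com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known=KNOWN_VENDOR_DOMAINS):
    """Return the known vendor domain that `domain` imitates (one edit away), else None."""
    if domain in known:
        return None
    for k in known:
        if edit_distance(domain, k) <= 1:
            return k
    return None


def domain_age_days(domain: str, today: date, registry=DOMAIN_REGISTRATION):
    """Days since registration, or None when the registry has no record."""
    created = registry.get(domain)
    return None if created is None else (today - created).days


def analyze(msg: dict, today: date) -> list:
    """Return (category, detail) signals for a message dict with 'from' and 'body'."""
    signals = []
    _, addr = parseaddr(msg["from"])
    domain = addr.rpartition("@")[2].lower()

    target = lookalike_of(domain)
    if target:
        signals.append(("identity", f"{domain} is one edit from known vendor {target}"))
    age = domain_age_days(domain, today)
    if age is not None and age < NEW_DOMAIN_DAYS:
        signals.append(("identity", f"{domain} registered {age} day(s) ago"))

    amounts = [float(m.replace(",", "")) for m in AMOUNT_RE.findall(msg["body"])]
    if amounts and max(amounts) > HIGH_VALUE_THRESHOLD:
        signals.append(("payment", f"high-value request ${max(amounts):,.2f}"))
    if NEW_ACCOUNT_RE.search(msg["body"]):
        signals.append(("payment", "message introduces new or changed bank details"))
    return signals


def verdict(signals: list) -> str:
    """Remediate only when an identity anomaly and a payment anomaly coincide."""
    cats = {c for c, _ in signals}
    if {"identity", "payment"} <= cats:
        return "remediate"
    return "review" if cats else "allow"


# Constructed sample messages modelled on the post; the wording is invented.
ATTACK = {
    "from": "Escrow Desk <closing@trusteddomain.cam>",
    "body": ("Please view the attached payoff letter and payment instructions. "
             "The payoff amount due is $36,000,000.00. Note we have a new bank "
             "account; wire funds per the attached instructions."),
}
BENIGN = {
    "from": "Escrow Desk <closing@trusteddomain.com>",
    "body": "Attached is invoice 4471 for $4,500.00, due net 30 to the account on file.",
}


def run_sample(today: date = ATTACK_DATE) -> dict:
    """Verdict for each constructed message as of the attack date."""
    return {name: verdict(analyze(m, today)) for name, m in (("attack", ATTACK), ("benign", BENIGN))}


if __name__ == "__main__":
    for name, m in (("attack", ATTACK), ("benign", BENIGN)):
        print(name, verdict(analyze(m, ATTACK_DATE)), analyze(m, ATTACK_DATE))
```

Evaluating the same two messages a month later would drop the "registered N day(s) ago" signal, but the lookalike-domain and payment signals still coincide, so the attack message stays at "remediate"; a genuine vendor email that merely announces a new bank account from its real domain lands in "review", which is where a callback to a known phone number belongs.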
Protecting Against Modern Supply Chain Attacks
As attackers shift from executive impersonation to vendor fraud and increase their payment requests, the need for security leaders to keep their organizations safe increases. A key piece of the security toolbelt should include technology that can detect novel, never-before-seen attacks that do not contain traditional indicators of compromise. Because modern supply chain attacks use seemingly genuine messages, traditional tools which look for indicators like malicious attachments are becoming less effective.
New tools that take a reverse approach—using behavioral AI to instead understand known-good behavior—can better identify and block new types of attacks, especially as cybercriminals continue to evolve their tactics. As a result, organizations stay better protected from these increasingly expensive attacks, and security leaders can focus on other priorities as they work to safeguard against evolving threats.
Interested in learning more about how Abnormal can protect your organization from vendor fraud? Schedule a demo.