Vendor Impersonation Used to Siphon Invoice Payments

Aging reports can be some of the most useful documents for cyberattackers because they provide access to huge amounts of data about customers and outstanding payments. By understanding this information, they can then target those known customers to update banking details and ask for overdue payments. 

This is likely what happened in the setup of this attack, where a known vendor targeted a customer, stating that their bank had changed from Bank of America to Chase and the old account would be closed in 10 days. They then asked the victim to confirm that they had updated their banking account details. Interestingly, this attack did not specifically request that invoices be paid immediately or inquire about incoming payments. To add further legitimacy to the attack, the threat actors used a lookalike domain with only a character difference from the legitimate email address.

This attack is solely text-based, with no traditional indicators of compromise, and the domain has authentication protocols enabled. Without an understanding of the content and tone of the message, there is no way for an email security solution to understand that this email has malicious intent. 

Natural language processing enables cloud email security solutions to detect the presence of an account update request, and a federated supply chain database understands when a vendor account may be compromised—across the entire customer ecosystem. Understanding legitimate vendor domains allows a cloud email security solution to flag a lookalike domain as fraudulent and block the attack before it reaches users. 

While this attack does not result in immediate financial loss, it does set up the opportunity for attackers to receive the new payment to this vendor. Depending on how much the customer typically pays this vendor and how long it takes to find the error, this account update could cost the organization thousands to hundreds of thousands of dollars.