Vendor email compromise definition
Vendor email compromise (VEC) is a cyber scam in which attackers take over a vendor’s email account and use it to send fake invoices to that vendor’s customers.
How vendor email compromise works
- Cybercriminals first break into a vendor’s email system, using phishing or spear phishing, credential stuffing, keyloggers, or other techniques.
- Once inside, they read the email traffic to learn billing cycles, vendors, and typical invoice amounts.
- Using the breached account or a look-alike email address, they send fake invoices with altered bank details to the vendor’s clients.
- Unsuspecting clients pay the invoices, sending funds to the cybercriminals’ accounts.
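The indicators in the steps above (a sender address that only resembles the vendor’s, bank details that differ from what is on file, an amount outside the vendor’s usual range) can be screened for automatically on the receiving side. The following is an added example written for this page, not code from the original; it assumes an accounts-payable workflow that hands each invoice over as a dict with the keys "from", "iban" and "amount", and a vendor master record holding the verified domain, verified bank details and recent paid amounts. All sample data is constructed.

```python
"""Defender-side screening of incoming vendor invoices for VEC indicators.

Added example, not part of the original page. Assumptions: each invoice is a
dict with keys "from", "iban" and "amount"; the VendorRecord comes from the
accounts-payable vendor master file. All sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class VendorRecord:
    name: str
    domain: str                  # verified sender domain from the vendor master record
    iban: str                    # verified bank details on file
    past_amounts: list[float] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance means a look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalize_iban(s: str) -> str:
    return "".join(s.split()).upper()


def screen_invoice(invoice: dict, vendor: VendorRecord) -> list[str]:
    """Return human-readable flags; an empty list means no indicator fired."""
    flags: list[str] = []

    # 1. Sender domain: exact match, look-alike, or unrelated.
    sender_domain = invoice["from"].rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.domain.lower():
        distance = edit_distance(sender_domain, vendor.domain.lower())
        if distance <= 2:
            flags.append(f"look-alike sender domain {sender_domain!r} "
                         f"(edit distance {distance} from {vendor.domain!r})")
        else:
            flags.append(f"sender domain {sender_domain!r} is not the vendor's {vendor.domain!r}")

    # 2. Bank details: the decisive check, because a genuinely breached
    #    vendor mailbox passes the domain check above.
    if _normalize_iban(invoice["iban"]) != _normalize_iban(vendor.iban):
        flags.append("bank details differ from the vendor master record; confirm by phone "
                     "using a number on file, not one from the invoice")

    # 3. Amount: flag values far outside the vendor's recent history.
    if len(vendor.past_amounts) >= 3:
        mu, sd = mean(vendor.past_amounts), pstdev(vendor.past_amounts)
        if sd and abs(invoice["amount"] - mu) > 3 * sd:
            flags.append(f"amount {invoice['amount']:.2f} is unusual for this vendor "
                         f"(recent mean {mu:.2f})")
    return flags


# Constructed sample data.
ACME = VendorRecord(
    name="Acme Construction",
    domain="acme-build.example",
    iban="GB29 NWBK 6016 1331 9268 19",
    past_amounts=[48000.0, 51000.0, 49500.0, 50200.0],
)

LEGIT_INVOICE = {"from": "billing@acme-build.example",
                 "iban": "GB29NWBK60161331926819", "amount": 50000.0}
# Fake invoice from a look-alike domain ('l' replaced by '1') with new bank details.
LOOKALIKE_INVOICE = {"from": "billing@acme-bui1d.example",
                     "iban": "GB82 WEST 1234 5698 7654 32", "amount": 50000.0}
# Fake invoice sent from the vendor's real, breached mailbox; only the bank details changed.
BREACHED_ACCOUNT_INVOICE = {"from": "billing@acme-build.example",
                            "iban": "GB82 WEST 1234 5698 7654 32", "amount": 50000.0}

if __name__ == "__main__":
    for label, inv in [("legit", LEGIT_INVOICE), ("look-alike", LOOKALIKE_INVOICE),
                       ("breached account", BREACHED_ACCOUNT_INVOICE)]:
        print(label, "->", screen_invoice(inv, ACME) or ["no indicators"])
```

The third sample invoice is the important one: when the attacker sends from the vendor’s genuine, breached mailbox, sender checks and even DMARC pass, and only the comparison of bank details against the master record catches it. That is why a change of payment details should always be confirmed out of band, using contact details already on file rather than anything printed on the invoice.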
Vendor email compromise example
A city government receives what seems like a regular invoice from its construction vendor. The only difference is the bank account details, which have been subtly changed. Trusting the vendor, the city transfers a significant amount of money. It takes the actual vendor following up about the unpaid invoice for the officials to realize they’ve been victims of a VEC scam.
Dangers of vendor email compromise
- Financial loss. Companies can lose significant amounts of money.
- Loss of trust. Both the vendor and client can suffer reputational damage, eroding trust.
- Data breach. Cybercriminals might gain access to sensitive company information during their email surveillance.
- Further compromise. The breach may not stop at email: the attackers can potentially gain deeper access to the company’s network.