Finance is likely all too familiar with business email compromise. But now, a variation of those scams – referred to as vendor email compromise (VEC) – is growing and putting your company's money at risk.
So says Crane Hassold, the head of threat research at Agari Cyber Intelligence Division. According to Hassold, VEC scams occur when a vendor’s account is infiltrated and used to send messages to your finance department, typically asking for payment on a pre-existing invoice.
The finer points
Why do finance staffers tend to fall for VEC scams?
Simply put, they hide in plain sight and are quite hard to detect. They target vendors your staff is used to conversing and working with. And since the scammer compromises a vendor’s real account, they can “lie in wait,” observing as exchanges flow back and forth. As a result, they know how to appear legitimate when they finally go in for the attack.
Going forward, thwarting VEC scams will require your staffers to continually analyze authentic-looking emails and look for discrepancies. And it helps if they know exactly how these scams are carried out.
Here’s a three-part rundown you can share with your finance staff:
- The invasion: First, criminals break into a real vendor email account, typically using lures that mimic apps like OneDrive or DocuSign.
- The manipulation: Inside the vendor's email account, the attackers set up forwarding so copies of incoming emails go to a fake account they've created. They can then read through the emails containing real invoices and duplicate them later.
- The follow-through: The criminals email your finance staff requesting payment of an invoice that's due.
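The manipulation step above is the one a mail administrator can look for directly: a forwarding rule that sends copies of a mailbox's incoming mail to an address outside the organization. The following audit is an added example written for this article, not code from Agari or from the original piece; the rule records, mailbox names and domains are constructed, and a real audit would export the rules from the mail platform.

```python
"""Audit mailbox forwarding rules for external destinations.

Added example (not from the article or Agari): flags rules that forward
or redirect copies of incoming mail to addresses outside a set of
trusted domains, the pattern used in the 'manipulation' stage of a VEC
scam. Rule records below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class MailboxRule:
    mailbox: str          # owner of the mailbox the rule lives in
    name: str             # rule name as shown in the mail client
    forward_to: list      # addresses the rule forwards/redirects to
    deletes_original: bool = False  # whether the rule also hides the copy


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def suspicious_forwarding_rules(rules, trusted_domains):
    """Return rules that forward to any address outside trusted_domains.

    Each finding is (mailbox, rule name, external destinations, severity).
    Severity is 'high' when the rule also deletes the original message,
    because that hides the copying from the mailbox owner.
    """
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for rule in rules:
        external = [a for a in rule.forward_to if domain_of(a) not in trusted]
        if external:
            severity = "high" if rule.deletes_original else "medium"
            findings.append((rule.mailbox, rule.name, external, severity))
    return findings


# Constructed sample rules; names and domains are hypothetical.
# A rule named "." with deletion enabled is the kind of low-visibility rule
# an intruder leaves behind so the mailbox owner does not notice it.
SAMPLE_RULES = [
    MailboxRule("ap@vendor.example", "Invoices to accounting",
                ["accounting@vendor.example"]),
    MailboxRule("ap@vendor.example", ".",
                ["ap.vendor.example@mail-relay.invalid"], deletes_original=True),
    MailboxRule("sales@vendor.example", "CRM copy",
                ["crm@vendor.example", "backup@archive.invalid"]),
]
TRUSTED_DOMAINS = ["vendor.example"]

if __name__ == "__main__":
    for finding in suspicious_forwarding_rules(SAMPLE_RULES, TRUSTED_DOMAINS):
        print(finding)
```

Run against the sample data, the audit reports the hidden rule in the accounts-payable mailbox as high severity and the external "backup" copy as medium; the internal-only rule is not reported.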
A VEC key to remember
Once your staff understands these scams, how can they work to avoid them?
Here’s one foolproof way they can catch scammers in the act: Check whether the bank account where the vendor’s payment is usually sent has changed.
If it has, that’s a potential sign of a VEC scam. Encourage your staff to halt the process there and consult their manager, so company funds don’t get into the wrong hands.
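The check the article recommends, comparing the bank details on an incoming payment request with the account already on file for that vendor, can be automated at the point where requests enter the payment workflow. The code below is an added example, not the article's or Agari's own tooling; the vendor master record, the payment requests and their field names are constructed for illustration.

```python
"""Hold payment requests whose bank details differ from the vendor record.

Added example (not from the article or Agari): implements the article's
check, "has the bank account where the vendor's payment is usually sent
changed?", against a vendor master table. Records are constructed.
"""
from dataclasses import dataclass
import re


@dataclass
class VendorRecord:
    vendor_id: str
    bank_name: str
    account_number: str
    routing_number: str


@dataclass
class PaymentRequest:
    vendor_id: str
    invoice_id: str
    amount: float
    bank_name: str
    account_number: str
    routing_number: str


def normalize(value: str) -> str:
    """Drop spaces, dashes and case so formatting alone never masks a change."""
    return re.sub(r"[\s\-]", "", value).upper()


def check_payment_request(request, vendor_master):
    """Return ('ok', []) or ('hold', reasons) for one payment request.

    Any difference in bank name, account number or routing number from
    the vendor master record is a reason to hold the payment; a vendor
    with no master record is held as well, since there is nothing to
    compare against.
    """
    record = vendor_master.get(request.vendor_id)
    if record is None:
        return ("hold", ["vendor not in master data"])
    reasons = []
    for field in ("bank_name", "account_number", "routing_number"):
        if normalize(getattr(request, field)) != normalize(getattr(record, field)):
            reasons.append(f"{field} differs from vendor record")
    return ("hold", reasons) if reasons else ("ok", [])


# Constructed vendor master data and requests; all values are hypothetical.
VENDOR_MASTER = {
    "V-1001": VendorRecord("V-1001", "First Example Bank", "1234-5678", "021000021"),
}
SAMPLE_REQUESTS = [
    # Same account as on file, only formatted differently: should pass.
    PaymentRequest("V-1001", "INV-7781", 18250.00,
                   "first example bank", "12345678", "021000021"),
    # Same invoice, but the payout account has changed: should be held.
    PaymentRequest("V-1001", "INV-7781", 18250.00,
                   "Other Example Bank", "9988-7766", "026009593"),
    # Vendor unknown to the master data: should be held.
    PaymentRequest("V-2002", "INV-0001", 500.00,
                   "First Example Bank", "1234-5678", "021000021"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.vendor_id, req.invoice_id, check_payment_request(req, VENDOR_MASTER))
```

A held request should be confirmed with the vendor through a channel other than the email thread (for example, a phone number already on file), because in a VEC scam the vendor's mailbox itself is under the attacker's control and any reply in the thread may come from them.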