Vendor Email Compromise (VEC): What AP and Finance Teams Should Know

Fraud has long been a concern of finance teams, but the COVID-19 pandemic has dramatically increased the risks. Closed offices and widespread teleworking have disrupted established accounts payable processes. Businesses have had to circumvent their own controls in order to get supplier payments out the door—in the process, increasing potential exposure to the virus when accounting personnel collect invoices delivered by mail and print and distribute checks for signatures.

Not surprisingly, cybercriminals or fraudsters are exploiting the overall confusion created by the pandemic—and the lapses in companies’ controls—to strike. The FBI and Interpol have reported a surge in both phishing and business email compromise (BEC) attacks. Of particular concern to AP teams is a variant of BEC called vendor email compromise.

An overview of business email compromise

Let’s take a step back and make sure we’re on the same page about what we mean by BEC. BEC is a form of social engineering. In this type of an attack, the fraudster impersonates someone you know: whether someone with authority, like an executive, or someone you trust, like an assistant. The fraudster wants to trick you into believing they are someone they are not. And if they manage to catch you short, what comes next is fraud: a fraudulent financial request, like updating account numbers, making wire transfers, purchasing gift cards, or paying fake invoices.

The someone you know is typically impersonated using one of the following techniques:

  • Fake e-mail addresses: Creating a free Gmail or Yahoo email address that appears to belong to the individual, or simply changing the display name (the From field) of a random hacked account. The fraudster might add “I’m tied up in a meeting” to the message along with “Sent from my iPhone” to make the target believe the email was accidentally sent from a personal account.
  • Copycat domain names: Registering a lookalike domain that appears deceptively similar to the company’s actual domain. This can be accomplished by adding random extensions (www.companyname-llc.com), or by replacing letters (o) with Cyrillic characters (о). Yes, they’re actually different!
  • Compromised e-mail account: Compromising an actual business email account by first sending a phishing email to harvest email credentials and then sending a BEC attack from the compromised account. In this case, the fraudulent request comes from a legitimate email account, which means most email filters are unlikely to block the threat.
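A defender can screen sender domains for the copycat patterns listed above before an invoice or bank-change request reaches AP. The following Python sketch is an added example, not code from the original article; the vendor allow-list, the homoglyph map and the function names are assumptions, and the input is expected in Unicode form rather than punycode.

```python
import unicodedata

# Constructed allow-list of vendor domains already on file (assumption).
KNOWN_VENDOR_DOMAINS = {"companyname.com", "acme-supplies.com"}

# Constructed, partial map of Cyrillic letters that render like Latin ones.
CYRILLIC_TO_LATIN = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456", "aeopcxyi")

def scripts(domain):
    """Scripts used by the letters of a domain, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in domain if ch.isalpha()}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender_domain(domain):
    """Return (verdict, matched_known_domain_or_None) for a sender's domain."""
    domain = domain.strip().lower().rstrip(".")
    if domain in KNOWN_VENDOR_DOMAINS:
        return ("known", domain)
    folded = domain.translate(CYRILLIC_TO_LATIN)
    if folded != domain and folded in KNOWN_VENDOR_DOMAINS:
        return ("homoglyph-lookalike", folded)
    if len(scripts(domain)) > 1:
        return ("mixed-script", None)
    name = folded.rsplit(".", 1)[0]
    for known in sorted(KNOWN_VENDOR_DOMAINS):
        known_name = known.rsplit(".", 1)[0]
        if name.startswith(known_name + "-") or name.endswith("-" + known_name):
            return ("added-extension-lookalike", known)
        if 0 < edit_distance(folded, known) <= 2:
            return ("near-match-lookalike", known)
    return ("unknown", None)
```

A "known" verdict only says the domain matches the vendor on file; it says nothing about the third technique, a compromised legitimate account, which has to be caught by process controls rather than domain checks.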

Fraudsters use psychology to prey on our sincere emotions to get us to do things we should not. And it doesn’t matter what our position is, or our responsibilities are—we can all be tricked. Well-crafted and emotionally resonant attacks are disarmingly effective at hitting their mark. We are ALL vulnerable to these sophisticated email attacks for one simple reason—we’re human. For example, “Shark Tank” judge Barbara Corcoran lost nearly $400,000 in a business email compromise scam. Corcoran’s book-keeper received an email from her assistant with instructions to wire a large sum of money to a vendor, and the book-keeper sent the wire. But it wasn’t Corcoran’s assistant that sent the email. It was a fraudster, and the money was lost.

What is vendor email compromise?

Vendor email compromise is a particularly insidious variant of BEC. In these attacks, the someone you know is a vendor or a supplier that you have a relationship with. Fraudsters use a compromised business email account from one of your vendors to build knowledge about potential targets—like you. A meticulously crafted, psychologically convincing, and well-timed e-mail may soon be on its way to your inbox.

Here is how a typical vendor email compromise attack unfolds:

  • Compromise a Vendor’s Email Account – The fraudster will first compromise a business email account belonging to one of your vendors. The way they typically do this is by sending phishing attacks impersonating Microsoft Office 365, Google, or other cloud services. The goal is to harvest the email credentials of someone working in finance or Accounts Receivable.
  • Gather Intelligence—and Wait – Once an account has been compromised, the fraudster begins gathering intelligence that’s used to plan the next attack. This intelligence gathering is insidious. They’ll set up forwarding rules to monitor the user’s emails. They might also target colleagues to better understand the vendor’s processes, such as your AP inbox, billing terms, or invoice status. When they are ready, they will wait for the opportune moment to strike.
  • Execute the VEC Attack – The fraudster will execute their attack with alarming precision, emailing someone on your AP team using the compromised account to submit a fake invoice or to update the vendor’s bank account number. In many cases, victims don’t realize they’ve been defrauded until the legitimate vendors call to check on payment status.

The financial and reputational impact of vendor email compromise

According to the FBI’s 2019 Internet Crime Report, US businesses lost $1.7 billion from business email compromise attacks in 2019. Moreover, researchers estimate that the typical BEC scam nets a fraudster $55,000 in profit.

The stakes for vendor email compromise are much higher, netting a whopping $125,000 on average. Beyond the direct cost of fraudulent payments, cybercrime incidents like vendor email compromise result in additional costs through investigation and incident response measures, implementation of stronger security controls and additional technology, and more.

Both parties involved may also suffer reputational damage. Concerned with being targeted themselves, customers may be wary of continuing to do business with that vendor. The reputation of the company that paid the fraudulent invoice could also take a hit. Their customers may question the company’s security controls and how adequately their payment information is being protected.

Companies of all sizes are targets of vendor email compromise

Because BEC and vendor email compromise victims that make headlines tend to be large organizations, mid-market CFOs and finance teams may think they are flying under the radar. Just the opposite is true. Fraudsters are increasingly targeting SMBs and mid-market businesses because they typically have fewer resources and controls to identify and respond to such attacks.

So, what’s the best way to prevent vendor email compromise? For starters, train employees, especially those working in accounts payable. Learn how to detect BEC and vendor email compromise attacks. On top of that, clearly define processes for handling payments and financial transactions: protect access to sensitive accounts with two-factor authentication, use tiered approvals, segregation of duties, and confirmation procedures when sensitive vendor information changes. An AP automation solution like MineralTree can help enforce these controls.
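The process controls named above (tiered approvals, segregation of duties, confirmation of vendor changes) can be expressed as a gate that a payment must pass before release. This Python sketch is an added example, not MineralTree's implementation; the approval tiers, record fields and account labels are constructed assumptions.

```python
# Assumed policy for this example: (amount ceiling, independent approvers needed).
APPROVAL_TIERS = [(10_000, 1), (50_000, 2), (float("inf"), 3)]

def approvers_required(amount):
    """Look up how many independent approvers the amount's tier demands."""
    return next(n for ceiling, n in APPROVAL_TIERS if amount <= ceiling)

def release_blockers(payment, vendor):
    """Return the controls a payment fails; an empty list means it may be released."""
    blockers = []
    # Segregation of duties: the person who keyed the payment cannot approve it.
    independent = set(payment["approvers"]) - {payment["entered_by"]}
    if payment["entered_by"] in payment["approvers"]:
        blockers.append("sod-preparer-approved")
    # Tiered approvals: larger amounts need more independent approvers.
    if len(independent) < approvers_required(payment["amount"]):
        blockers.append("tier-approvers-missing")
    # Confirmation procedure: a bank change must be verified by someone else.
    change = vendor.get("pending_bank_change")
    if change:
        if change.get("confirmed_by") is None:
            blockers.append("bank-change-unconfirmed")
        elif change["confirmed_by"] == change["changed_by"]:
            blockers.append("sod-change-self-confirmed")
    if payment["pay_to_account"] != vendor["account_on_file"]:
        blockers.append("account-not-on-file")
    return blockers

# Constructed records: a bank change requested by email, then a payment to it.
VENDOR_AFTER_EMAIL = {
    "account_on_file": "ACCT-ON-FILE",
    "pending_bank_change": {"new_account": "ACCT-FROM-EMAIL",
                            "changed_by": "alice", "confirmed_by": None},
}
SUSPECT_PAYMENT = {"amount": 125_000, "pay_to_account": "ACCT-FROM-EMAIL",
                   "entered_by": "alice", "approvers": ["alice", "bob"]}

# Constructed records: a routine payment to the account already on file.
VENDOR_STABLE = {"account_on_file": "ACCT-ON-FILE"}
ROUTINE_PAYMENT = {"amount": 8_000, "pay_to_account": "ACCT-ON-FILE",
                   "entered_by": "alice", "approvers": ["bob"]}
```

Calling `release_blockers(SUSPECT_PAYMENT, VENDOR_AFTER_EMAIL)` lists every control the emailed bank change would have had to defeat, while the routine payment returns an empty list.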

Through vendor email compromise, businesses of all sizes face greater risk from their suppliers, as unsuspecting employees may be duped into completing fraudulent invoice payments. The good news is that people, process, and technology can work together to create checks and balances, and stronger overall security controls that aid in prevention.


Kevin Eberman, Senior Director of Information Security, MineralTree

Kevin Eberman has proven ability and an enduring enthusiasm for Information Security. A Certified Information Systems Security Professional (CISSP), Kevin has more than 20 years of experience managing Information Security, Operations, and IT groups at startups and large technology companies. He has extensive technical knowledge of security, software development, cloud operations, networking, and high-availability solutions. As MineralTree’s Senior Director of Information Security, Kevin has shepherded the entire organization through a number of security certifications, including SOC 1, SOC 2, and PCI-DSS Level 1 Service Provider. As technology continues to evolve in new and exciting ways, Kevin and his team will continue playing a pivotal part in keeping MineralTree and its customers’ data secure. Follow Kevin on Twitter @Manager_of_it.