COMMENTARY: Most people think of cyberattacks as complex, technical breaches: malware, ransomware, exploits. But often the most successful attacks are simple. They are the text-based emails that get read, replied to, and acted on. And increasingly, they are not coming from someone pretending to be a CEO, like the gift card scams of the past. They are coming from another trusted entity: the supply chain.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Threat intelligence from our team confirms what I have seen in the field: vendor email compromise (VEC) has become the attack vector no one wants to talk about, but everyone needs to understand.

In analyzing data across more than 1,400 organizations, we found that employees in large enterprises engage with malicious vendor messages 72% of the time. Not just clicked, and not reported, but actually engaged, which can mean paying a fake invoice, changing bank account details, or sharing sensitive information.

If companies are not actively securing their vendor communications, they are missing one of the most exploited and least protected attack vectors in the enterprise. And in this case, trust without verification can cost a business millions.

Mick Leach, Field CISO, Abnormal AI
Bad actors prey on trusted relationships
Security practitioners have generally done a decent job training employees to stay skeptical of odd internal requests. We run phishing simulations with spoofed executive names or IT notices, but very few organizations train people to question their vendors.

Why would they? Most teams are encouraged to build trusted, long-standing relationships with third-party partners to maximize value, so when an invoice comes in from a vendor the company has worked with for years, they are not thinking "attack." They are thinking: "I need to get this paid."

Attackers know this and are exploiting it. During the observation period covered in our report, we saw more than $300 million in attempted vendor fraud. And that number only includes what our team observed; the true figure is undoubtedly much higher.

The takeaway: encourage employees to slow down, think twice, confirm requests through a separate communication channel (a phone number already on file, not one supplied in the email), and always report suspicious messages.

Most attacks aren't reported because they don't look like attacks

Our research found that nearly all (98.5%) advanced text-based VEC attacks go unreported by employees. This is not surprising when you consider that these attacks do not trigger the same warning signs as other phishing attempts. There are no suspicious links, no obviously misspelled domains, and no attachments riddled with malware. They are clean, well-written emails that look like a real invoice or a real project update.

It is the same reason most secure email gateways will not catch them either: they contain no known indicators of compromise, so they slip past both the human and the technology-based defenses.

Two pillars for defending against VECs
VEC attacks succeed because they exploit trust and slip past technology that was built to look for malware. Legacy defenses designed to catch malicious links or attachments simply are not enough. To protect the organization, the team needs to evolve its strategy by layering these two pillars:

- Educate employees: Humans are the most vulnerable element of an organization's cybersecurity strategy, and that is why they have a major role in stopping VEC attacks. While it is human nature to trust known vendors, ongoing security awareness training can help employees recognize red flags. Even when emails are perfectly written, train employees to be skeptical of any message requesting a payment, a change to banking details, or sensitive information, especially when it carries a sense of urgency, and to verify such requests through a channel that does not depend on anything in the email itself.
- Look beyond known attributes to understand behavior: The onus does not fall on humans alone. Awareness is harder to train as threats grow more sophisticated, especially as attackers increasingly hijack real vendor accounts or register near-perfect lookalike domains. Look for behavioral analysis tools that baseline normal vendor behavior (who sends, from which domain, at what times, for what amounts, to which bank account) and detect subtle anomalies: a request arriving outside normal business hours, an invoice far above the usual amount, or a sudden change in remittance details. Even the most vigilant employees are often deceived by a well-crafted, contextually relevant email. That is why awareness must be paired with technology that offers real-time visibility into vendor behavior and automatically flags inconsistencies for verification before a payment goes out.
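To make the "baseline, then flag anomalies" idea concrete, here is a small Python illustration written for this column. It is not Abnormal AI's product logic and every vendor name, domain, amount and account number in it is constructed sample data. It learns one vendor's normal sending domain, send hours, invoice amounts and bank account from past paid invoices, then scores a new message on the signals the text describes (lookalike domain, reply-to mismatch, off-hours send, unusual amount, changed account, payment-change and urgency language) and holds anything over a threshold for out-of-band verification.

```python
"""Baseline-and-anomaly check for vendor invoice e-mail (added illustration,
not Abnormal AI code). All vendor data below is constructed sample data."""
import re
import statistics
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

ACCOUNT_RE = re.compile(r"\b(?:IBAN|account(?: number| no\.?)?)[:\s]+([A-Z0-9]{8,34})\b", re.I)
AMOUNT_RE = re.compile(r"(?:USD|\$)\s?([\d,]+(?:\.\d{2})?)")
CHANGE_RE = re.compile(r"\b(?:new|updated?|changed?)\b.{0,40}\b(?:bank|account|banking|remittance)\b", re.I)
URGENT_RE = re.compile(r"\b(?:urgent|immediately|today|asap|overdue)\b", re.I)
HOLD_THRESHOLD = 3   # total flag weight at which a message is held for out-of-band verification


@dataclass
class Baseline:
    """What 'normal' looks like for one vendor, learned from invoices that were actually paid."""
    domains: Counter = field(default_factory=Counter)   # sending domains seen
    hours: Counter = field(default_factory=Counter)     # UTC hour-of-day of past mail
    amounts: list = field(default_factory=list)         # invoice amounts seen
    account: Optional[str] = None                       # bank account on the last paid invoice


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a known domain is a lookalike, not a stranger."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_baseline(history: list) -> Baseline:
    """history: non-empty list of past messages from this vendor that were verified and paid."""
    b = Baseline()
    for msg in history:
        b.domains[sender_domain(msg["from"])] += 1
        b.hours[msg["sent"].hour] += 1
        if m := AMOUNT_RE.search(msg["body"]):
            b.amounts.append(float(m.group(1).replace(",", "")))
        if a := ACCOUNT_RE.search(msg["body"]):
            b.account = a.group(1).upper()
    return b


def score_message(msg: dict, b: Baseline) -> dict:
    """Return weighted anomaly flags for one message and a hold/deliver decision."""
    flags = []
    dom = sender_domain(msg["from"])
    if dom not in b.domains:
        lookalike = any(edit_distance(dom, known) <= 2 for known in b.domains)
        flags.append(("lookalike_domain", 3) if lookalike else ("unknown_domain", 2))
    if msg.get("reply_to") and sender_domain(msg["reply_to"]) != dom:
        flags.append(("reply_to_mismatch", 2))
    lo, hi = min(b.hours), max(b.hours)               # one hour of slack either side of the baseline
    if not (lo - 1 <= msg["sent"].hour <= hi + 1):
        flags.append(("outside_normal_hours", 1))
    if m := AMOUNT_RE.search(msg["body"]):
        amount = float(m.group(1).replace(",", ""))
        if len(b.amounts) >= 2:                        # mean + 3 sigma, but never below 1.5x the largest seen
            limit = max(statistics.mean(b.amounts) + 3 * statistics.stdev(b.amounts), 1.5 * max(b.amounts))
        else:
            limit = 2 * max(b.amounts, default=amount)
        if amount > limit:
            flags.append(("unusual_amount", 2))
    if (a := ACCOUNT_RE.search(msg["body"])) and b.account and a.group(1).upper() != b.account:
        flags.append(("bank_account_changed", 3))
    if CHANGE_RE.search(msg["body"]):
        flags.append(("payment_change_language", 1))
    if URGENT_RE.search(msg["body"]):
        flags.append(("urgency_language", 1))
    score = sum(w for _, w in flags)
    return {"score": score, "flags": [n for n, _ in flags],
            "action": "hold" if score >= HOLD_THRESHOLD else "deliver"}


def _utc(y, mo, d, h):
    return datetime(y, mo, d, h, tzinfo=timezone.utc)

# Constructed sample data: four paid invoices from the vendor's real mailbox.
HISTORY = [
    {"from": "ap@northwind-supply.example", "sent": _utc(2024, 1, 9, 14),
     "body": "Invoice 2190 attached. Amount due USD 4,200.00. IBAN: GB29NWBK60161331926819"},
    {"from": "ap@northwind-supply.example", "sent": _utc(2024, 2, 8, 15),
     "body": "Invoice 2193 attached. Amount due USD 4,350.00. IBAN: GB29NWBK60161331926819"},
    {"from": "ap@northwind-supply.example", "sent": _utc(2024, 3, 11, 13),
     "body": "Invoice 2197 attached. Amount due USD 4,100.00. IBAN: GB29NWBK60161331926819"},
    {"from": "ap@northwind-supply.example", "sent": _utc(2024, 4, 9, 14),
     "body": "Invoice 2199 attached. Amount due USD 4,500.00. IBAN: GB29NWBK60161331926819"},
]
BENIGN = {"from": "ap@northwind-supply.example", "sent": _utc(2024, 5, 9, 14),
          "body": "Invoice 2201 attached. Amount due USD 4,300.00. IBAN: GB29NWBK60161331926819 as usual."}
# Lookalike domain: capital I in place of the l in "supply"; free-mail reply-to; 03:00 UTC.
SUSPICIOUS = {"from": "ap@northwind-suppIy.example", "reply_to": "northwind.billing@freemail.example",
              "sent": _utc(2024, 5, 10, 3),
              "body": "URGENT: Invoice 2205 is overdue, please remit today to our updated bank account. "
                      "IBAN: DE89370400440532013000. Amount due USD 48,500.00."}

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for label, msg in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, score_message(msg, baseline))
```

The weights and threshold are illustrative; in practice the baseline would be built per vendor from a ledger of verified payments, the "hold" action would route the message to accounts payable with a prompt to call the vendor on a number already on file, and flags such as a changed bank account would justify a hold on their own regardless of the rest of the score.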