Fraud has long been a concern of finance teams, but the COVID-19 pandemic has dramatically increased the risk. Closed offices and widespread teleworking have disrupted established accounts payable processes. Businesses have had to circumvent their own controls in order to get supplier payments out the door, and in the process have increased their exposure to the virus as accounting personnel collect invoices delivered by mail, then print and circulate checks for signature.
Not surprisingly, cybercriminals and fraudsters are exploiting the confusion created by the pandemic, and the lapses in companies’ controls, to strike. The FBI and Interpol have reported a surge in both phishing and business email compromise (BEC) attacks. Of particular concern to AP teams is a variant of BEC called vendor email compromise (VEC).
An overview of business email compromise
Let’s take a step back and make sure we’re on the same page about what we mean by BEC. BEC is a form of social engineering. In this type of attack, the fraudster impersonates someone you know: either someone with authority, like an executive, or someone you trust, like an assistant. The aim is to make you believe they are someone they are not. If they catch you off guard, what follows is fraud: a fraudulent financial request, such as updating bank account numbers, sending a wire transfer, buying gift cards, or paying a fake invoice.
The “someone you know” is typically impersonated using one of the following techniques:
- Fake email addresses: Creating a free Gmail or Yahoo address that appears to belong to the individual, or simply changing the display name (the From field) of a random hacked account. The fraudster might add “I’m tied up in a meeting” and “Sent from my iPhone” to the message so the target believes the email was sent in a hurry from a personal account.
- Copycat domain names: Registering a lookalike domain that is deceptively similar to the company’s real domain. This can be done by adding extra tokens (www.companyname-llc.com), or by replacing Latin letters such as o with visually identical Cyrillic characters such as о. Yes, they really are different characters, and a mail client renders them identically; on the wire such internationalized domains travel as an ASCII label beginning with xn--, which is one thing a filter can key on.
- Compromised email account: Taking over a real business email account, first by sending a phishing email to harvest its credentials and then sending the BEC message from the compromised mailbox. In this case the fraudulent request comes from a legitimate account, passes SPF, DKIM and DMARC checks, and is unlikely to be blocked by most email filters.
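The following Python is an added example, not code from the original post. It screens a From: header against a vendor master record for the three techniques just listed: a trusted display name on a free-mail address, a lookalike domain (extra tokens, or Unicode homoglyphs, whether sent as raw Unicode or as an xn-- label), and the one case a header check cannot catch, mail from the vendor’s genuine domain. The vendor domain and every sample header are constructed for the example.

```python
"""Screen inbound From: headers against a vendor master record (added example)."""
import unicodedata
from email.utils import parseaddr

KNOWN_VENDOR_DOMAINS = {"acme-supply.com"}          # constructed vendor master data
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Cyrillic and Greek letters that render like Latin ones (a deliberately small
# map; a production filter would use the full Unicode confusables table).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03bd": "v",
})


def skeleton(domain: str) -> str:
    """Fold a domain to the ASCII form a human reads: decode xn-- (punycode)
    labels, NFKC-normalise, lowercase, then map homoglyphs to Latin."""
    try:
        domain = domain.encode("ascii").decode("idna")   # xn--... -> Unicode
    except UnicodeError:
        pass                                             # already Unicode
    return unicodedata.normalize("NFKC", domain).lower().translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character near misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> dict:
    """Return {'address', 'verdict', 'reasons'} for one From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    folded = skeleton(domain)
    reasons = []

    if domain in KNOWN_VENDOR_DOMAINS:
        # Genuine domain: SPF/DKIM/DMARC pass. Only account compromise remains,
        # so any bank-detail change still needs out-of-band confirmation.
        return {"address": addr, "verdict": "known-domain",
                "reasons": ["matches vendor record; verify payment changes out of band"]}

    if domain in FREE_MAIL_DOMAINS:
        reasons.append("free-mail domain")
    if folded != domain:
        reasons.append("domain contains non-ASCII or homoglyph characters")

    for vendor in KNOWN_VENDOR_DOMAINS:
        vendor_word = vendor.split(".")[0]               # e.g. "acme-supply"
        if folded == vendor:
            reasons.append(f"homoglyph of {vendor}")
        elif levenshtein(folded, vendor) <= 2:
            reasons.append(f"near miss of {vendor}")
        elif vendor_word in folded:
            reasons.append(f"contains vendor name {vendor}")
        # Display name borrowing the vendor's name on a foreign domain.
        if vendor_word.replace("-", " ") in name.lower().replace("-", " "):
            reasons.append(f"display name claims {vendor} but domain is {domain}")

    verdict = "suspicious" if reasons else "unknown-domain"
    return {"address": addr, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample headers (not real senders).
    samples = [
        '"Dana Lee (Acme Supply)" <dana.lee@acme-supply.com>',
        '"Dana Lee (Acme Supply)" <dana.lee.acme@gmail.com>',
        '"Acme Supply Billing" <billing@acme-supply-llc.com>',
        '"Dana Lee" <dana.lee@acme-suppl\u0443.com>',      # Cyrillic у in place of y
    ]
    for s in samples:
        print(classify_sender(s))
```

The “known-domain” verdict is deliberately not a green light: it is exactly the case the third technique produces, and the only defence there is process (callback to a number already on file), not header inspection.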
Fraudsters use psychology to prey on our genuine emotions and get us to do things we should not. It doesn’t matter what our position or responsibilities are: we can all be tricked. Well-crafted, emotionally resonant attacks are disarmingly effective at hitting their mark. We are ALL vulnerable to these sophisticated email attacks for one simple reason: we’re human. For example, “Shark Tank” judge Barbara Corcoran lost nearly $400,000 in a business email compromise scam. Corcoran’s bookkeeper received an email that appeared to come from her assistant, with instructions to wire a large sum of money to a vendor, and the bookkeeper sent the wire. But it wasn’t Corcoran’s assistant who sent the email. It was a fraudster, and the money was lost.
What is vendor email compromise?
Vendor email compromise is a particularly insidious variant of BEC. Here, the someone you know is a vendor or supplier you already have a relationship with. Fraudsters use a compromised business email account at one of your vendors to build knowledge about potential targets, like you. A meticulously crafted, psychologically convincing and well-timed email may soon be on its way to your inbox.
Here is how a typical vendor email compromise attack unfolds:
- Compromise a vendor’s email account: The fraudster first compromises a business email account belonging to one of your vendors. They typically do this by sending phishing emails impersonating Microsoft Office 365, Google, or another cloud service, with the goal of harvesting the email credentials of someone working in finance or Accounts Receivable.
- Gather intelligence, and wait: Once an account has been compromised, the fraudster gathers the intelligence needed to plan the next attack. This reconnaissance is insidious. They’ll set up inbox rules that forward the user’s mail to an address they control, or that hide replies so the real user never notices the conversation. They might also work on colleagues to better understand the vendor’s processes, such as your AP inbox, billing terms, or invoice status. Then they wait for the opportune moment to strike.
- Execute the VEC attack: The fraudster executes the attack with alarming precision, emailing someone on your AP team from the compromised account to submit a fake invoice or to update the vendor’s bank account number. In many cases, victims don’t realize they’ve been defrauded until the legitimate vendor calls to check on payment status.
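The inbox rules planted in step 2 are one of the few durable artefacts an attacker leaves in a vendor’s mailbox, so they are worth auditing. The Python below is an added example, not code from the original post or from any mail product. The rule records are constructed; their field names loosely follow the properties Exchange Online reports for inbox rules (Name, MailboxOwnerId, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, MarkAsRead, SubjectContainsWords, BodyContainsWords), but the export layout and the vendor’s own domain are assumptions.

```python
"""Audit exported inbox rules for VEC forwarding and hiding patterns (added example)."""

INTERNAL_DOMAINS = {"acme-supply.com"}   # assumption: the vendor's own mail domain
FINANCE_WORDS = {"invoice", "payment", "wire", "remit", "remittance",
                 "bank", "ach", "account", "statement"}
# Folders attackers commonly use to bury mail so the real user never sees it.
BURIAL_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history", "notes"}


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _words(rule: dict) -> set:
    """Every word in the rule's subject/body conditions, lowercased."""
    phrases = rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])
    return {w for phrase in phrases for w in phrase.lower().split()}


def audit_rules(rules: list) -> list:
    """Return one finding per suspicious rule: {'rule', 'mailbox', 'severity', 'reasons'}."""
    findings = []
    for rule in rules:
        reasons = []
        targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                   + rule.get("ForwardAsAttachmentTo", []))
        external = [t for t in targets if _domain(t) not in INTERNAL_DOMAINS]
        if external:
            reasons.append("forwards or redirects to external address: " + ", ".join(external))

        hits = _words(rule) & FINANCE_WORDS
        hides = (rule.get("DeleteMessage", False)
                 or rule.get("MarkAsRead", False)
                 or rule.get("MoveToFolder", "").lower() in BURIAL_FOLDERS)
        if hits and hides:
            reasons.append("hides finance mail matching: " + ", ".join(sorted(hits)))

        # Attackers often name rules with a single dot or nothing at all.
        if rule.get("Name", "").strip() in {"", ".", ",", "..", "-", "_"}:
            reasons.append("blank or punctuation-only rule name")

        if reasons:
            findings.append({
                "rule": rule.get("Name", ""),
                "mailbox": rule.get("MailboxOwnerId", ""),
                "severity": "high" if external else "medium",
                "reasons": reasons,
            })
    return findings


# Constructed sample export for one Accounts Receivable mailbox (not real data).
SAMPLE_RULES = [
    {"MailboxOwnerId": "dana.lee@acme-supply.com", "Name": "Newsletters",
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
    {"MailboxOwnerId": "dana.lee@acme-supply.com", "Name": ".",
     "SubjectContainsWords": ["invoice", "payment"],
     "ForwardTo": ["acme.billing.ar@gmail.com"], "MarkAsRead": True},
    {"MailboxOwnerId": "dana.lee@acme-supply.com", "Name": "Clean up",
     "BodyContainsWords": ["wire", "bank account"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

The second rule is the classic foothold (external forward of anything mentioning invoices, with the original marked read); the third is the quieter variant that merely buries payment correspondence so a real reply from the customer is never seen. Both appear in the findings; the newsletter rule does not.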
The financial and reputational impact of vendor email compromise
According to FBI figures, US businesses lost $1.7 billion to business email compromise attacks in 2019. Moreover, researchers estimate that the typical BEC scam nets a fraudster $55,000 in profit.
The stakes for vendor email compromise are much higher, netting a whopping $125,000 on average. Beyond the direct cost of the fraudulent payment, an incident like vendor email compromise brings further costs: investigation and incident response, implementation of stronger security controls and additional technology, and more.
Both parties may also suffer reputational damage. Concerned about being targeted themselves, customers may be wary of continuing to do business with the compromised vendor. The reputation of the company that paid the fraudulent invoice can take a hit as well, since its own customers may question its security controls and how adequately their payment information is being protected.
Companies of all sizes are targets of vendor email compromise
Because the BEC and vendor email compromise victims that make headlines tend to be large organizations, mid-market CFOs and finance teams may think they are flying under the radar. Just the opposite is true. Fraudsters are increasingly targeting SMBs and mid-market businesses precisely because they typically have fewer resources and controls to identify and respond to such attacks.
So, what’s the best way to prevent vendor email compromise? For starters, train employees, especially those working in accounts payable, to recognize BEC and vendor email compromise attacks. On top of that, clearly define processes for handling payments and financial transactions: protect email and payment-system accounts with two-factor authentication, use tiered approvals and segregation of duties, and confirm any change to vendor bank details by calling a number already on file, never one supplied in the change request itself. An AP automation solution can help enforce these controls consistently.
Through vendor email compromise, businesses of all sizes face greater risk from their suppliers, as unsuspecting employees may be duped into paying fraudulent invoices. The good news is that people, process, and technology can work together to create checks and balances, and stronger overall security controls that aid in prevention.
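To make the payment controls above concrete, here is an added example in Python (not code from the original post or from any AP product) that walks a constructed VEC bank-change request through them: the callback must go to the phone number on the vendor master record rather than the one in the email, the approver must be a different person from the clerk who keyed in the request, and the new account is not paid until a hold period has elapsed. The vendor record, phone numbers, account identifiers and the three-day hold are all constructed assumptions.

```python
"""Bank-detail change workflow enforcing callback, two-person approval and a hold (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

HOLD_DAYS = 3   # assumption: new bank details are not paid until this many days pass


class ControlViolation(Exception):
    """Raised when a change request would bypass a required control."""


@dataclass
class Vendor:
    name: str
    bank_account: str
    phone_on_file: str              # from the vendor master record, never from an email


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    requested_by: str               # AP clerk who keyed the request in
    contact_phone_in_request: str   # whatever the (possibly forged) email claims


@dataclass
class Callback:
    number_dialed: str
    performed_by: str
    vendor_confirmed: bool


def verify_callback(vendor: Vendor, request: BankChangeRequest, cb: Callback) -> None:
    """Out-of-band confirmation must use the number on file, not the one in the email."""
    if cb.number_dialed != vendor.phone_on_file:
        raise ControlViolation(
            f"callback went to {cb.number_dialed}; number on file is {vendor.phone_on_file} "
            f"(the request's own number {request.contact_phone_in_request} is not trusted)")
    if not cb.vendor_confirmed:
        raise ControlViolation("vendor did not confirm the change by phone")


def approve_bank_change(vendor: Vendor, request: BankChangeRequest, cb: Callback,
                        approver: str, today: date) -> dict:
    """Apply every control; return the approved change with its effective date."""
    if request.vendor != vendor.name:
        raise ControlViolation("request does not match the vendor record")
    verify_callback(vendor, request, cb)
    if approver == request.requested_by:        # segregation of duties
        raise ControlViolation("approver must be a different person from the requester")
    return {"vendor": vendor.name, "old_account": vendor.bank_account,
            "new_account": request.new_account,
            "effective": today + timedelta(days=HOLD_DAYS),
            "requested_by": request.requested_by, "confirmed_by": cb.performed_by,
            "approved_by": approver}


def payable_account(vendor: Vendor, change, pay_date: date) -> str:
    """Pay the new account only once the hold has elapsed; otherwise the old one."""
    if change and change["vendor"] == vendor.name and pay_date >= change["effective"]:
        return change["new_account"]
    return vendor.bank_account


def attempt(vendor, request, cb, approver, today):
    """Return ('approved', change) or ('blocked', reason) for reporting."""
    try:
        return "approved", approve_bank_change(vendor, request, cb, approver, today)
    except ControlViolation as exc:
        return "blocked", str(exc)


def run_scenario(today: date = date(2020, 6, 1)) -> dict:
    """Walk a constructed VEC attempt through the controls and report each outcome."""
    acme = Vendor("Acme Supply", "OLD-0001", "+1-555-0100")
    # The forged email: "we have changed banks; confirm on my new direct line".
    req = BankChangeRequest("Acme Supply", "NEW-9999", "pat.clerk", "+1-555-0199")
    good_call = Callback("+1-555-0100", "pat.clerk", vendor_confirmed=True)
    out = {
        "called_number_in_email": attempt(acme, req, Callback("+1-555-0199", "pat.clerk", True),
                                          "chris.manager", today)[0],
        "vendor_denied": attempt(acme, req, Callback("+1-555-0100", "pat.clerk", False),
                                 "chris.manager", today)[0],
        "self_approved": attempt(acme, req, good_call, "pat.clerk", today)[0],
    }
    status, change = attempt(acme, req, good_call, "chris.manager", today)
    out["proper"] = status
    out["effective"] = change["effective"].isoformat()
    out["paid_day_after"] = payable_account(acme, change, today + timedelta(days=1))
    out["paid_after_hold"] = payable_account(acme, change, change["effective"])
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

The hold period matters because a compromised vendor account can answer a confirmation email convincingly; only the phone call to a pre-existing number and the delay before the first payment give the real vendor a chance to notice and object.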

