What Is Vendor Email Compromise (VEC) & How Can You Protect Against It?
With so many different cyberthreats these days (and new ones emerging every year), it’s hard for organisations and individuals alike to stay on top of what to look out for, and how to protect themselves.
For those who are new to the concept, Vendor Email Compromise (VEC) is an increasingly common type of attack used by malicious actors to gain access to an organisation’s emails or networks. If you’ve heard of Business Email Compromise (BEC) before, you could consider VEC to be its younger sibling.
How Vendor Email Compromise (VEC) Works
In a VEC attack, the attacker steals credentials of an organisation’s supplier and sends email messages from their account. These messages typically appear to be legitimate and can include requests for payment, confidential information, or attachments designed to compromise the target's system.
Needless to say, this is a terrifying prospect for any organisation. VEC attacks can cause unprecedented damage to business partners, customers and stakeholders, with the average cost reaching a staggering $183,000.
The goal of a VEC attack is often to gain access to sensitive data or financial resources held in the victim’s network. To do this, the attacker may use sophisticated methods such as phishing or malware delivery to steal credentials or install unauthorised software on the victim's network.
VEC attacks are incredibly hard to detect as they pass through traditional security measures, due to their ability to masquerade as legitimate interactions between suppliers and employees. This is because the emails appear to come from a trusted entity outside of your organisation and have the same tone and format as normal messages sent by suppliers.
As human experts are unable to review each message manually in order to identify whether or not it is malicious, organisations and individuals need to rely on advanced technology in order to protect themselves against such threats. Without this technology, it is almost impossible for them to be able to discern which emails are genuine, and which ones could potentially put their systems at risk.
Organisations should take steps to protect themselves from Vendor Email Compromise tactics
These steps include:
- Monitoring vendor accounts for any suspicious activity and implementing multi-factor authentication wherever possible
- Ensuring that vendors are using secure methods of communication and have up-to-date security software installed on all devices connected to their networks
- Keeping regular backups of all system data in case a successful attack occurs
- Layering your secure email gateway and antivirus solutions with threat intelligence and behavioural analysis to pick up anomalies between you and your suppliers
That’s what can be done on your end to minimise your organisation’s risk of falling victim to a Vendor Email Compromise attack. However, to fully bolster your defences against these kinds of cyberthreats, AI & Machine Learning is currently the most effective solution.
How to Protect Against Vendor Email Compromise (VEC) Using AI & Machine Learning
AI and Machine Learning technologies offer sophisticated behavioural analytics that can be used to identify individual actors, establish complex relationships between them, and provide detailed insights into the content of conversations.
This helps detect malicious financial transactions, attempts to obtain sensitive information through phishing attacks, or any suspicious requests for large sums of money. By monitoring interactions between vendors and customers in real-time, these systems enable organisations to quickly detect supply chain fraud and stop cybercriminals before they can do any harm.
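As an added illustration (not InfoTrust's product code, and a simple rule-based per-vendor baseline rather than a machine-learning model), the sketch below shows the kind of behavioural check described above: each vendor email is compared against what has previously been observed for that vendor. The message fields, vendor domain, account identifiers and sample emails are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class VendorBaseline:
    """What has been observed for one vendor in past, verified invoices."""
    reply_domains: set
    bank_accounts: set
    amounts: list

# Wording that announces changed payment details (illustrative, not exhaustive).
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed)\s+(bank|account|payment)\b", re.I)

def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def score_email(msg: dict, base: VendorBaseline) -> list:
    """Return the reasons a vendor email deviates from the vendor's baseline."""
    flags = []
    # The From address is genuine in VEC, so look at where replies would go.
    if domain(msg.get("reply_to") or msg["from"]) not in base.reply_domains:
        flags.append("reply-to domain not seen for this vendor")
    account = msg.get("bank_account")
    if account and account not in base.bank_accounts:
        flags.append("bank account not on record")
    if PAYMENT_CHANGE.search(msg["body"]):
        flags.append("announces changed payment details")
    amount = msg.get("amount")
    if amount is not None and len(base.amounts) >= 3:
        mu, sigma = mean(base.amounts), pstdev(base.amounts)
        if sigma and (amount - mu) / sigma > 3:
            flags.append("amount far above usual invoices")
    return flags

# Constructed sample data (hypothetical vendor, accounts and messages).
BASE = VendorBaseline({"acme-supplies.example"}, {"ACCT-0001"}, [4200, 3900, 4500, 4100])
NORMAL = {"from": "billing@acme-supplies.example", "bank_account": "ACCT-0001",
          "amount": 4300, "body": "Invoice 1042 attached, payable to the usual account."}
SUSPICIOUS = {"from": "billing@acme-supplies.example",
              "reply_to": "billing@acme-supplies-accounts.example",
              "bank_account": "ACCT-9999", "amount": 48000,
              "body": "Please note our new bank details for this invoice."}

if __name__ == "__main__":
    for name, msg in (("normal", NORMAL), ("suspicious", SUSPICIOUS)):
        print(name, score_email(msg, BASE))
```

Both sample messages come from the vendor's real address, so sender authentication alone would treat them identically; only the comparison against the baseline separates them.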
In addition, our comprehensive InfoTrust Security Awareness Services are highly effective in creating a culture of security throughout your organisation. From awareness training and incident response to penetration testing and more, InfoTrust serves as an end-to-end cybersecurity solution.
Speak to our cybersecurity experts today
InfoTrust can provide peace of mind that your organisation’s data is protected against VEC attacks and other malicious cybersecurity threats. For more information, get in touch.