Phishing, BEC and the Supply Chain: Why Your BEC Attack Surface is Bigger Than You Think

Feb 17, 2020

Editor’s Note: This blog post was originally found on the Agari Email Security blog

By Michael Cichon

Thanks to the rapid rise of email account takeovers, organizations worldwide are being forced to accept a painful new reality in the battle against phishing and business email compromise (BEC) scams. It’s no longer enough to focus on your own attack surface. You need to protect against compromised accounts throughout the supply chain.

Commonly referred to as vendor email compromise (VEC), this form of email attack involves cybercriminals leveraging stolen login credentials to infiltrate email accounts often belonging to finance or accounts receivable workers at a supplier.

As documented in our threat report on the email fraud group Silent Starling, cybercriminals are able to use these compromised email accounts to surveil communications and then send fraudulent email messages requesting payment for actual goods and services purchased.

While classic BEC scams cost businesses an average of $50,000 per incident, losses from supply chain takeover-based attacks average $125,000, according to FinCEN. And over the last 18 months, a growing number of companies have fallen victim.

Social Engineering Meets the Supply Chain

As NPR reports, VEC may have played a role in the $37 million a Toyota subsidiary lost to email fraud this past summer. According to the US Securities and Exchange Commission, at least nine large, publicly-traded companies were recently swindled out of $100 million in BEC scams. In at least two instances, attacks are known to have involved supply chain account takeover.

A need for stronger accounting controls aside, it’s easy to see how organizations can be fleeced through these attacks. When a supplier’s email accounts are compromised, fraudsters are able to monitor email communications and gather valuable intel. Their malicious emails emulate the look and feel of actual correspondence from the compromised supplier, including key details from recent email conversations.

By creating a false sense of legitimacy, requests for payment on an invoice or changes to payment details go unquestioned, and why wouldn’t they — the requests are well-timed and woven into the mesh of day-to-day operations with relevant details and information only a supplier would typically know. Yet as bad as the mounting financial losses may be, things can get even worse.

Supplier Account Takeover: Not for Money Only

While it’s true that most VEC campaigns are focused on bilking millions from targets, these aren’t the only assets cyber thieves can pursue from pirated accounts.

Exfiltration of competitive intelligence and strategies, intellectual property, sensitive employee information, and valuable customer data is a very real threat. Since email is typically used for password recovery, fraudsters can gain access to any number of connected systems and services.

In addition to direct financial losses, the average costs associated with data breaches now top $8.2 million per incident for US-based companies, according to Ponemon Institute. And that’s before any regulatory fines or lawsuits. Whatever the attack mix, your company’s competitive positioning and brand reputation could be toast.

Cybercriminals may also use your systems as a distribution platform for spyware, ransomware, Remote Access Trojans (RATs) and more. In fact, this may be where social engineering-based email attacks may prove more dangerous than previously realized.

Protecting The Business Email Ecosystem

Of course, email security awareness training can help, but with a best-case 2% failure rate, relying on a human firewall to defend against these attacks may prove problematic. Especially since the average business has 4,700 third-party partners with some access to its corporate data.

When multiplied across businesses throughout the supply chain, this issue grows exponentially more dangerous. Just as organizations can derive competitive advantage from business partners as materials, services and information flow across an optimized supply chain, so too can they inherit business risk and security vulnerabilities.

To address the concerns of risk exposure, organizations have looked to security audits and surveys, but there’s growing concern about the legitimacy of answers suppliers are providing as they have a strong profit motive to minimize concerns.

An alternative would be for organizations to mandate industry-standard technologies that can help supply chain partners protect themselves and one another in ways that have built-in accountability. Let’s look at just two possible examples.

DMARC Deployment Across the Supply Chain

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an open standard email authentication protocol (RFC 7489) that lets a domain owner tell receivers how to handle mail that fails SPF and DKIM alignment for that domain. Between partners, it helps ensure that correspondence claiming to come from one another's domains is actually authorized by those domains.

Mandating supply chain-wide DMARC implementation could provide two important benefits. First, a policy at enforcement (p=quarantine or p=reject, applied to 100% of failing mail and to subdomains) closes off exact-domain spoofing of a partner's sending domains, a significant attack vector for VEC scams; a record left at p=none only generates reports and blocks nothing, and lookalike domains registered by the attacker are outside DMARC's reach entirely. Second, it could establish specific measures of accountability through contract provisions that stipulate financial liability for gross negligence on the part of a partner failing to properly implement DMARC across their email sending domains.
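"Properly implement" is checkable. The following is an added example, not Agari's code or anything from the original post: it parses the TXT record a partner would publish at _dmarc.<domain> and reports whether the policy actually blocks spoofed mail rather than merely observing it. The supplier domains and records are constructed samples, so nothing is looked up in DNS; swapping the dict for the output of a real TXT query is the only change needed to run it against your vendor list.

```python
"""Assess whether supplier domains have DMARC at enforcement.

Added example, not Agari's code. It parses the TXT record a partner would
publish at _dmarc.<domain> and reports whether the policy actually blocks
spoofed mail. The records below are constructed samples; no DNS is queried.
"""
from dataclasses import dataclass, field

# Constructed: what a TXT lookup of _dmarc.<domain> might return (None = no record).
SAMPLE_RECORDS = {
    "supplier-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@supplier-a.example; pct=100",
    "supplier-b.example": "v=DMARC1; p=none; rua=mailto:reports@supplier-b.example",
    "supplier-c.example": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "supplier-d.example": None,
    "supplier-e.example": "v=spf1 include:_spf.supplier-e.example -all",
}


@dataclass
class DmarcAssessment:
    domain: str
    present: bool
    enforcing: bool = False
    tags: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record) -> DmarcAssessment:
    """Decide whether a record blocks spoofed mail, listing the gaps if it does not."""
    result = DmarcAssessment(domain=domain, present=record is not None)
    if record is None:
        result.findings.append("no _dmarc TXT record: the domain can be spoofed exactly")
        return result
    tags = parse_dmarc(record)
    result.tags = tags
    if tags.get("v") != "DMARC1":
        result.findings.append("record does not begin with v=DMARC1; receivers ignore it")
        return result
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        result.findings.append(f"invalid or missing p= tag ({policy!r})")
        return result
    pct_raw = tags.get("pct", "100")  # RFC 7489 default is 100
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if policy == "none":
        result.findings.append("p=none: monitoring only, failing mail is still delivered")
    if pct < 100:
        result.findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if sub_policy == "none" and policy != "none":
        result.findings.append("sp=none: subdomains remain spoofable")
    if "rua" not in tags:
        result.findings.append("no rua= address: no aggregate reports, so no visibility")
    result.enforcing = policy != "none" and pct == 100 and sub_policy != "none"
    return result


def assess_all(records=SAMPLE_RECORDS) -> dict:
    """Assess every domain in the vendor list."""
    return {domain: assess_dmarc(domain, record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, assessment in assess_all().items():
        status = "ENFORCING" if assessment.enforcing else "NOT ENFORCING"
        print(f"{domain:22} {status}")
        for finding in assessment.findings:
            print(f"    - {finding}")
```

Only supplier-a passes; the others illustrate the common ways a partner can truthfully answer "yes, we have DMARC" on a questionnaire while still being spoofable: a monitoring-only policy, a partial rollout percentage, subdomains left open, or no record at all.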

Identity-based Defenses to Fight ATOs

But, for all its strength in email authentication, DMARC alone is only part of a layered email defense. It protects against unauthorized mail claiming to come from the corporate domain; mail sent from a genuinely compromised account on that domain passes SPF, DKIM and DMARC, so phishing and BEC attacks coming into or across the organization deserve separate attention.

In the case of email account takeover, the email message comes from a legitimate email account. Since legacy controls inspect incoming email messages, but typically not employee-to-employee email, ATO-based attacks can and do tend to spread laterally. These attacks from supply chain partners amplify the problem.

Because email is typically a primary communication vehicle between supply chain partners, attacks coming from compromised email accounts at business partners extend the threat of lateral attacks from within an enterprise to across the extended enterprise.
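Because a message from a compromised supplier mailbox is authentic as far as SPF, DKIM and DMARC are concerned, controls that look only at authentication results will pass it. What remains is the content and the routing headers. The following is an added example, not Agari's detection logic or anything from the original post: it parses two constructed RFC 5322 messages from the same supplier mailbox and flags the one that combines a Reply-To steering replies away from the supplier's domain with language requesting a change to payment details. The supplier list, the keyword patterns and both messages are assumptions.

```python
"""Flag payment-redirect requests that arrive from a trusted supplier mailbox.

Added example, not Agari's detection logic. Mail from a compromised account
passes SPF, DKIM and DMARC, so this looks at content and headers instead:
a Reply-To pointing away from the supplier's domain, and wording that asks
for a change to bank or remittance details. Supplier list, patterns and both
messages are constructed assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

SUPPLIER_DOMAINS = {"supplier-a.example"}  # assumed: vendors whose mail is normally trusted

# Assumed phrasing that accompanies a payment-detail change request.
PAYMENT_CHANGE_PATTERNS = [
    r"\b(new|updated?|change[ds]?)\b.{0,40}\b(bank|account|routing|iban|swift|wire|remittance)\b",
    r"\b(bank|account|routing|iban|swift|wire|remittance)\b.{0,40}\b(new|updated?|change[ds]?)\b",
]

# Constructed: a routine invoice from the supplier.
LEGIT_MSG = """From: AP Team <ap@supplier-a.example>
To: payables@buyer.example
Subject: Invoice 4471 for PO 8812
Content-Type: text/plain; charset=utf-8

Hello, invoice 4471 for PO 8812 is attached. Terms are net 30 as agreed.
Thanks, AP Team
"""

# Constructed: the same mailbox after takeover, with replies steered elsewhere.
REDIRECT_MSG = """From: AP Team <ap@supplier-a.example>
Reply-To: AP Team <ap.supplier-a@mail-relay.example>
To: payables@buyer.example
Subject: Re: Invoice 4471 for PO 8812 - remittance update
Content-Type: text/plain; charset=utf-8

Hello, please note our bank account details have changed. Kindly send payment
for invoice 4471 to the new account below and confirm once done.
Thanks, AP Team
"""


def analyze(raw: str) -> dict:
    """Return the findings for one message and a verdict the AP team can act on."""
    msg = message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_addr.rpartition("@")[2]
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()

    result = {
        "from": from_addr,
        "supplier": from_domain in SUPPLIER_DOMAINS,
        "findings": [],
        "verdict": "not_in_scope",
    }
    if not result["supplier"]:
        return result
    # A Reply-To on another domain is how the attacker keeps the conversation
    # going after the real owner regains the mailbox or notices the thread.
    if reply_domain and reply_domain != from_domain:
        result["findings"].append(
            f"Reply-To domain {reply_domain} differs from supplier domain {from_domain}"
        )
    if any(re.search(pattern, text, re.S) for pattern in PAYMENT_CHANGE_PATTERNS):
        result["findings"].append("requests a change to payment or bank details")
    # The message authenticates as the supplier, so the only safe response to a
    # flagged one is confirmation through a phone number already on file.
    result["verdict"] = "verify_out_of_band" if result["findings"] else "ok"
    return result


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("redirect", REDIRECT_MSG)):
        verdict = analyze(raw)
        print(f"{label:9} {verdict['verdict']:20} {verdict['findings']}")
```

Neither signal is proof on its own (suppliers do change banks, and some send from a shared mailbox with a different Reply-To), which is why the verdict is a call-back to a number already on file rather than a block: the accounting control the post mentions earlier is the backstop that authentication cannot provide here.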

In an age when the competitive strength of any business derives in part from its supply chain, it’s accepted that focusing internally on people, process, and technology is simply not good enough. Security awareness training and vendor surveys take a step in the right direction. But many organizations may find that enhancing email security across the supply chain is not just important, but a top business imperative that can improve business productivity and avoid costly disruptions to the business plan.

To learn more about mitigating the threat posed by supply chain account takeover-based email attacks, read our exclusive threat dossier on the VEC cybercrime group we call Silent Starling.

Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.