01 Feb Mutations: BEC becomes VEC
Vendor Fraud Risk
Scientists have detected mutations of the Coronavirus in the U.K., South Africa, Nigeria and Brazil. These mutations can change how rapidly the disease spreads. So far, it does not appear to increase its virulence. For the finance personnel, there’s a parallel in the arena of financial fraud. In the realm of business email compromise, or BEC, a new variant has emerged from a criminal group in West Africa: vendor email compromise (VEC). In this case, the potential virulence is greater.
The VEC variant of BEC is insidious. It is sophisticated, its perpetrators are patient, and the payoff is worth it. How does it work?
As with BEC, email vulnerability provides the initial entry point. But this time, it starts with the email of one of your vendors. And VEC is different from the urgent requests for action common in “spoofing” attacks. Once perpetrators get access to your vendor’s email, they patiently and quietly begin gathering information. They take time to learn about the vendor and the vendor’s customers.
Unnoticed, they quietly study the vendor’s communication about invoices with you, learning invoice amounts and timing. How does the vendor usually follow up with you? What language does the vendor use in an email inquiry? The perpetrators know what your vendor’s emails and email-signature look like. They learn how and when the vendor asks for payment.
Eventually, they contact you in an email that looks exactly like your vendor’s. They request a change to the payment account. Then they request payment of invoices. They mimic the tone and the timing of the vendor. And if you are not alert, you send payment to the perpetrator’s account. By the time the real vendor contacts you about a late payment, the perpetrators have closed the fake account, and the money is gone.
What to do
Ensure your team is current with all cybersecurity basics, especially as applied to remote working. And enforce discipline for proper password creation, differentiation and management! Then educate and train staff specifically in cybersecurity threats, including all forms of phishing and spoofing. Include exercises and testing (have IT send out phishing emails). Train staff to examine vendor communications closely as a matter of course. Check the incoming email address and never hit “Reply” if it looks suspicious. Forward the email to a known work email address or call the vendor.
Update and repeat fraud-awareness training a few times a year.
Follow control procedures for processing vendor information change requests. These include calling the vendor directly to verify information change requests using the contact information you already have on file. If you cannot reach the vendor by phone, send a letter to the address on file to request a call. Follow multi-level verification of change requests. Do not use email to transmit sensitive information either directly in the email or via an attached document. Email is not secure.
Consider implementing a secure vendor portal for the transmission of sensitive vendor documents and communications.
To learn how InvoiceInfo and VendorInfo can help, contact us.