[ CyberSecurity Awareness Series] The VEC Scam


Bob heaved a sigh of relief after he saw the mail. The payment had been processed and he had immediately received the payment confirmation from the vendor. It was the end of the month and he wanted no non-compliance on the part of his company towards payments of dues. In fact, Bob had looped in the finance department in the emails to ensure payment was processed immediately by the department post validation of invoice.

The next day, he receives a call from one of his vendors, IAMVendor, to settle down the dues for this month. Bob tells them that the payment had already been made and in fact, IAMVendor had also sent them the payment confirmation message. In order to avoid any confusion, Bob decides to send them the payment confirmation as well as the invoice sent by them. The next day, Bob receives emails from other vendors too, asking for details as to when the payments will be processed. Bob calls up his finance department and asks them to check with their bank as to why has the payment not been processed. Bob asks the finance department to coordinate with all the vendors to identify what went wrong.

Can you guess what would have gone wrong? If yes, how do you think this would have been pulled off?

Bob’s company and his vendors suffered a loss of around 100,000$ in this fraud which took place. The invoices seemed original and in fact, had been sent by the vendor's email servers, but the bank details were changed. How could have this scam been pulled off? Well, read on to find out.

Well, hackers sent a phishing email to the vendors of Bob’s company. Once all of these vendors as well Bob had clicked on such malicious links, it was easy for them to enter into their mailing servers. When you do your homework, you get rewarded and that’s exactly how these hackers pulled this off. They studied the mail communication between the parties over months and helped understand who in the organization wrote in what manner.

Over time, they waited for the right opportunity to strike. One of the vendors had dropped an email that there would be a change in the banking details. The hacker group replicated this email and sent it as FYI message on behalf of all the vendors to Bob’s company. Since they knew how to write such a message with respect to each vendor, this change went undetected. When the invoices were sent for the current month, they had just one minor change. The bank accounts were different. The payment was made and the payment was withdrawn, but, by a different party this time. This is known as Vendor Email Compromise (VEC) scam which has affected some of the companies globally.

Hackers today are patient in their approach. They don’t attack immediately just for a few dollars. They wait patiently for the right moment to cash out. Phishing is one of the most effective attacks today. What makes it even more effective is the element of error which is always high as humans come into the picture.  As more and more people hop on to the digital bandwagon, it becomes imperative for us to make them aware of cyber hygiene practices.

I would be publishing a blogpost on phishing email examples. Do check it out.

This awareness story is based on a real scam which has happened. You can read about it here.

This being the 100th post makes it a lot special. Thank you to all the readers across the globe. Your blessings have made this journey possible. Happy learning and #becyberaware and #becybersmart always.

Comments

You may also like to read...

How to Pass the CISSP Exam in First Attempt

The CISSP CAT Exam Experience

How to Pass SSCP Exam in the First Attempt