Original Release Date: 8/4/2023
Image Source: Abnormal Security
Vendor email compromise (VEC) is a targeted and in-depth type of business email compromise (BEC) in which cybercriminals impersonate a third-party vendor in order to steal funds from that vendor's customers. Recently, Abnormal Security analysts detected a campaign in which a threat actor compromised various vendor email accounts belonging to individuals in accounting and operations roles and subsequently sent emails attempting to redirect outstanding and future invoices to a new bank account. These emails used similar messaging and contained a PDF attachment that outlined the fraudulent new payment policy, provided the updated bank account details, and in some instances, included fake invoices.
The NJCCIC continues to receive similar reports of impersonation scams in which threat actors pretend to be trusted vendors. In the campaign observed by Abnormal Security, the emails were sent from genuinely compromised vendor accounts rather than lookalike domains; therefore, the sender's email address and domain appeared normal to the recipients and passed the scrutiny that would catch a spoofed sender. Analysts determined that the targeted customer organizations were primarily critical infrastructure organizations, including those in the healthcare, logistics, and manufacturing industries.
The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are strongly advised to refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders, and to exercise caution with communications from known senders, since a compromised vendor mailbox passes every sender check. If you are unsure of the legitimacy of a message, contact the sender via a separate, previously established means of communication, such as a telephone number already on file (not one supplied in the message), before taking any action. If correspondence contains changes to payment details or is otherwise suspicious, contact the vendor directly before providing sensitive information or funds. These scams should be reported immediately to the affected vendor, and to the FTC, the FBI's IC3, and the NJCCIC to limit proliferation. Additional recommendations can be found in the NJCCIC informational report, Don't Be Fooled: Ways to Prevent BEC Victimization.
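The following is an added example, not code from the NJCCIC advisory or from Abnormal Security, of how an accounts-payable team could triage the kind of message described above: it flags emails that pair payment-redirect language with a PDF attachment, treats any callback number inside the message as untrusted, and resolves the out-of-band verification contact from a vendor registry kept on file. The keyword patterns, the registry contents, the vendor domains and the sample messages are all constructed for illustration.

```python
"""Heuristic triage for vendor payment-redirect (VEC) emails.

Added example. Flags messages that ask to move outstanding or future
invoices to a new bank account, and resolves the out-of-band verification
contact from a vendor registry kept on file, never from the message itself.
"""
import re
from dataclasses import dataclass, field

# Phrases typical of the campaign described in the advisory. Hypothetical
# starting list; tune it against your own mail corpus.
PAYMENT_CHANGE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\bnew\s+bank(?:ing)?\s+(?:account|details|information)\b",
        r"\bupdated?\s+(?:bank|payment|remittance|wire)\s+(?:account|details|information|instructions)\b",
        r"\b(?:outstanding|future|pending)\s+invoices?\b",
        r"\bpayment\s+policy\b",
        r"\b(?:routing|account)\s+number\b",
    )
]

# Matches "call/reach/contact ... <phone number>" inside the message body.
CALLBACK_RE = re.compile(r"\b(?:call|reach|contact)\b[^.\n]{0,60}?\+?\d[\d\-\s()]{7,}\d", re.I)

# Vendor registry as the AP system would hold it, keyed by sender domain.
# Constructed sample data; the domain and number are placeholders.
VENDOR_REGISTRY = {
    "acme-supply.example": {"ap_contact_phone": "+1-555-0100", "bank_last4": "4321"},
}


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class Triage:
    suspicious: bool
    reasons: list
    verify_via: str  # phone number from the registry, or "" if the vendor is unknown


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage_email(msg: Email) -> Triage:
    """Return whether the message needs out-of-band verification and via which contact."""
    text = f"{msg.subject}\n{msg.body}"
    reasons = []
    hits = [p.pattern for p in PAYMENT_CHANGE_PATTERNS if p.search(text)]
    if hits:
        reasons.append(f"payment-change language ({len(hits)} pattern(s))")
    if hits and any(a.lower().endswith(".pdf") for a in msg.attachments):
        reasons.append("PDF attachment accompanying payment-change request")
    # Contact details inside the message are untrusted: whoever controls the
    # mailbox controls them too. Note their presence, never dial them.
    if CALLBACK_RE.search(text):
        reasons.append("in-message callback number (ignored; verify via registry)")
    entry = VENDOR_REGISTRY.get(sender_domain(msg.sender))
    if hits and entry is None:
        reasons.append("sender domain not in vendor registry")
    return Triage(
        suspicious=bool(hits),
        reasons=reasons,
        verify_via=entry["ap_contact_phone"] if entry else "",
    )


# Constructed sample messages modelled on the campaign described above.
SAMPLES = {
    "redirect": Email(  # compromised real vendor mailbox, passes domain checks
        sender="ap.clerk@acme-supply.example",
        subject="Updated payment policy - action required",
        body=("Please note our updated bank details for all outstanding and future "
              "invoices. See the attached policy. For questions call us at +1-555-0199."),
        attachments=["New_Payment_Policy.pdf"],
    ),
    "lookalike": Email(  # same request from a domain not on file
        sender="ap.clerk@acme-supp1y.example",
        subject="New bank account for remittances",
        body="Kindly send all pending invoices to our new bank account, details attached.",
        attachments=["Bank_Letter.pdf"],
    ),
    "benign": Email(
        sender="ap.clerk@acme-supply.example",
        subject="Invoice 1042 attached",
        body="Please find invoice 1042 attached. Thank you for your business.",
        attachments=["Invoice_1042.pdf"],
    ),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        t = triage_email(msg)
        print(f"{name:9} suspicious={t.suspicious} verify_via={t.verify_via!r} reasons={t.reasons}")
```

The point of the registry lookup is the one the advisory makes: because the sending account is genuinely the vendor's, sender-domain and SPF/DKIM-style checks will pass, so the only reliable control is a callback to a number the organization already held before the email arrived. The lookalike case shows that the same triage also catches the simpler spoofed-domain variant, where no registry entry exists at all.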