Vendor impersonation overtakes CEO fraud in email attacks – Abnormal Security reports

Abnormal Security, the cloud-native email security platform, have announced the release of new research that showcases a rising trend in financial supply chain compromise as threat actors impersonate vendors more than ever before.

In January 2022, the number of business email compromise (BEC) attacks impersonating external third parties surpassed those impersonating internal employees for the first time and has continued to exceed traditional internal impersonations in each month since. In May 2022, external, third-party impersonation made up 52% of all BEC attacks seen by Abnormal, while internal impersonation fell to 48% of all attacks. Just one year prior, internal impersonation accounted for 60% of all attacks—marking a 30% year over year increase in third-party impersonation.

Financial supply chain compromise is a subset of business email compromise in which cybercriminals take advantage of known or unknown third-party relationships to launch sophisticated attacks. The goal is to use the legitimacy of the vendor name to trick an unsuspecting employee into paying a fraudulent invoice, changing billing account details, or providing insight into other customers to target. These tactics are increasingly dangerous, with one attack stopped by Abnormal requesting $2.1 million for a fake invoice.

Throughout the report, Abnormal dives into four known types of financial supply chain compromise—vendor email compromise, ageing report theft, third-party reconnaissance, and blind third-party impersonation—each with varying degrees of sophistication. Whereas a vendor email compromise attack requires the threat actor to understand business relationships and financial transaction schedules, a blind third-party attack simply leverages traditional social engineering tactics to request payments using pretexts like impending legal actions. While all four types of attacks have seen success, those that use legitimate compromised accounts are extremely difficult to detect and can be disastrous to the companies they target.

“While financial supply chain compromise is not new, the increase in using third-party impersonation tactics is worrisome,” states Crane Hassold, director of threat intelligence at Abnormal Security. “Our threat intelligence team has discovered increasingly sophisticated attacks that are nearly impossible for legacy systems or end users to detect, particularly because they come from real vendor accounts, hijack ongoing conversations, and reference legitimate transactions.”

According to the FBI, business email compromise has exposed organisations to $43 billion in losses over the past six years, and real losses continue to grow year over year, making up 35% of all losses to cybercrime in 2021 alone. This new trend is just one example of the increasing sophistication of these modern email threats, and how cybercriminals continue to evolve and optimise their strategies for success. As employees become more aware of traditional BEC attacks that rely on executive impersonation, threat actors have successfully started to impersonate other entities—often with larger degrees of success.

Said Hassold, “This shift to financial supply chain attacks is another important milestone in the evolution of threat actors from low-value, low-impact threats like spam to targeted high-value, high-impact attacks. And because they are successful, we expect that this external impersonation will continue to rise as a percentage of all attacks, ultimately dominating the BEC landscape for the foreseeable future.”

So why does this shift in attacker behaviour matter? For one, it means the ultimate victims of financial supply chain attacks are not in control of the initial compromise, which makes it more important than ever for companies to maintain a robust understanding of their supply chain. To solve this problem, Abnormal Security uses unique AI ​​to precisely baseline good behaviour across internal and external identities and communications. The proprietary VendorBase technology identifies all vendors in a customer’s ecosystem to understand individual risk level, using a federated database across all Abnormal customers. By recognising when a vendor may have a high risk of fraud, Abnormal knows when an email should be more heavily scrutinised for malicious activity, effectively preventing all forms of financial supply chain compromise.

To learn more about financial supply chain compromise and download the full report, please visit