What Is Vendor Email Compromise (VEC)?

August 6, 2023

A new cyber threat that impacts individuals and organizations has developed, with financial transactions completed on digital platforms or by email. Business Email Compromise (BEC)– also known as email account compromise (EAC)— is one of the most financially damaging online crimes. Many people rely on email to conduct business transactions, which BEC exploits.

In a BEC scam, an email will look as if it came from a known and trusted source and makes a request from the receiver. Below are some common BEC scenarios:

A supplier that your company frequently interacts with sends an invoice containing a revised postal address.
The CEO of a company instructs an associate to purchase numerous gift cards to give as rewards to employees. She requests the serial numbers so she can send them out immediately.
A prospective homeowner receives a communication from his title company providing guidelines on transferring his down payment electronically.

While BEC is common, many overlook a specific type of email compromise known as Vendor Email Compromise (VEC). VEC schemes have increased over the past several years as cybercriminals gain entry into vendors’ email accounts and change payment instructions to divert payment to themselves. Hackers focus on hijacking vendor email “threads” so they can gather context over communications that the vendor sends and receives. VEC happens when vendors use poor passwords, and the hacker utilizes an actual password dictionary to crack the weak password. Once gaining access to the vendor’s email, the hacker collects details such as invoice structure, personal writing tone, and customer emails so they can write emails that sound legitimate. Since they used the vendor’s password, this can go undetected.

Once the hacker diverts funds to themselves, it is often too late to retrieve fraudulently diverted funds when the legitimate vendor notices a payment was not received and notifies the sender/customer.

The best way for accounts payable personnel and clients to prevent VEC is to be aware of the red flags associated with this type of fraud. Below are some things to do to avoid VEC:

Be vigilant whenever payment information changes, such as account numbers or bank routing information.
Ensure there is a robust validation process, such as calling the vendor using the phone number on file to verify any changes.
Wait before sending funds until payment verification is determined to ensure the vendor is legitimate.

Individuals should never respond directly to the email containing the requested payment changes, as the fraudster could be communicating by “spoofed email.”

The first defense against protecting yourself from VEC schemes is awareness; knowing about current scams will help you see the red flags and identify fraudsters. Commercial clients can eliminate VEC risk by using online business banking electronic funds transfers to protect their account details using their login and password.

If you or your company become a victim of VEC, please contact your Private Banker immediately since time is of the essence when attempting to recover funds from a VEC scam.