Evolved Email Scam Threatens Companies’ Vendors

Attention all credit professionals! By now, the majority of you are at least familiar with the business email compromise (BEC) scam used by fraudsters to gain access to company information—usually finances—in the guise of an email from a fellow employee, e.g., manager, CEO, etc. However, scammers are no longer just after companies; they after companies' customers too.

A recent report from security firm Agari revealed scammers are using BEC to get finance departments' aging reports that detail overdue customer invoices. The scam continues when they then use the aging reports to contact companies' customers and pretend to be a representative from the company who is calling to collect. Scammers often ask customers to pay via ACH or wire to a new account.

Known as VEC, or vendor email compromise, security firms have seen scammers wreak havoc, with businesses losing as much as $300 million per month due to BEC, according to the U.S. Treasury Department.

"Payment invoice scams accounted for nearly half of those fraudulent transactions in 2018, to the tune of more than $1.5 billion in business losses," Agari reported. "That number is likely to be even higher when cybercriminals gain access to legitimate email accounts and use them to run their scams."

The security firm noted VEC attacks appear as a "legitimate correspondence from the compromised vendor," therefore, they pose a larger threat than BEC.

—Andrew Michaels, editorial associate