Vendor Email Attacks Surged by 137% in Financial Sector in 2023

The global financial services industry has witnessed a 137% increase in Vendor Email Compromise (VEC) attacks over the last year, according to new data by Abnormal Security.

The majority of these threats were related to socially engineered email attacks, with the sector receiving an average of 200 advanced attacks per 1000 mailboxes each week.

Notably, peak attack periods occurred in late January, late September and mid-December last year.

VEC involves threat actors impersonating business providers, like suppliers or vendors, to manipulate financial transfers. These attacks, often hard to detect due to their apparent legitimacy, can result in substantial financial losses for organizations. 

In a new report published today, Abnormal Security reported instances of VEC attacks targeting millions of dollars, with one case involving a staggering $36m.

A detailed example contained in the document also illustrated the intricacy of a $1.4m VEC attack against an Australian financial holding company. The threat actor, leveraging legitimate communication patterns and invoices, successfully changed banking details in a seemingly harmless email. 

The financial services industry also witnessed a 71% increase in Business Email Compromise (BEC) attacks in 2023. These attacks involved cybercriminals impersonating executives or employees to orchestrate payroll or banking-related fraud. 

Despite lacking malicious links or attachments, BEC attacks easily bypass traditional security tools through social engineering tactics. Abnormal noted that the median open rate for text-based BEC attacks reached nearly 28% last year, highlighting the efficacy of these approaches.

Read more on BEC attacks: BEC Volumes and Ransomware Costs Double in a Year

According to the firm, the sophistication of such attacks, combining authenticity and subtle changes to evade detection, poses a significant challenge to both legacy email security systems and human vigilance.

“If these trends continue, organizations in the financial services industry should prepare for the increasing frequency of email-based attacks targeting human fallibility,” the company wrote.

“While VEC, BEC, and scams can often circumvent traditional security solutions, organizations are meeting the challenges presented by sophisticated email attacks head-on by adopting sophisticated cloud email security.”