Unmasking Vendor Fraud: Detecting Suspicious Activity in Email Communications
Published 06/04/2024
Originally published by Abnormal Security.
Written by Jake Shulman.
Not all email attacks involve the use of malicious links, malware, or attachments. Increasingly, attackers rely on social engineering tactics to exploit unsuspecting employees. One of the highest value and most pernicious forms of social engineering is vendor fraud.
A typical vendor fraud attack begins with a threat actor sending out counterfeit invoices and redirecting payments to themselves. This is achieved by either impersonating or compromising trusted vendors. Despite being one of the rarest forms of attack, the potential damage it can wreak is significant.
Detecting vendor fraud is a complex task that requires a multifaceted approach. At a high level, you begin by asking the following questions to determine if an email is likely to be fraudulent:
- Is the email related to any financial topic?
- Is there anything suspicious about the sender or the message itself?
- Are there any suspicious signals with respect to the recipient and sender pairing?
- How does this message compare to previous messages from the vendor?
In this article, we’ll discuss how to analyze every message and establish a baseline of normal behavior to detect anomalies and stop vendor fraud.
Identifying Intent
The initial step in detecting vendor fraud is to identify the intent of the message. Is it an attempt to get an invoice paid? Or is it a ploy to extract sensitive financial information? To distinguish the underlying intent, employ a comprehensive approach that includes phrase matching, simple text classifiers, and intent modeling with LLM embeddings.
Phrase matching and text classifiers help establish known patterns of fraudulent requests as well as apply lightweight categorization of messages. LLM embeddings, on the other hand, allow you to have deeper contextual understanding of the message, giving you the ability to categorize never-before-seen text.
This approach equips you with the necessary tools to identify the type of attack you're dealing with. It could be an invoice scam in which the bad actor is attempting to procure payment for an invoice that doesn't correspond to any actual goods or services provided. Or it might be a billing account update scam in which the perpetrator attempts to divert payments to their own account. It could also be wire fraud or any one of the various other forms of financial fraud.
For each of these categories, a different set of signals is required to detect the attack.
Uncovering Suspicious Message Signals
The next step is looking for suspicious signals in the message itself, which can come in a number of forms.
In vendor fraud attacks, threat actors often make requests that, if fulfilled, will have a significant financial impact—for example, updating billing details or submitting invoices with large dollar amounts. Additionally, these messages typically carry a sense of urgency that is not usually present in standard communications. To capture these subtleties, employ a variety of text modeling techniques—similar to the intent modeling process.
First, analyze the sender by studying their email sending patterns and the nature of the emails they deploy. For new senders, stay particularly vigilant about signs of impersonation, such as lookalike domains. Lookalike domains are domains that closely mimic legitimate ones, often by using slight variations in spelling or design. The intent is to deceive recipients into thinking they're interacting with a trusted entity.
Analyzing Sender and Recipient Patterns
After examining the content of the message and scrutinizing the sender, shift your attention to a more comprehensive analysis of behavioral patterns. Take into account various data points, including:
- How often have the sender and recipient communicated?
- How often does the recipient receive invoices or other payment-related emails?
- When they do receive invoices, are they sent from many smaller vendors utilizing free hosting domains like Gmail? Or are they from more established vendors?
By investigating these elements, establish a baseline of normal behavior for each sender and recipient. This enables you to understand how unusual a given message is within the broader context of the recipient and sender’s past communication patterns.
Looking for Anomalies
Finally, in the case of vendor compromise, you have to detect when an email sent from a trusted vendor’s address was actually sent by an attacker who has compromised the vendor’s account. To determine when this is the case, scrutinize normal sending behavior patterns from vendors and closely monitor for any deviations.
Monitor a number of signals that are expected to remain constant between two emails from the same sender. These could be something as simple as the time of day an email is sent to more intricate text-based indicators that form a unique digital fingerprint for each sender. When the fingerprints change and coincide with a suspicious request or other red flag, such as an invoice or billing update, it signals a potential threat.
Having gathered these message, sender, and recipient signals, you are now equipped to form the backbone of your vendor fraud detection strategies.
Related Articles:
CSA Community Spotlight: Nerding Out About Security with CISO Alexander Getsin
Published: 11/21/2024
A Vulnerability Management Crisis: The Issues with CVE
Published: 11/21/2024
The Lost Art of Visibility, in the World of Clouds
Published: 11/20/2024
Top Threat #5 - Third Party Tango: Dancing Around Insecure Resources
Published: 11/18/2024