New Trend in Business Email Compromise Emerges as Vendor Impersonation Overtakes CEO Fraud

Latest research from Abnormal Security showcases how threat actors increasingly use third parties to run their scams

SAN FRANCISCO--()--Abnormal Security, the leading AI-based cloud-native email security platform, announced today the release of new research that showcases a rising trend in financial supply chain compromise as threat actors impersonate vendors more than ever before. In January 2022, the number of business email compromise (BEC) attacks impersonating external third parties surpassed those impersonating internal employees for the first time and has continued to exceed traditional internal impersonations in each month since. In May 2022, external, third-party impersonation made up 52% of all BEC attacks seen by Abnormal, while internal impersonation fell to 48% of all attacks. Just one year prior, internal impersonation accounted for 60% of all attacks—marking a 30% year over year increase in third-party impersonation.

Financial supply chain compromise is a subset of business email compromise in which cybercriminals take advantage of known or unknown third-party relationships to launch sophisticated attacks. The goal is to use the legitimacy of the vendor name to trick an unsuspecting employee into paying a fraudulent invoice, changing billing account details, or providing insight into other customers to target. These tactics are increasingly dangerous, with one attack stopped by Abnormal requesting $2.1 million for a fake invoice.

Throughout the report, Abnormal dives into four known types of financial supply chain compromise—vendor email compromise, aging report theft, third-party reconnaissance, and blind third-party impersonation—each with varying degrees of sophistication. Whereas a vendor email compromise attack requires the threat actor to understand business relationships and financial transaction schedules, a blind third-party attack simply leverages traditional social engineering tactics to request payments using pretexts like impending legal actions. While all four types of attacks have seen success, those that use legitimate compromised accounts are extremely difficult to detect and can be disastrous to the companies they target.

“While financial supply chain compromise is not new, the increase in using third-party impersonation tactics is worrisome,” states Crane Hassold, director of threat intelligence at Abnormal Security. “Our threat intelligence team has discovered increasingly sophisticated attacks that are nearly impossible for legacy systems or end users to detect, particularly because they come from real vendor accounts, hijack ongoing conversations, and reference legitimate transactions.”

According to the FBI, business email compromise has exposed organizations to $43 billion in losses over the past six years, and real losses continue to grow year over year, making up 35% of all losses to cybercrime in 2021 alone. This new trend is just one example of the increasing sophistication of these modern email threats, and how cybercriminals continue to evolve and optimize their strategies for success. As employees become more aware of traditional BEC attacks that rely on executive impersonation, threat actors have successfully started to impersonate other entities—often with larger degrees of success.

Said Hassold, “This shift to financial supply chain attacks is another important milestone in the evolution of threat actors from low-value, low-impact threats like spam to targeted high-value, high-impact attacks. And because they are successful, we expect that this external impersonation will continue to rise as a percentage of all attacks, ultimately dominating the BEC landscape for the foreseeable future.”

So why does this shift in attacker behavior matter? For one, it means the ultimate victims of financial supply chain attacks are not in control of the initial compromise, which makes it more important than ever for companies to maintain a robust understanding of their supply chain. To solve this problem, Abnormal Security uses unique AI ​​to precisely baseline good behavior across internal and external identities and communications. The proprietary VendorBase technology identifies all vendors in a customer’s ecosystem to understand individual risk level, using a federated database across all Abnormal customers. By recognizing when a vendor may have a high risk of fraud, Abnormal knows when an email should be more heavily scrutinized for malicious activity, effectively preventing all forms of financial supply chain compromise.

To learn more about financial supply chain compromise and download the full report, please visit

For more information on Abnormal Security, please visit

About Abnormal Security

Abnormal Security provides a leading cloud-native email security platform that leverages AI-based behavioral data science to stop socially-engineered and never-seen-before email attacks that evade traditional secure email gateways (SEGs). Abnormal delivers a fundamentally different approach that precisely detects and protects against the widest range of attacks including business email compromise, phishing, malware, ransomware, social engineering, spam and graymail, supply chain compromise, and internal account compromise. The Abnormal platform delivers inbound email security, internal and external account takeover protection, and full SOC automation. Abnormal’s API-based approach enables customers to get started in minutes and can augment a SEG or be used standalone to enhance native cloud email security protection with Microsoft 365 and Google Workspace. Abnormal Security is based in San Francisco, CA. More information is available at


MikeWorldWide (MWW) for Abnormal Security
Diana Kozak

Release Summary

Abnormal Security releases new threat report showcasing a rising trend in financial supply chain compromise, a subset of business email compromise.

Social Media Profiles


MikeWorldWide (MWW) for Abnormal Security
Diana Kozak