Attackers have turned the supply chain and partner ecosystem into another threat vector. Proofpoint has observed attackers leveraging compromised supplier accounts and supplier impersonation to send malware, steal credentials and perpetrate invoicing fraud.
Proofpoint’s recent research indicates that 98% of nearly 3,000 monitored organizations across the U.S., UK, and Australia, received a threat from a supplier domain over a 7-day window in February 2021. And this is consistent across company size, industry, and country, suggesting that companies of all sizes and industries are exposed to supplier risk and that it’s a universal concern.
What Supplier Threats Look like
Most people think about supplier threats as invoicing fraud. However, our research indicates that attackers use suppliers and business partners to send all types of threats, including phishing for credentials (Account Takeover), malware, and impostor threats like business email compromise (BEC).
The research shows that threats from impersonated and compromised suppliers are more likely to lean on social engineering to prey on human nature, with 74% of threats being phishing or impostor. Less than 30% of threats sent from supplier domains were malware related. The result is further evidence that attackers are targeting people rather than the vulnerabilities of the infrastructure of an organization. As well, attackers are following suppliers to the cloud and are exploiting popular collaboration platforms such as Microsoft 365, Google G-Suite, and Dropbox to host or send threats at an alarming rate.
Not surprisingly, impostor threats, such as domain spoofing, display name spoofing, and lookalike domains, only account for 3% of total threats sent from supplier domains. Unlike those wide-spread commodity threats, this type of threat is highly targeted at very few people within an organization.
While email fraud threats are low volume, highly targeted, they often represent large dollar losses. Proofpoint has observed and stopped supplier invoicing fraud attacks in the millions of dollars. In fact, according to the FBI’s 2020 annual Internet Crime Report, Business Email Compromise (BEC) and Email Account Compromise (EAC) scams account for the largest financial loss in 2020, costing the victimized business nearly $1.9 billion.
While no organization is immune to threats from supplier domains, large organizations tend to be targeted more. Not only do F1000 customers receive mail from twice as many supplier domains as the average customer, and thus have greater exposure to threats from impersonated and compromised suppliers, but they are also targeted by a higher proportion of supplier domains. They received over 4 times more messages with threats from supplier domains than the average customer over the 7-day window.
Other Findings from Our Research
The percentages of organizations receiving threats from supplier domains in Financial Services, Manufacturing, Utilities/Communications/Transportation, Wholesale Trade, Construction were 98%, 99%, 98%, 99%, and 100% respectively. The trend is consistent not only across various industries, but also across different regions— 98% of US-based, 100% of Australia-based, and 99% of UK-based organizations have received threats from supplier domains.
There’s no silver bullet for supply chain threats. To better defend against threats from impersonated and compromised suppliers, organizations need a holistic, multi-layered solution. Proofpoint provides a comprehensive, integrated threat protection platform that stops threats sent from compromised or impersonated suppliers, trains end-users to spot and report suspicious email, automates incident investigation and response, and provides visibility into which suppliers pose risk.