A new email fraud scheme has taken Business Email Compromise (BEC) to a whole new level of sophistication. The recently discovered type of email scam has been dubbed Vendor Email Compromise (VEC) and as its name suggests, the attackers prey on employees working at vendor companies.

A new cybercriminal group, identified as Silent Starling by researchers at Agari, ran these malicious email campaigns. The fraudsters hacked the email accounts of employees working in the target’s finance department and gathered as much information as they could from their inboxes. In the end, the scammers sent them perfectly timed payment requests accompanied by fake invoices.

Since late 2018, over 700 employee accounts from more than 500 companies in the United States and over a dozen other countries have been compromised. Consequently, more than 20,000 sensitive emails have been harvested.