TLDR
Attacker compromises a vendor's mailbox (phishing, infostealer), monitors invoices in the Sent folder, then at the moment of next invoice replies to the live thread with 'we changed banks, please remit to new IBAN'. Looks 100% genuine —...
How it works
Attacker compromises a vendor's mailbox (phishing, infostealer), monitors invoices in the Sent folder, then at the moment of next invoice replies to the live thread with 'we changed banks, please remit to new IBAN'. Looks 100% genuine —...
Red flags
- Urgent pressure to click, pay, or share codes immediately.
- A link or sender that does not match the official organization.
- Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.
What to do
- DO: enforce a CHANGE OF IBAN callback policy: voice-verify on a number you held PRIOR to the change request.
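The pattern above (a reply inside a genuine invoice thread that names a new IBAN) is detectable in the accounts-payable inbox before anyone dials a number. The check below is an added example, not LegalAudit's or Material Security's code: it extracts checksum-valid IBANs from a vendor mail, compares them with the IBAN held on the vendor record, combines that with the thread-reply and bank-change signals, and marks the payment for the callback policy. The vendor record, sender address, sample mail and IBANs are all constructed for the example.

```python
import re

# Constructed vendor master data (assumption): the IBAN on file per vendor sender.
VENDORS_ON_FILE = {"billing@acme-supplies.example": "DE89370400440532013000"}

# Wording typical of a bank-change request; extend from real cases.
CHANGE_PHRASES = ("changed banks", "new bank", "new iban", "updated bank details",
                  "new account details")
# IBAN written compact or in the usual groups of four (e.g. "GB82 WEST 1234 ...").
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?(?![A-Z0-9])")


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four chars to the end, map A-Z to 10-35."""
    digits = "".join(str(int(ch, 36)) for ch in iban[4:] + iban[:4])
    return int(digits) % 97 == 1


def assess_invoice_email(headers: dict, body: str) -> dict:
    """Return the red flags found and whether to hold payment for a voice callback."""
    sender = headers.get("from", "").lower()
    on_file = VENDORS_ON_FILE.get(sender)
    found = [m.replace(" ", "") for m in IBAN_RE.findall(body.upper())]
    ibans = [i for i in found if iban_checksum_ok(i)]
    reasons = []
    # A reply inside an existing invoice thread is exactly where a hijacked mailbox hides.
    if headers.get("in-reply-to"):
        reasons.append("reply within existing thread")
    if any(p in body.lower() for p in CHANGE_PHRASES):
        reasons.append("bank-change wording in body")
    new_ibans = [i for i in ibans if i != on_file]
    if on_file and new_ibans:
        reasons.append("IBAN not on vendor record: " + ", ".join(new_ibans))
    # A genuine thread proves nothing; an unknown IBAN plus any other flag holds payment.
    hold = bool(on_file and new_ibans) and len(reasons) >= 2
    return {"sender": sender, "ibans": ibans, "reasons": reasons, "hold_payment": hold}


# Constructed sample: a reply in a live thread announcing a "new" IBAN.
SAMPLE_HEADERS = {"from": "billing@acme-supplies.example",
                  "in-reply-to": "<invoice-4471@acme-supplies.example>"}
SAMPLE_BODY = ("Hi, as discussed we changed banks. Please remit invoice 4471 to our "
               "new IBAN GB82 WEST 1234 5698 7654 32. Thanks!")
```

A hold is a trigger for the callback, not a verdict: the vendor record itself is only updated after voice verification on the previously held number.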
Source
Material-Security-VEC-Report
Source reviewed by Mythos Forensic Team
https://material.security/use-cases/stop-business-email-compromise-bec-and-vendor-email-compromise-vec
FAQ
Is Vendor Email Compromise — legit thread hijacked with IBAN change (VEC +66% H1 2024) a real scam pattern?
Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.
What are the first warning signs?
Urgent pressure to click, pay, or share codes immediately; a link or sender that does not match the official organization; requests for card data, passwords, OTPs, wallet signatures, or bank transfers.
What should I do first?
DO: enforce a CHANGE OF IBAN callback policy: voice-verify on a number you held PRIOR to the change request.
Can LegalAudit check my case?
Yes. Start a free chat and paste the message, link, sender, or payment details for triage.