Risks posed by supply chain phishing attacks

Posted by Joel Miller on Sunday, January 30, 2022

Reading time: 4 minutes

Listen to this article instead
waveform image for audio


Recently, a new wave of phishing emails had been identified hitting servers targeting business supply chain. While supply chain phishing is not a new concept, the technique employed with this new campaign seems to drift somewhat from the usual, increasing the risks to businesses unprepared for an attack such as this.

What are supply chain attacks?

From phishprotection.com 1:

As the name suggests, supply chain attacks are when attacks on one’s supply chain (involving third-party providers and partners) enable adversaries to infiltrate its system.

Targeting a business' supply chain not only threatens the business directly, but can create lingering impacts on the supporting industries that help make up its ecosystem.

Allowing an attacker to gain access to email accounts inside a business potentially allows for a significant amount of reconnaissance to take place about that business' habits. Understanding who is in contact with whom, and in what context, can allow a malicious third party to build a theoretical value from the snapshot of that business' email traffic. Should there be an overall low value determined, the attacker could simply decide to use the compromised account(s) to spread to other accounts in connection with them. However, should the value be determined to exceed whatever threshold, it could then be added into a more targeted spear phishing attack where more time and effort becomes expended by an attacker based on the calculated return potential.

From proofpoint.com 2:

While email fraud threats are low volume, highly targeted, they often represent large dollar losses … In fact, according to the FBI’s 2020 annual Internet Crime Report, Business Email Compromise (BEC) and Email Account Compromise (EAC) scams account for the largest financial loss in 2020, costing the victimized business nearly $1.9 billion.

A link to the FBI’s 2020 IC3 report can be found here.

From agari.com 3:

When a supplier’s email accounts are compromised, fraudsters are able to monitor email communications and gather valuable intel. Their malicious emails emulate the look and feel of actual correspondence from the compromised supplier, including key details from recent email conversations.

The period of time allowed for a spear phishing attack can be lengthy, if not infinite. Should the originating attacker exhaust themselves, they may decide to sell key intelligence data to another threat group perpetuating the business threat.

Picture of phishing

Even access to a low level employee’s email account could be all that’s necessary to provide enough intelligence data to an attacker, or provide means to pivot to additional accounts inside the organization; some of whom may be holding access to even more sensitive data.


According to a report by Verizon in 2021 which evaluated a total of 79,635 breaches, phishing was participant in 36% of the breaches surveyed, and expected to rise. Some phishing may incorporate spoofed links that connect a user to sites that resemble legitimate businesses allowing for credential harvesting to take place. Credential harvesting maintains a relatively high target of value for most threat actor groups as login data is some of the fastest and easiest data to extract from an organization through phishing.

Another key statistic from Verizon’s breach report is that “95% of business email compromise (BEC) losses were between $250.00 and $984,855, with $300,000 being the median” for those breaches that reported a loss. What this value does not necessarily evaluate is the damage to a business' image as a result of an attack that includes unauthorized access to sensitive data.

Data included in ESET’s 2021 threat report also states that email threats have seen a 7.3% increase, noting emails that include malicious document macros have been seen to decline while phishing and fraudulent emails are flourishing.

Security awareness training should be a key part of any organization at this point in time. If your goal is to limit and reduce the amount of incidents experienced, making sure the people who make up your company are well trained on how to spot phishing emails. I plan to go further in detail on this in the near future.

Special Note

Once a business email compromise takes place, the intelligence gathered about the content in emails received could provide sufficient data necessary to create spoofed websites that closely resemble the legitimate ones they access. This is why it is very important not to access links in emails when known trusted links exist in browser bookmarks as discussed previously.


Phishing that targets supply chain business can be a serious threat, and often indicates specific industries or companies being actively targeted by a threat group. No business or industry is immune to this type of attack, and is absolutely necessary to be considered in conversations surrounding what risks a business should be concerned about today. As with all risks, they must be carefully evaluated as to the extent they may impact the business. It’s clear though, that businesses will continue to face risk of business email compromise as a result of phishing attacks.


  1. https://www.phishprotection.com/blog/basics-of-phishing-what-is-supply-chain-attack-and-why-wary-business-owner/  ↩︎

  2. https://www.proofpoint.com/us/blog/email-and-cloud-threats/98-organizations-received-email-threats-suppliers-what-you-should-know  ↩︎

  3. https://www.agari.com/email-security-blog/phishing-bec-supply-chain/  ↩︎

comments powered by Disqus