Vendor Risk Management: Lessons from a Business Email Compromise

27 November 2025

Australian organisations reported losses to scammers from business email compromise of more than $152.6 million last year, an annual increase of 66%.[1] This risk is accelerating as cybercriminals target vendor relationships at scale. For directors, the greatest vulnerability may lie not within your own systems but in the unseen weaknesses of your vendor network. With nearly 70% of organisations failing to conduct due diligence on key suppliers[2], the market is exposed to unprecedented levels of cyber-enabled fraud. Are you confident your supplier data is truly secure?

A recent investigation into a business email compromise revealed how a threat actor exploited weaknesses in vendor management processes to orchestrate a significant financial fraud. The incident underscores the evolving nature of cyber-enabled fraud and the critical role business leaders play in overseeing vendor risk.

A case study of cyber-enabled fraud

In this case, the fraudster approached the vendor data team while impersonating the accounts contact of a major supplier. The deception unfolded in stages. First, the attacker requested updates to the supplier’s contact details, including the contact email address. Once the fraudulent contact was on record, every later exchange went to the attacker rather than the supplier, and the attacker asked for copies of recent invoices, building credibility and context. Finally, the attacker submitted a request to update the supplier’s bank account details. When the next invoice was paid, the funds were transferred directly to the fraudster’s account.

This methodical approach bypassed traditional verification processes. The vendor data team validated the change against publicly available contact information and website details, unaware that these sources had also been compromised; verification that relies on details the requester can influence is not independent verification. The absence of multi-factor authentication (MFA) and secure change management protocols created an environment in which the fraud could succeed.

The organisation’s response was swift. Internal teams launched an investigation, notified stakeholders, and worked with financial institutions to trace the funds. The Board was also engaged early, recognising the broader implications for governance and vendor oversight.

This incident highlights a critical shift. Vendor risk is no longer confined to financial or operational exposure; it now includes cyber-security and fraud resilience. Directors must ensure that their organisation is responsive to the rapidly changing cyber and financial crime landscape and that vendor management frameworks are equipped to detect and prevent sophisticated fraud attempts.

Key recommendations for Boards include:

  • Ensure Board members are appropriately informed about the risks posed by the changing technological environment and emerging cyber threats in areas such as vendor risk management. This may include supplementing the skills on the Board, or appointing advisors to the Board.

  • Ensure management maintains an adaptable vendor risk plan, regularly assesses data security gaps, and provides the Board with ongoing updates on remediation efforts.

  • Review the enterprise cyber risk management plan to ensure it is embedded across the enterprise and that its protocols go beyond surface-level checks.

  • Request regular reporting on fraud risk and evaluate the organisation’s exposure across third-party relationships. Periodic updates should include insights from fraud risk assessments and data analytics that highlight suspicious patterns and inform control enhancements. Internal auditors or external advisors can evaluate the effectiveness of vendor risk controls and ensure reporting includes benchmarking against industry best practice and regulatory guidance.

  • Discuss with management (if not already contemplated) the inclusion of key aspects of fraud risk and cyber risk management plans, such as:
    Secure change management practices: Ensure management’s vendor management frameworks are robust. For example, updates to vendor details, especially banking information, should be subject to independent verification through a channel that was established before the request arrived, not one supplied in the request itself. Are change management systems resilient to manipulation and aligned with fraud risk controls?

    Encourage reliance on trusted communication channels: Recognise that publicly available information, such as company websites and email addresses, can be spoofed or compromised. Pre-approved, secure channels recorded at onboarding should be the standard for confirming any change.

    Embed fraud awareness and capability across vendor governance: Personnel responsible for maintaining vendor records require targeted fraud risk training, should operate within a robust internal control environment and be equipped to identify and escalate suspicious requests. Boards should assess whether they have directors with cyber and fraud risk expertise and consider appointing external advisors or investing in training as needed.
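
The two controls above, independent verification through a pre-approved channel and a change workflow that resists the staged pattern in the case study, can be expressed as checks rather than policy statements. The following is an added example written for this page, not the affected organisation’s system or any product; the supplier name, domains, phone numbers, account strings and the 30-day cooling-off window are constructed assumptions. It replays the three stages of the case study against the checks, then shows a defence-in-depth variant in which the contact change had already slipped through.

```python
# Vendor-master change control modelled on the staged pattern in the case study: a
# contact-detail change, then a bank-detail change, each "verified" against details the
# requester supplied. Added example, not the organisation's own system; the supplier,
# domains, phone numbers and the 30-day window are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

COOLING_OFF = timedelta(days=30)      # assumed policy window after a contact change
PAYMENT_FIELDS = {"bank_account"}     # changes that redirect money
CONTACT_FIELDS = {"contact_email"}    # changes that redirect future correspondence

@dataclass
class VendorRecord:
    name: str
    onboarding_domain: str   # captured at onboarding; not editable through this workflow
    verified_phone: str      # callback number captured at onboarding; likewise fixed
    contact_email: str
    bank_account: str
    history: List[Tuple[datetime, str, str, str]] = field(default_factory=list)

@dataclass
class ChangeRequest:
    field: str
    new_value: str
    sender: str                            # From: address of the request email
    when: datetime
    callback_number: Optional[str] = None  # number the analyst actually phoned

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def assess(record: VendorRecord, req: ChangeRequest) -> List[str]:
    """Return the reasons a request must be escalated; empty means it may be applied."""
    reasons: List[str] = []
    if req.field not in PAYMENT_FIELDS | CONTACT_FIELDS:
        return reasons                     # low-risk fields are out of scope here
    # 1. Judge the sender against the domain recorded at onboarding, never against the
    #    contact address currently on the record: that may already be the attacker's.
    sender_domain = domain_of(req.sender)
    if sender_domain != record.onboarding_domain:
        reasons.append(f"sender domain {sender_domain} is not {record.onboarding_domain}")
    # 2. Confirm by callback to the number captured at onboarding. A number quoted in the
    #    request, a signature block or the supplier's website does not count: the case
    #    study shows those sources can be attacker-controlled.
    if req.callback_number is None:
        reasons.append("no callback performed")
    elif req.callback_number != record.verified_phone:
        reasons.append("callback made to a number other than the pre-approved one")
    # 3. The staged sequence itself is a signal: a payment change shortly after a contact
    #    change is escalated even when checks 1 and 2 pass. A genuine supplier can wait.
    if req.field in PAYMENT_FIELDS:
        recent = [h for h in record.history
                  if h[1] in CONTACT_FIELDS and timedelta(0) <= req.when - h[0] < COOLING_OFF]
        if recent:
            reasons.append(f"bank change within {COOLING_OFF.days} days of a contact "
                           f"change on {recent[-1][0].date()}")
    return reasons

def apply_change(record: VendorRecord, req: ChangeRequest) -> List[str]:
    """Apply the change only when assess() is clean; return the reasons either way."""
    reasons = assess(record, req)
    if not reasons:
        record.history.append((req.when, req.field, getattr(record, req.field), req.new_value))
        setattr(record, req.field, req.new_value)
    return reasons

def new_vendor() -> VendorRecord:
    """Constructed record standing in for the case study's 'major supplier'."""
    return VendorRecord("Acme Supplies Pty Ltd", "acme-supplies.example", "+61 2 9000 0000",
                        "accounts@acme-supplies.example", "BSB 000-000 ACC 11111111")

def replay_case_study() -> dict:
    """Run the case-study sequence, and a defence-in-depth variant, through the controls."""
    day0, lookalike, results = datetime(2025, 3, 3), "accounts@acme-supplles.example", {}
    # Stage 1: a lookalike address asks to change the contact email; the analyst phones the
    # number in the signature block, just as the team in the incident trusted public details.
    acme = new_vendor()
    results["stage1"] = apply_change(acme, ChangeRequest(
        "contact_email", lookalike, lookalike, day0, "+61 2 9000 9999"))
    # Stage 2 (copies of invoices) changes no record field. Stage 3: the bank change.
    results["stage3"] = apply_change(acme, ChangeRequest(
        "bank_account", "BSB 999-999 ACC 99999999", lookalike,
        day0 + timedelta(days=10), "+61 2 9000 9999"))
    results["bank_unchanged"] = acme.bank_account == new_vendor().bank_account
    # Variant: the contact change slipped through anyway. A bank change from the genuine
    # domain with a correct callback is still held inside the window and released after it.
    acme2 = new_vendor()
    acme2.history.append((day0, "contact_email", acme2.contact_email, "ap@acme-supplies.example"))
    for label, days in (("early_bank_change", 12), ("late_bank_change", 45)):
        results[label] = apply_change(acme2, ChangeRequest(
            "bank_account", "BSB 999-999 ACC 99999999", "ap@acme-supplies.example",
            day0 + timedelta(days=days), "+61 2 9000 0000"))
    return results

if __name__ == "__main__":
    for stage, outcome in replay_case_study().items():
        print(stage, "->", outcome if outcome else "approved")
```

Both the onboarding domain and the callback number are deliberately outside the fields this workflow can change, so a successful contact-email change does not give the attacker control of the channel used to verify the next request. The third check exists because the first two can still be defeated (a compromised genuine mailbox passes the domain test, and a careless callback passes the second); holding any bank change that follows a contact change for a cooling-off period turns the attacker’s own sequence into the detection signal.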

Directors have a vital role in setting expectations for vendor risk management. While operational teams manage the day-to-day, governance frameworks must evolve to address the increasing sophistication of cyber-enabled fraud. By embedding robust controls and fostering a culture of vigilance, directors can reduce exposure and strengthen organisational resilience.
[1] Australian Federal Police, “Criminals target construction sector with Business Email Compromise scams”.

[2] McGrathNicol, Risk and Security Report 2025 (risk-and-security-report-2025_web.pdf).