It is all too common for organizational narratives to go something like this: A contractor for a construction firm requests an electronic payment for work performed, a departure from the usual process of sending paper checks at steady intervals. The request is then referred to the construction firm’s bank, which requires a notarized form to be completed in exchange for release of the payment. The form is supplied, and more than $700,000 is deposited into the contractor’s bank account.
Unfortunately, the contractor was actually a threat actor who successfully accessed the legitimate account through a phishing campaign, embedded themselves into email conversations, created an impressive forgery complete with a realistically represented notarized document, and vanished into thin air with three-quarters of a million dollars.
This very real story, reported in Engineering News-Record, is a prime example not only of the alarming trend in wire transfer and banking fraud catalyzed by phishing campaigns, but of an equally immense problem regarding third-party vendors. In this particular case, a host of third parties contracted by the construction firm—who is ultimately on the hook for the stolen money—are facing a lawsuit alleging “fraud and breach of contract [having]…failed to ‘exercise due care’ in maintaining and securing its email systems to prevent its use in harming third parties” [1].
A third-party vendor is an external entity contracted by an organization to provide specific services or products. The vendor’s responsibilities include delivering agreed upon services, maintaining quality standards, and adhering to contractual obligations, including confidentiality and data privacy. Third-party vendors play a crucial role in the organization’s operational efficiency.
As organizations become more specialized in what they deliver, it becomes increasingly important for them to work with outside vendors for complementary products or services, like software, payroll, or sub-contracting work. With the onboarding of each additional business partner, the potential vulnerabilities open to the contracting company increase.
Third parties are great partners and resources, necessary to develop and enhance business opportunities. In most cases, these relationships are mutually beneficial; however, there are associated risks. According to data published by the U.S. Securities and Exchange Commission (SEC) from a Security Scorecard study, 98% of companies are associated with a third party that has experienced a breach [2].
One reason for these risks is the lack of control over data and data flow. Third parties, in a sense, control certain components of partner data and overall accessibility. In other words, you cannot secure what you do not control. If the vendor fails to update their software, succumbs to a security issue, or is breached themselves, the repercussions trickle down to the contracting organization. This is seen time [3] and time [4] and time [5] again.
Another risk is that data sharing is inherently perilous. The more data that is shared—sent back and forth because it is housed in disparate locations—the greater the potential for misuse, abuse, or malicious theft. Data mishandling is one core component of human error [6], to which the overwhelming majority of data breaches are attributable. As more humans and entities are added to the data stream, the level of risk naturally increases.
Given these risks and the significance they carry for the global supply chain, neither of which can be entirely erased, there are some mitigation strategies organizations can employ to manage risks associated with third parties. In no particular order:
A recent report [7] published by global business consulting firm Protiviti further highlights both the perception and gravity of the challenges facing organizations regarding third-party vendors. In their “Executive Perspectives on Top Risks for 2024 and a Decade Later”, third-party risks are the 4th greatest concern this year and are projected to be 6th for 2034. Cyber threats, which are inextricably linked, rank 3rd this year and first for 2034.
While an immense amount of work can be done to mitigate these challenges—several of which were previously noted—there is no indication such risks are expected to lessen in severity or frequency.
If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
[7] Protiviti. Executive Perspectives on Top Risks for 2024 and a Decade Later. 2024, https://www.protiviti.com/sites/default/files/2024-03/nc-state-protiviti-survey-top-risks_2024-2034.pdf.
©2025 SpearTip, LLC. All rights reserved.