2026 Attack Landscape Report: BEC Shifts From Internal Impersonation to Vendor Exploitation
Research from Abnormal reveals that most BEC attacks involve impersonation of external third parties, not internal identities.
Callie Baron, Elizabeth Swantek
June 3, 2026

Most organizations continue to treat business email compromise (BEC) as a predominantly insider impersonation problem: an attacker posing as an employee, executive, or internal department. Our recent analysis of nearly 800,000 email attacks suggests that framing applies to less than half of BEC.
The 2026 Attack Landscape Report reveals that approximately 61% of all BEC involves the impersonation of an external third party. The report also reveals a more precise pattern: threat actors do not choose their methods arbitrarily, nor do they invest more effort than necessary. Technique, pretext, and target selection all follow a consistent logic, one that tracks closely with what each fraud type requires to be credible. When a request requires little credibility, attackers default to impersonation. When it demands trust, they are more likely to compromise a real vendor account.
This article is the third post in our series on the report’s findings, following earlier installments on BEC and phishing. Here, we focus on vendor email compromise (VEC): how the four major pretext types—invoice inquiry, billing account update, request for quote (RFQ), and payment inquiry—operate, how attackers choose between impersonation and account compromise, and which industries and roles face the greatest exposure within each.
How Vendor Relationships Become Attack Vectors
Billing, procurement, sales, and vendor management depend on external communication. Every day, employees exchange emails with suppliers, contractors, agencies, service providers, and prospective customers about invoices, payment status, banking details, and money already expected to move.
VEC hides inside the routine mechanics of business, exploiting operational context and ordinary workflows to manipulate employees. A message about an invoice does not inherently seem suspicious to accounts payable. A request to update billing details will look unremarkable to a finance team. A quote request from an unfamiliar company is just another lead for the sales team.
The scale of modern supply chains compounds the problem. Most organizations work with dozens or hundreds of vendors, and no single employee can be fluent in every vendor's communication patterns, invoicing norms, or usual points of contact. Threat actors exploit that gap, using spoofed sender addresses, lookalike domains, and in some cases, genuinely compromised vendor accounts to make their messages indistinguishable from legitimate correspondence.
Among high-risk VEC campaigns with verified categorical labels, four attack pretexts account for the full distribution:
Invoice inquiry: 41.3%
Billing account update: 23.6%
Payment inquiry: 19.8%
Request for quote (RFQ): 15.3%
Across all four, the vast majority of attacks use impersonation—an attacker creating a lookalike email address or spoofing a known vendor—rather than compromising the vendor's actual account. Overall, 87.5% of high-risk VEC cases are impersonation-based, while just 8.95% involve a genuinely compromised vendor account.
But the top-line number obscures the more important insight: compromise rates aren’t uniform across pretexts. They vary depending on the amount of credibility the pretext requires to succeed.
Why Fake Invoices Rarely Require Real Account Access
Invoice inquiry is the most common VEC pretext, accounting for 41.3% of high-risk VEC campaigns. These attacks typically involve a fraudulent or manipulated invoice intended to trigger payment to an attacker-controlled account. This is the volume play of vendor email compromise.
Invoice attacks do not necessarily require a breached mailbox, a long reconnaissance cycle, or deep knowledge of the target’s internal processes. They are low-effort by design, requiring only a believable vendor identity, a plausible invoice, and a recipient accustomed to seeing payment requests in their inbox.
That explains the technique mix. Invoice inquiry is overwhelmingly impersonation-based: 98.1% of these attacks use impersonation, while only 0.95% involve a compromised vendor account. For attackers, the calculation is straightforward. If a lookalike domain and a professional-looking invoice are enough to get a payment request into review, there is little reason to spend time compromising a real account.
Targeting Spotlight: Media and Entertainment Industry
Invoice inquiry lands hardest in environments where vendor relationships are fluid and invoice volume is high. Media and entertainment is a clear example.
Of high-risk VEC campaigns targeting the media and entertainment industry, 64.7% use the invoice inquiry pretext—the highest among for-profit industries. At the same time, the overall account compromise rate for the industry is just 3.7%, well below the sample average of 9%. That combination is telling, and maps to how the industry operates.
Production companies, studios, publishers, and media agencies often operate through a constantly changing network of freelancers, contractors, production vendors, and creative partners whose relationships begin, end, and rotate constantly. In that environment, an invoice from an unfamiliar name or a newly registered domain may not feel out of place.
The attacker does not need to manufacture an elaborate relationship. The business model provides the cover.
Why Banking Changes Push Attackers Toward Account Compromise
Billing account update attacks are different. Instead of submitting a one-time invoice, the attacker asks the recipient to change the bank account or payment routing details associated with an existing vendor. That is a higher-friction request. It does not simply ask the recipient to pay a bill; it asks them to redirect the flow of future payments.
Most companies with even basic financial controls are trained to pause on banking changes. Threat actors know this, which is why billing account update attacks have the highest compromise rate of any VEC pretext: 73.2% use impersonation, while 26.5% involve a compromised vendor account.
That gap reflects the credibility burden of the request. A lookalike email address may be enough to submit a fake invoice. But when the message asks a company to alter where legitimate vendor payments are sent, impersonation may not survive scrutiny. A message from the vendor’s actual account—carrying the implicit legitimacy of a real business relationship—is much harder to dismiss.
Targeting Spotlight: Government Agencies
Government agencies have the highest rate of billing account update attacks of any industry, with 40.8% of VEC campaigns using this pretext—approximately 1.7 times the sample average of 23.6%. The account compromise rate within those billing update attacks is also elevated at 41.2%, compared to the 26.5% sample average for that pretext. (Note that the government VEC sample is relatively small, so these figures should be read as directionally suggestive rather than definitive; the pattern does, however, align with the procurement environment.)
Vendor payment changes in government contexts often require documentation, formal approval workflows, and audit trails. That procedural friction makes a generic impersonation attempt less likely to succeed. To overcome it, attackers appear more willing to invest in compromising an actual vendor account before requesting a change to banking details.
The broader VEC data for government agencies reinforces the direction of this pattern. The overall account compromise rate across all VEC attack types targeting government agencies is 20.2%, more than double the sample VEC average of 8.95%, suggesting the shift toward higher-effort techniques extends beyond billing updates alone.
How Request for Quote (RFQ) Fraud Turns Responsiveness Into Risk
Request for quote fraud operates on a different logic from invoice inquiry or billing account update attacks. Those pretexts exploit an existing vendor relationship; RFQ fraud creates one from scratch.
In these attacks, the threat actor poses as a prospective customer requesting pricing, proposals, or product information. It is a cold inbound inquiry that requires no prior context and no impersonation of a known party. The goal may be to establish a relationship that enables later financial fraud, extract pricing and financial details, or initiate a broader social engineering sequence.
RFQ attacks sit in the middle of the technique spectrum: 78.8% impersonation and 12.8% compromise. Initiating a new business relationship requires more credibility than sending a fake invoice, but less than redirecting an established payment stream.
Targeting Spotlight: Sales and Business Development Representatives
Sales and business development recipients see RFQ fraud at a rate of 40.5%—approximately 2.6x the sample average of 15.3%. That tracks with the role itself: responding to inbound quote requests is a core sales function.
Unlike most VEC pretexts, which succeed by mimicking an existing relationship, RFQ fraud exploits the fact that no prior relationship is needed. A cold inquiry from an unfamiliar company asking for pricing on a product or service isn't suspicious in Sales—it's a lead. The entire function is built around engaging with unknown external parties.
The deal-closing orientation of the role amplifies the exposure. Sales teams operate under pipeline pressure and are rewarded for responsiveness. An unanswered quote request is a missed opportunity, and that urgency reduces the scrutiny that might otherwise catch a fraudulent request. The attacker doesn't need to manufacture urgency the way they would with a fake invoice or billing update; the target's own incentive structure provides it.
Payment Inquiries Are the Broadest Probe in the VEC Playbook
Payment inquiry attacks account for 19.8% of high-risk VEC campaigns, making them the third most common pretext after invoice inquiry and billing account updates. These attacks involve direct requests for ad hoc payments that do not necessarily reference an existing invoice or vendor relationship.
Compared with the other VEC pretexts, payment inquiry attacks show less meaningful variation across industries, organization sizes, and job categories. That flatness is itself revealing.
Payment inquiries function like the reconnaissance layer of VEC. They are low-commitment probes designed to identify who will engage before the attacker invests in a more elaborate approach. The technique distribution supports that interpretation: 89% of payment inquiry attacks use impersonation, while only 1.7% involve compromise.
Threat actors taking this approach aren't looking for a specific type of organization or role; they're casting a broad net to find whoever will respond. The absence of a targeting signal reflects the absence of targeting intent.
Adaptive Attacks Demand Adaptive Defense
Defenses built primarily around executive impersonation address less than half of what BEC actually looks like. The report’s findings show that vendor relationships are now central to the BEC attack surface, and each VEC pretext exploits a different business workflow. That means organizations need controls that map to how these attacks actually happen:
For invoice inquiry, finance teams need stronger verification workflows for new vendors, unfamiliar domains, and unexpected payment requests.
For billing account updates, organizations need out-of-band confirmation and approval processes that cannot be satisfied by email alone.
For RFQ fraud, sales and business development teams need training that reflects their specific exposure to cold inbound requests.
For payment inquiries, security teams need to recognize broad engagement probes before they develop into more targeted fraud.
But process updates alone are not enough. VEC succeeds because it looks like ordinary operations. And when the request comes from a compromised vendor account, even infrastructure-based indicators may appear clean. That is why traditional security tools struggle. Signature-based detection, reputation lists, and static rules are poorly suited to attacks designed to blend into legitimate communication.
The behavioral context matters most: who normally communicates with whom, what they usually request, when payment details change, whether a vendor relationship already exists, and whether the message fits the historical pattern of interaction. Attackers are adapting their tactics to the workflow. Defenders have to do the same.
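One way to operationalize those behavioral signals, and the per-pretext controls listed above, as an added Python example that is not code from the report or from Abnormal: each message is checked against a vendor directory for lookalike domains, invoices from vendors with no relationship on file, unfamiliar contacts at a known vendor, reply-to mismatches, and banking-change requests, which always get an out-of-band confirmation flag because that is the pretext where compromised accounts concentrate. The vendor directory, addresses, and messages are constructed for illustration, and the similarity threshold is an assumption to tune against real vendor data.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data (an assumption, not from the report): known vendor domains and usual contacts.
KNOWN_VENDORS = {"acme-supplies.com": {"ap@acme-supplies.com"},
                 "northwind-print.com": {"billing@northwind-print.com"}}
BANK_CHANGE = re.compile(r"\b(new|updat\w*|chang\w*)\b.*\b(bank|account|routing|iban|wire)\b", re.I | re.S)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def lookalike_of(domain, known=KNOWN_VENDORS, threshold=0.85):
    # Closest known vendor domain if similar enough; None for a known domain or no close match
    if domain in known:
        return None
    best, score = None, 0.0
    for k in known:
        r = SequenceMatcher(None, domain, k).ratio()
        if r > score:
            best, score = k, r
    return best if score >= threshold else None

def assess(msg, vendors=KNOWN_VENDORS):
    """Behavioral findings for one message: relationship, contact, content."""
    sender, dom = msg["from"].lower(), domain_of(msg["from"])
    text = msg.get("subject", "") + "\n" + msg.get("body", "")
    findings = []
    look = lookalike_of(dom, vendors)
    if look:
        findings.append(f"lookalike of known vendor {look}")
    elif dom not in vendors and "invoice" in text.lower():
        findings.append("invoice from a vendor with no relationship on file")
    elif dom in vendors and sender not in vendors[dom]:
        findings.append("known vendor domain but unfamiliar contact")
    if BANK_CHANGE.search(text):
        # Compromised accounts concentrate on this pretext, so a genuine mailbox proves nothing: verify out of band
        findings.append("banking-change request: confirm out of band")
    if msg.get("reply_to") and domain_of(msg["reply_to"]) != dom:
        findings.append("reply-to domain differs from sender domain")
    return findings
# Constructed messages: lookalike invoice, banking change from a real vendor mailbox, routine mail.
SAMPLES = [
    {"from": "ap@acme-suppiles.com", "subject": "Invoice 4471 past due",
     "body": "Please remit payment for the attached invoice."},
    {"from": "billing@northwind-print.com", "subject": "Updated remittance details",
     "body": "We have changed banks. Please use the new account for all payments."},
    {"from": "ap@acme-supplies.com", "subject": "Re: PO 1180", "body": "Shipment is on Monday."},
]
def triage(msgs=SAMPLES):
    return [assess(m) for m in msgs]
```

In practice the vendor directory and contact history would come from the AP system and mail logs rather than a literal, and the findings feed a review queue instead of an automatic block.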
The threats your organization faces are shaped by how it operates. The 2026 Attack Landscape Report shows you exactly how.