The Hidden Cost of Trust: New Data Reveals Alarming Employee Engagement with Vendor Email Compromise

New research reveals that employees engage with 44% of read vendor email compromise attacks. See which industries and roles are most vulnerable to this threat.
June 3, 2025

Your workforce is your greatest asset, and your vendors are integral to the success of the enterprise. It's no surprise, then, that cybercriminals are targeting both, exploiting the trust in these partnerships to deceive, defraud, and divert funds.

Much like traditional business email compromise (BEC), vendor email compromise (VEC) involves the misuse of a familiar identity. In these attacks, however, the person being impersonated is an external third party rather than an internal employee. Posing as trusted partners, threat actors attempt to trick targets into paying fake invoices, initiating fraudulent wire transfers, or updating banking details to reroute funds into attacker-controlled accounts.

To understand just how effective these attacks have become, we conducted an extensive study of real-world employee behavior. Today, we're releasing research that exposes the startling extent to which employees engage with these deceptive attacks—and the results should serve as a wake-up call for every organization.

Behavioral Data from 1,400 Organizations

From March 2024 to March 2025, we monitored the email environments of more than 1,400 organizations of various sizes across multiple industries. These companies had implemented Abnormal in passive, read-only mode, which means the platform was integrated with the organization's mail client but not actively blocking attacks.

This allowed us to observe unfiltered employee behavior and analyze engagement with text-based advanced email attacks—e.g., business email compromise, vendor email compromise, reconnaissance, and extortion. Our findings were eye-opening and revealed that employees frequently struggle to differentiate between legitimate messages and attacks, especially when those emails appear to come from a known vendor.

VEC attacks consistently drove either the highest or second-highest rates of replies and forwards, irrespective of organization size, industry, or geographic location. Over the course of the observation period, attackers also attempted to steal more than $300 million through VEC, emphasizing the significant financial risk these threats pose.

VEC Risks Increase with Organization Size

Employees in the largest organizations—i.e., those with a workforce of 50,000 or more—had the highest rate of second-step engagement with vendor email compromise. After reading a VEC message, they took additional action 72.3% of the time.

[Chart: VEC second-step engagement rate by organization size]

Another way to think about these percentages is this: if employees at a company read 10 VEC attacks, at least two and up to seven of those messages will be replied to or forwarded.

The natural, and understandable, assumption here is to connect VEC volume with engagement rate. While the probability of receiving a VEC attack does typically increase with the number of mailboxes, the baseline attack rate does not drive these results.

To enable cross-organizational comparison, we standardized the data by using only attacks that were read, eliminating volume as a variable and allowing conclusions to be drawn based on user behavior rather than incident frequency. The true variables are instead the number of employees and the number of vendors. Every partner represents another entity that can be impersonated or an account that can be compromised, and every member of the workforce represents a potential target—a human that is far from infallible.

Interestingly, enterprises with more than 50,000 employees actually had the lowest read rate of any organization size band, showing that the threat doesn’t stem from volume alone, but from how employees behave after opening the email.
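The normalization described above, expressed as a small script. This is an added illustration, not the report's own data or tooling: the size bands, counts and rows are constructed, and the function names (`engagement_by_band`, `rank_bands`) are assumptions. It computes both the read rate and the second-step rate per band, refuses rows where an unread attack is marked as engaged, and shows why ranking bands by raw engagement volume gives a different answer from ranking by per-read engagement.

```python
from collections import defaultdict


def make_rows(band, received, read, engaged):
    """Constructed rows: one (band, was_read, did_engage) tuple per attack.

    `read` of the `received` attacks were opened, and `engaged` of those
    opened attacks were replied to or forwarded. Illustrative values only.
    """
    assert engaged <= read <= received, "engaged <= read <= received must hold"
    return [(band, i < read, i < engaged) for i in range(received)]


# Constructed sample. Note the largest band receives the fewest attacks and
# has the lowest read rate, yet the highest per-read engagement.
SAMPLE_ATTACKS = (
    make_rows("1-999", received=40, read=32, engaged=8)
    + make_rows("1,000-4,999", received=60, read=45, engaged=18)
    + make_rows("50,000+", received=10, read=4, engaged=3)
)


def engagement_by_band(attacks):
    """Per-band counts plus read_rate (read/received) and
    second_step_rate (engaged/read). The second-step denominator is reads
    only, so attack volume drops out of the comparison."""
    stats = defaultdict(lambda: {"received": 0, "read": 0, "engaged": 0})
    for band, was_read, did_engage in attacks:
        if did_engage and not was_read:
            # A reply or forward to an unopened message is a data error.
            raise ValueError(f"unread attack marked as engaged in band {band!r}")
        s = stats[band]
        s["received"] += 1
        s["read"] += int(was_read)
        s["engaged"] += int(did_engage)

    result = {}
    for band, s in stats.items():
        read_rate = s["read"] / s["received"]
        second_step = s["engaged"] / s["read"] if s["read"] else 0.0
        result[band] = {**s, "read_rate": read_rate, "second_step_rate": second_step}
    return result


def rank_bands(stats, metric):
    """Bands ordered from highest to lowest on the chosen metric."""
    return sorted(stats, key=lambda b: stats[b][metric], reverse=True)


if __name__ == "__main__":
    stats = engagement_by_band(SAMPLE_ATTACKS)
    for band in rank_bands(stats, "second_step_rate"):
        s = stats[band]
        print(f"{band:>12}  received={s['received']:3d}  read={s['read']:3d}  "
              f"engaged={s['engaged']:3d}  read_rate={s['read_rate']:.2f}  "
              f"second_step={s['second_step_rate']:.2f}")
    print("by raw engagement count:", rank_bands(stats, "engaged"))
    print("by per-read engagement: ", rank_bands(stats, "second_step_rate"))
```

Ranking by the raw `engaged` count puts the mid-sized band first simply because it received the most attacks; ranking by `second_step_rate` puts the 50,000+ band first, which is the comparison the report is making.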

Industry Trends in VEC Attacks

Industry type emerged as a critical factor in VEC susceptibility, with engagement rates varying dramatically based on operational characteristics.

[Chart: VEC second-step engagement rate by industry]

At 71.3%, the second-step engagement rate for the telecommunications industry is by far the highest of any vertical, dwarfing the 56% observed in energy/utilities providers, which ranked second.

Telecommunications organizations depend on complex networks of vendors, resellers, infrastructure providers, and technology partners to deliver services. They also have large, geographically distributed teams, including field technicians, regional offices, and 24/7 operations centers. This creates an environment where email serves as a critical coordination channel between internal teams and external partners.

In an industry where disruptions and delays can have wide-ranging impacts, employees may feel compelled to act quickly when a message appears related to service interruptions or contract issues. The pressure to maintain uptime—reinforced by SLAs and internal expectations regarding responsiveness—can result in employees bypassing verification processes in favor of speed.

Which Employees Engage with VEC the Most

Another notable trend was the clear correlation between an employee's organizational role and their likelihood of engaging with vendor email compromise attacks.

[Chart: VEC second-step engagement rate by job role]

Sales-focused roles are heavily represented among the job categories with the highest second-step engagement rates, holding three of the top four spots. These positions rely primarily on email correspondence, are typically among the most public-facing in an organization, and often involve interacting with various departments. Additionally, these roles are traditionally commission-based, meaning employees are financially incentivized to be helpful, respond to inquiries quickly, and resolve issues promptly.

Though not sales-oriented, Project Management’s second-place position is unsurprising. While “Project Manager” and similar titles can encompass a wide variety of responsibilities depending on industry and department, the fundamental goal remains the same: ensure projects are completed on time. Thus, if they receive an email seemingly related to a matter that could impact the progress of a project, they would be highly motivated to take steps to address the issue as quickly as possible.

From Reactive to Proactive: An AI-First Approach to VEC Defense

Every time an employee has to decide whether an email is legitimate, the risk of human error enters the equation. And if they're wrong, cybercriminals won't hesitate to capitalize and cause financial consequences that ripple across the enterprise.

Today's threat actors know how to "hack the human" and continually develop new strategies for manipulating employees. They exploit human trust, compromise legitimate vendors, and weaponize routine business workflows.

The challenge is that organizations have limited control over their vendors' security postures and can only take steps to ensure their vendors' vulnerabilities can't be used against them. While security awareness training helps reduce the likelihood of employees engaging with threat actors, it's not enough on its own. Humans can't be your last line of defense.

The only effective strategy is to remove the burden of detection from employees entirely. That requires an innovative security solution—one that leverages AI to analyze identity, context, and content and builds behavioral baselines for every employee and vendor in your cloud environment. By understanding an organization’s unique communication patterns, an AI-native email security platform can detect subtle behavioral anomalies that traditional tools miss, enabling it to flag suspicious communications and automatically remediate threats before they reach employee inboxes.
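A simplified version of the "baseline, then flag the anomaly" idea, added here as an illustration and not Abnormal's model or any product's code. It assumes a defender has already compiled, from months of benign correspondence, which sending domains, reply-to domains and display names each vendor normally uses (the `VENDOR_BASELINE` dict, constructed here), and it scores an inbound message on identity anomalies (lookalike sender domain, unexpected reply-to domain, unfamiliar display name) and on one context signal, a request to change payment details. The verdict routes the message to verification rather than deciding the fraud question outright.

```python
import re

# Constructed baseline: per known vendor domain, the reply-to domains and
# display names seen in benign mail. Real baselines are learned, not typed.
VENDOR_BASELINE = {
    "acme-supplies.example": {
        "reply_to_domains": {"acme-supplies.example"},
        "display_names": {"Dana Lee"},
    },
    "northwind-logistics.example": {
        "reply_to_domains": {"northwind-logistics.example",
                             "invoices.northwind-logistics.example"},
        "display_names": {"Accounts Payable"},
    },
}

# Context signal: wording that asks to change where money is sent.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|change[ds]?)\b.{0,40}?\b(bank|account|routing|iban|swift|wire)\b",
    re.IGNORECASE,
)


def levenshtein(a, b):
    """Edit distance, used to spot sender domains one or two edits from a vendor."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known_domains, max_distance=2):
    """Return the known vendor domain that `domain` closely resembles, if any."""
    for known in known_domains:
        if domain != known and levenshtein(domain, known) <= max_distance:
            return known
    return None


def assess(msg, baseline=VENDOR_BASELINE):
    """Return (verdict, findings). Verdicts: 'deliver', 'review', 'hold'."""
    findings = []
    vendor = baseline.get(msg["from_domain"])
    if vendor is None:
        known = lookalike_of(msg["from_domain"], baseline)
        if known:
            findings.append(f"lookalike-domain: {msg['from_domain']} resembles {known}")
    else:
        if msg["reply_to_domain"] not in vendor["reply_to_domains"]:
            findings.append(f"reply-to-mismatch: {msg['reply_to_domain']} never seen for {msg['from_domain']}")
        if msg["display_name"] not in vendor["display_names"]:
            findings.append(f"unfamiliar-display-name: {msg['display_name']!r}")
    if PAYMENT_CHANGE.search(msg["subject"] + " " + msg["body"]):
        findings.append("payment-change-request: message asks to alter payment details")

    # Vendors do legitimately change banks, so the content signal alone only
    # earns a review; any identity anomaly holds the message for verification.
    identity_anomalies = [f for f in findings if not f.startswith("payment-change")]
    if identity_anomalies:
        verdict = "hold"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return verdict, findings


# Constructed sample messages.
SAMPLE_MESSAGES = {
    "benign": {
        "from_domain": "northwind-logistics.example",
        "reply_to_domain": "invoices.northwind-logistics.example",
        "display_name": "Accounts Payable",
        "subject": "Invoice 4471",
        "body": "Invoice 4471 attached for last month's shipments.",
    },
    "lookalike": {
        "from_domain": "acme-supp1ies.example",  # digit 1 for letter l
        "reply_to_domain": "acme-supp1ies.example",
        "display_name": "Dana Lee",
        "subject": "Updated remittance information",
        "body": "Please update our bank account details before paying the open invoice.",
    },
    "redirected_reply": {
        "from_domain": "acme-supplies.example",
        "reply_to_domain": "acme-supplies-billing.example",
        "display_name": "Dana Lee",
        "subject": "Q2 invoice",
        "body": "Invoice attached, thanks.",
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        verdict, findings = assess(msg)
        print(f"{name:>17}: {verdict:8s} {findings}")
```

The point of the split between `hold` and `review` is that the identity signals are the ones a user is worst at checking by eye, while a genuine payment change still needs an out-of-band confirmation with the vendor either way.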

Precision matters—because detecting what doesn't belong starts with understanding what does.

For even more insights into vendor email compromise engagement rates, download our report, Read, Replied, Compromised: Data Reveals 44% Engagement Rate with VEC Attacks.
