Midsize businesses occupy a precarious position in the cybersecurity landscape. They are large enough to process significant financial transactions and maintain extensive vendor relationships, yet they often lack the dedicated security teams and enterprise-grade defenses that protect larger organizations. Attackers have taken notice, and vendor email compromise (VEC) has emerged as a common and costly threat for this segment.

Unlike traditional phishing attempts that rely on obvious red flags, VEC attacks exploit the implicit trust built into existing business relationships. When a fraudulent invoice arrives from what appears to be a legitimate vendor account, the typical warning signs can be much harder to spot. The email address may be real. The communication style may match previous exchanges. The only thing different is where the money ends up.

This article draws from insights shared in a recent SecurityWeek webinar on why midsize organizations need a new approach to email security. Watch the webinar recording to hear detailed threat analysis and live attack demonstrations.

• VEC attacks leverage compromised vendor accounts to reduce the effectiveness of controls that focus on sender reputation alone.

• Midsize businesses often face disproportionate risk because they have meaningful payment authority but lean security and finance resources.

• Attackers commonly use legitimate platforms (for example, SharePoint) to make malicious links and files look routine.

• Behavioral AI can help surface anomalies that rule-based controls may miss by modeling "known good" communication patterns.

Vendor email compromise is a form of business email compromise (BEC) where attackers do not just impersonate a trusted party; they compromise or infiltrate a legitimate vendor account and use that access to execute fraud. This distinction matters because it changes what defenders can rely on.

In a standard BEC attack, an attacker might create a lookalike domain or spoof an executive's email address. These tactics often leave detectable fingerprints such as authentication failures, domain age discrepancies, or sender reputation anomalies. VEC can significantly reduce those signals by operating through authentic vendor infrastructure, which means the email can look "normal" to both humans and many legacy controls.

A common attack chain looks like this: attackers compromise a vendor's email account (often via credential phishing), study previous communication patterns and billing workflows, then time a payment-change request to blend into real invoice activity.

This is also why traditional email gateways (SEGs) may struggle with VEC. Gateways are strong at stopping known-bad infrastructure and commodity threats, but they are not always designed to reason about whether a legitimate sender's behavior matches the established relationship context.

Midsize organizations tend to sit in a "high value, lower friction" band that makes vendor fraud attractive.

Midsize organizations often offer the right combination of payout potential and process gaps.

Common characteristics attackers look for include:

• Meaningful Payment Volume: Enough invoices, wires, and vendor spend to make fraud attempts worthwhile.

• Many Vendor Relationships: A broader third-party footprint creates more opportunities for a compromised partner account to reach AP teams.

• Lean Approval Chains: Fewer layers of review can make it easier to slip in a convincing "new bank details" request.

• Limited Detection Coverage: Smaller security operations can mean fewer eyes on subtle relationship and behavior anomalies.

As Jeffrey Ciferno, Engineer at Abnormal, noted in the webinar: "A lot of the smaller and midsize companies often think that they might not be a prime target, but that is absolutely not the case."

Lean teams make it hard to apply consistent scrutiny to every vendor message.

In many midsize companies, a small security group supports the entire environment, while accounts payable and finance teams are pressured to keep business moving. That combination creates a predictable weakness: decisions default to individual judgment under time pressure.

VEC campaigns are built for that exact environment. Because the message originates from a real vendor account, security tooling and human reviewers may see fewer obvious red flags. Without a clear, enforced process for validating payment changes, a single convincing email can translate into real financial loss.

Most VEC campaigns follow a repeatable pattern: compromise, observe, and then exploit business trust.

VEC typically starts with an attacker gaining access to a legitimate vendor mailbox.

Attackers often do this through credential theft aimed at your suppliers, not you. That creates a blind spot: your organization generally cannot enforce your vendor's MFA policies, endpoint controls, or monitoring coverage. Once the vendor account is compromised, the attacker inherits the vendor's sending reputation and existing conversation history.

After access, attackers usually invest time in learning the relationship before attempting fraud.

They review prior threads, invoice formats, payment schedules, and the names of internal employees involved in approvals. That reconnaissance helps them craft payment-change requests or "updated remittance instructions" that align with existing workflows.

This is also where VEC becomes difficult to identify with generic phishing heuristics. The language can be consistent with past correspondence, the sender is legitimate, and the request may arrive in the middle of a real billing cycle.

When attackers execute, they often use delivery techniques that look routine on the surface.

One common approach is to hide content inside unusual attachment wrappers (for example, .eml files) in ways that may receive different handling by certain tooling. Another approach is to host content on legitimate platforms like SharePoint or Dropbox so that links appear consistent with normal business collaboration.

As Zafferno explains: "They're leveraging a third party organization's SharePoint tooling to bypass click time protection. Threat intelligence does not see SharePoint dot com as inherently malicious."

VEC detection starts with looking for context and process anomalies, not just classic phishing indicators.

Key warning signals include:

• Unusual Payment Requests: Any request to change bank account details, modify wire instructions, or route payments to new accounts should trigger verification procedures regardless of sender legitimacy.

• Subtle Communication Anomalies: Slight changes in tone, unusual urgency language, or requests that bypass normal approval processes can warrant scrutiny, even from known contacts.

• Behavioral Inconsistencies: Messages arriving at unexpected times, from atypical locations, or with unusual content patterns can indicate something is wrong even when sender authentication passes.

• Obfuscated Attachments: Files wrapped in unusual formats (such as .eml) specifically to evade scanning are a red flag.

• Platform Exploitation: Legitimate sharing services used unexpectedly, or links to hosted documents that do not match normal business workflows.

Reducing VEC risk requires combining process controls with detection that accounts for relationship context.

Process is your first line of defense against payment fraud initiated through email.

Implement out-of-band verification for any payment changes. Confirm through a phone call to a known number, and avoid using contact information provided in the email requesting the change. Document who can approve payment changes, what evidence is required, and how exceptions are handled.

You can also strengthen vendor onboarding by capturing expected communication patterns (for example, which domains, contacts, and typical request types are normal). The better you define "normal," the easier it is to spot abnormal behavior.

Behavioral analysis can help you detect VEC by focusing on what is unusual for a specific relationship.

Rather than asking only "is this sender known-bad?", behavioral AI evaluates whether a message matches established patterns across sender behavior, relationship history, and message intent.

That approach can help surface anomalies that rule-based tools may not prioritize, such as a vendor suddenly requesting a payment change outside their typical cadence, using atypical language, or sending from an unexpected environment.

Midsize teams benefit most from tooling that reduces operational drag.

Look for workflows that streamline investigation and response, such as automated triage, clear verdict explanations, and consistent handling of user-reported messages. The goal is to reduce manual back-and-forth while keeping humans in the loop for high-risk payment workflows.

Simpler email security architectures are often easier to operate and easier to audit.

Many organizations run overlapping controls (a third-party SEG plus native Microsoft or Google protections plus additional point tools). In practice, that can create gaps in ownership, unclear alerting paths, and inconsistent user experience.

A streamlined approach that pairs platform-native protections with behavioral detection can improve coverage against socially engineered threats while reducing the day-to-day burden of managing multiple consoles.

Most VEC failures are process and context failures, not purely technical ones.

Over-Relying on User Training: While security awareness training matters, asking employees to consistently spot sophisticated VEC attempts can put too much responsibility on non-security staff.

Trusting Sender Authentication Alone: DMARC policy, SPF authentication, and DKIM authentication help verify sender identity, but they do not tell you whether the sender's account is being operated by the legitimate user.

Reactive Rule Creation: Writing new rules for the last invoice scam you saw can leave you stuck in a cycle of catching yesterday's patterns.

Ignoring Behavioral Context: Controls that ignore relationship context can miss attacks designed to look like routine business.

The impact of VEC extends beyond a single fraudulent payment.

According to the FBI IC3, BEC losses totaled $2.77 billion across 21,442 reported incidents in 2024 alone. And those are just the cases that were reported. A successful VEC event can trigger costly investigation time, operational disruption, strained vendor relationships, and potential compliance implications, depending on what information was exposed or what downstream systems were touched.

For midsize organizations, the most practical way to reduce loss is to treat vendor payment changes as a high-risk business process. Pair strong verification procedures with email detection that can surface "looks legitimate, but behaves wrong" messages before they reach the wrong approver.

Vendor email compromise is a shift in attack methodology that exploits trusted relationships and real accounts.

For midsize businesses, the risk is not theoretical: vendor workflows move money quickly, and lean teams make it harder to apply consistent scrutiny to every message. Strong verification processes, combined with detection that understands relationship context, can meaningfully reduce exposure.

Abnormal's Behavioral AI is designed to help detect VEC by modeling known-good communication patterns and surfacing the subtle anomalies that rule-based controls often miss. It integrates alongside your existing email security stack to enhance coverage against socially engineered threats without adding operational complexity.