
Weaponized Trust: Vendor Impersonation Becomes a Top Threat

Vendor email compromise (VEC) exploits trusted partners to defraud organizations. Learn how AI-powered email security detects supply chain threats other tools miss.


In today’s hyperconnected economy, most organizations rely on a complex network of external partners—from logistics providers to SaaS vendors—to keep operations running. But without modern safeguards, that same vendor ecosystem becomes a liability, offering cybercriminals new opportunities to breach.

Vendor Email Compromise (VEC) is rapidly emerging as one of the most financially damaging threats in email security. Unlike phishing or ransomware, these attacks don’t rely on malware or malicious links. Instead, they exploit something far more powerful: the implicit trust placed in vendors.

According to Abnormal’s VEC threat report, which surveyed over 1,400 organizations, 44% of employees engage with VEC attacks by replying to or forwarding messages from threat actors impersonating trusted vendors. In large enterprises employing over 50,000 people, the engagement rate jumps to 72%, compounding far-reaching consequences like stolen funds, exposed data, and broken trust.

VEC: A Dangerous Evolution of Business Email Compromise

VEC isn’t one attack type—it’s an evolving portfolio of social engineering techniques that take advantage of the trusted vendor ecosystem. Some of the most common forms include:

  • Invoice fraud, where attackers subtly alter the bank account number on a legitimate-looking invoice, sometimes lifted directly from a vendor’s real email history.

  • Billing update scams, often framed as internal audits or reconciliation requests, prompting AP teams to update payment credentials without raising red flags.

  • Payment fraud, including schemes like aging report phishing, RFQ scams, and fake order confirmations that are designed to confuse, distract, or elicit sensitive payment info.

The messages look legitimate because in many cases, they come from real vendor accounts that have been compromised. Even when they don’t, attackers use lookalike domains, AI-generated content, and hijacked email threads to blend in perfectly with routine workflows.

The Blind Spots Attackers Exploit

VEC works not because employees are careless—but because the attacks blend into business-as-usual. Vendor impersonation exploits trust, urgency, and routine.

Abnormal’s research shows the risk is systemic. Telecommunications, energy, and hospitality organizations had engagement rates above 70%, driven by complex vendor networks and high-pressure environments where speed often overrides scrutiny.

The threat intensifies across roles. Entry-level sales reps engaged with VEC 86% of the time, followed by project managers and account executives. These are roles built around responsiveness—when a vendor email references an invoice or order status, the instinct is to act, not question.

Geography adds yet another layer. In EMEA, employees were nearly twice as likely to engage with VEC as with BEC, suggesting a blind spot in verifying external identities, especially in regions reliant on cross-border vendor relationships.

Perhaps most telling: 7.3% of VEC engagements came from repeat victims, and just 1.46% of attacks were reported. Once trust is breached, employees become even less likely to raise alarms, turning a single instance of vulnerability into an ongoing risk.

Legacy Email Security Misses the Point

Traditional email security controls weren’t designed to detect what VEC delivers. These attacks originate from legitimate accounts or convincing lookalikes, contain no malicious payloads, and pass all authentication checks including SPF, DKIM, and DMARC, because those checks validate the sending domain rather than the intent of the person behind the account.

Because threat intelligence and rule-based systems rely on known indicators—like suspicious links, domain reputation, or attachment behavior—they consistently miss social engineering threats that exploit trusted relationships rather than technical vulnerabilities.

That leaves detection to employees, who are now expected to spot subtle anomalies in what appear to be routine billing or vendor communications. It’s an unrealistic ask. Security awareness training has immense value, but it’s not a failsafe. And in the case of vendor email compromise, it’s often too little, too late.

Modern Defense for a Modern Threat

Vendor-based attacks are unlikely to be stopped by inspecting content alone. VEC threats don’t carry payloads—they carry context. That’s why effective defense requires understanding the intent behind every message and the behavioral patterns that precede it. Abnormal does exactly that.

Unlike traditional tools that rely on static rules and known IOCs, Abnormal models the unique communication behavior of every vendor in your environment—down to message cadence, tone shifts, login patterns, and typical transaction flows. When something deviates, even subtly, Abnormal flags it in real time.

It can detect:

  • A vendor suddenly emailing from an unfamiliar IP or device.

  • A billing request with an atypical structure or urgency cue.

  • An invoice that looks right, but contains a slightly altered detail.
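A minimal sketch of a per-vendor baseline check covering the three signals listed above, added here as an example; it is not Abnormal's detection logic. The vendor record, the message fields and the edit-distance threshold are assumptions, and every sample value is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VendorRecord:
    """Verified vendor details kept by AP (hypothetical schema)."""
    domain: str
    iban: str              # stored without spaces, upper case
    known_ips: frozenset   # sending IPs seen in past legitimate mail

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def vendor_anomalies(msg: dict, vendor: VendorRecord) -> list:
    """Return the ways a message deviates from the verified vendor record."""
    findings = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.domain:
        close = edit_distance(sender_domain, vendor.domain) <= 2  # assumed threshold
        findings.append("lookalike_domain" if close else "unknown_domain")
    if msg.get("source_ip") not in vendor.known_ips:
        findings.append("unfamiliar_ip")
    iban = msg.get("invoice_iban")
    if iban and iban.replace(" ", "").upper() != vendor.iban:
        findings.append("bank_details_changed")
    return findings

# Constructed sample data (documentation IP ranges, placeholder IBANs).
VENDOR = VendorRecord("acme-logistics.example", "GB00TEST00000012345678",
                      frozenset({"192.0.2.10"}))
ROUTINE = {"from": "billing@acme-logistics.example", "source_ip": "192.0.2.10",
           "invoice_iban": "GB00 TEST 0000 0012 3456 78"}
# Real vendor mailbox, so SPF/DKIM/DMARC pass, but new IP and altered account.
COMPROMISED = {"from": "billing@acme-logistics.example", "source_ip": "203.0.113.7",
               "invoice_iban": "GB00TEST00000012345687"}
LOOKALIKE = {"from": "billing@acme-logistlcs.example", "source_ip": "203.0.113.7",
             "invoice_iban": "GB00TEST00000012345687"}

if __name__ == "__main__":
    for name, m in (("routine", ROUTINE), ("compromised", COMPROMISED),
                    ("lookalike", LOOKALIKE)):
        print(name, vendor_anomalies(m, VENDOR))
```

A `bank_details_changed` finding is the one to route to out-of-band verification with the vendor before any payment record is updated.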

This detection is enriched by a federated vendor intelligence database, giving you visibility into risks before they emerge in your environment, based on patterns seen across thousands of customers.

Because Abnormal integrates directly via API with Microsoft 365 and Google Workspace, it accesses deeper signals like inbox rule changes, authentication metadata, and behavioral relationships, enabling detection far beyond the reach of SEGs or training-based programs without interrupting the flow of business.

Read the full Vendor Email Compromise threat report for deeper data, real-world attack examples, and the behavioral trends behind vendor-based vulnerability.

Weaponized Trust: Vendor Impersonation Becomes a Top Threat

July 30, 2025