By NHI Mgmt Group Editorial Team. Published 2026-06-26. Domain: Events. Source: Abnormal AI

TL;DR: Up to 44% of vendor email compromise messages trigger a reply or forward, with engagement climbing higher in the largest enterprises, according to Abnormal AI, underscoring how routine-looking social engineering still bypasses human judgment and reporting discipline. The practical issue is not awareness alone but whether identity, process, and detection controls can interrupt action before trust turns into exposure.


At a glance

What this is: This on-demand webinar argues that BEC and VEC remain effective because routine-looking messages still trigger human action, with reported engagement as high as 44%.

Why it matters: It matters to IAM practitioners because human trust failures, vendor verification gaps, and weak contextual controls can create downstream access and fraud risk even when technical defenses are in place.

By the numbers:

👉 Watch Abnormal AI's on-demand webinar on BEC and VEC engagement risk


Context

Business email compromise and vendor email compromise succeed because they imitate legitimate business communications closely enough to trigger action before the recipient verifies the request. In identity terms, the failure is not authentication at the inbox boundary alone, but the combination of human trust, vendor dependency, and weak verification steps at the moment a request looks familiar.

For IAM and security teams, this is a human identity governance problem as much as a fraud problem. If users can be induced to reply, forward, approve, or route a request without a second control, attackers can turn ordinary communication paths into business process abuse, regardless of how strong the underlying sign-in controls are.


Key questions

Q: How should organisations reduce business email compromise risk without relying only on awareness training?

A: Use layered controls that verify requests outside the inbox, especially for payments, bank changes, and access-related actions. Combine behaviour-based detection, vendor verification, and approval workflows that require independent confirmation before a request becomes an authorised business step. Awareness helps, but process control is what limits damage.

Q: Why are vendor email compromise attacks so effective in large enterprises?

A: Large enterprises create more complex trust relationships, more frequent vendor contact, and more distributed approval paths. That gives attackers more chances to make a forged request look normal and to find someone who recognises the vendor name but not the exact pattern. Complexity increases the odds of a human shortcut.

Q: What breaks when email requests can trigger business action directly?

A: The control failure is that the inbox becomes an approval mechanism instead of a communications channel. Once replies, forwards, and exception handling can move money or data without independent verification, attackers only need a plausible request, not a technical breach. The safer model is to separate message receipt from authorisation.

Q: Who is accountable when a phishing or vendor impersonation email causes fraud?

A: Accountability is shared across security, finance, procurement, and process owners because the failure usually sits in the workflow design, not one isolated user decision. Frameworks such as NIST CSF are useful here because they push teams to map protective controls to business processes, not just endpoints.


Background and context

Why BEC and VEC bypass normal user judgment

Business email compromise and vendor email compromise work because they exploit routine decision-making, not technical compromise first. The message usually arrives through an ordinary channel, uses plausible language, and asks for a low-friction action such as replying, forwarding, or approving a payment-related change. The attacker does not need to break the inbox to succeed if the target treats the email as a normal business event. That makes these campaigns a governance problem across user awareness, vendor trust validation, and downstream approval workflows.

Practical implication: require a second verification step for payment, banking, and access-change requests before any human action is treated as authorised.

Why engagement remains high in vendor-heavy organisations

Vendor-heavy environments create more opportunities for legitimate-looking context to be reused in a scam. Shared terminology, frequent invoice exchanges, and ongoing supplier communication make it harder for users to distinguish routine activity from impersonation. The larger the organisation, the more likely the message can find someone who recognises the vendor name but not the exact request pattern. In practice, this is why social engineering often scales better in organisations with complex third-party relationships and distributed approval paths.

Practical implication: maintain verified contact paths and use out-of-band confirmation for any vendor-initiated change that affects money, credentials, or access.

How behaviour-based detection changes the control model

Behaviour-based detection looks for deviation from normal communication and action patterns rather than relying only on signatures, domain checks, or content filters. That matters because BEC and VEC are designed to look authentic enough to evade static controls. Detection becomes stronger when it correlates sender reputation, message intent, recipient role, and post-delivery behaviour such as forwarding, replying, or initiating unusual workflow steps. The control objective is to stop suspicious business action before the inbox becomes a launch point for fraud or access abuse.

Practical implication: pair inbox filtering with behavioural analytics that can block risky reply, forward, and payment workflows in real time.


NHI Mgmt Group analysis

Human trust is the primary control surface in BEC and VEC, not the mailbox alone. These attacks succeed when recipients are able to take low-friction action without a second verification step. That means identity programmes must treat reply, forward, and approval behaviour as security-relevant events, not just communications activity. The practitioner conclusion is straightforward: if a message can drive action, it can drive compromise.

Vendor verification is an identity governance control, not an admin convenience. The real failure mode is not that a message arrived, but that the requester could not be reliably distinguished from the legitimate vendor relationship in time. High-pressure roles and vendor-heavy industries are especially exposed because trust is already part of the operating model. The practitioner conclusion is that supplier identity checks need to be built into process, not left to user memory.

Behavior-based intervention is the named concept that best fits this threat pattern. Static email controls are built for known bad indicators, while BEC and VEC exploit plausible language and legitimate business context. Behaviour-based intervention shifts the defence from message inspection alone to the detection of risky human action at the point of decision. The practitioner conclusion is that stopping the workflow matters more than classifying the email after the fact.

Business process abuse is the governance problem behind many email scams. These attacks work because finance, procurement, and support processes often trust an inbox request as a valid trigger. That assumption was designed for human-paced operations with informal verification, and it fails when the request path is forged. The practitioner conclusion is that controls must protect the process, not only the message.

The security gap spans human IAM, fraud prevention, and third-party trust. BEC and VEC sit exactly where identity, supplier management, and operational workflow meet, which is why siloed ownership repeatedly misses them. Security teams that treat this as only an awareness issue will understate the control problem. The practitioner conclusion is that cross-functional ownership is required for durable reduction in exposure.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%, according to the same research.
  • For the broader identity picture, see Ultimate Guide to NHIs, Key Challenges and Risks for the control gaps that often underpin trust abuse and credential misuse.

What this signals

Behavior-based intervention: BEC and VEC are a reminder that identity programmes cannot stop at authentication and inbox filtering. The next maturity step is to tie communication trust to verified process controls, especially where finance, procurement, and executive support can trigger real business action from a message alone.

At a programme level, the organisational risk is not just phishing volume but response latency. The shorter the gap between message receipt and human action, the more often a forged request can outrun manual review, which is why policy, workflow, and detection need to operate as one control surface.

This is also where third-party trust becomes a governance issue. If suppliers, payment details, or approval chains change faster than the organisation can verify them, then social engineering becomes a business process exploit rather than a mailbox problem.


For practitioners

  • Add out-of-band verification for money-moving requests: require a second-channel confirmation before approving bank detail changes, urgent transfers, or invoice exceptions, and make the approver use a verified contact path rather than the reply thread.
  • Treat vendor contact changes as identity events: route any supplier bank, email, or payment-change request through a controlled verification workflow that validates the requester against an independently maintained vendor record.
  • Correlate inbox signals with human behaviour: combine sender reputation, message intent, recipient role, and actions such as reply or forward so suspicious messages can be stopped before they become a business process step.
  • Train high-risk roles with context, not slogans: use role-specific scenarios for finance, procurement, executive support, and account teams so users practise recognising vendor impersonation in the workflows they actually touch.
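The following is an added example, not code from Abnormal AI or NHIMG, that illustrates the signal correlation described under "How behaviour-based detection changes the control model" and the vendor-record check in the list above: a small Python gate that scores a vendor message against an independently maintained vendor record and decides whether the observed human action proceeds, is flagged, is held for out-of-band confirmation, or is blocked. The vendor record, intent phrases, role list, and sample messages are all constructed; the scoring weights are illustrative assumptions.

```python
from dataclasses import dataclass

# Constructed vendor master record: the independently maintained source of
# truth a request is validated against, never the message itself.
VENDOR_RECORDS = {"acme-supply": {"domains": {"acme-supply.com"},
                                  "callback": "+49-000-CONSTRUCTED"}}
# Constructed phrases indicating a money-moving or bank-change request.
INTENT_PHRASES = ("bank details", "new iban", "new account", "wire", "remit to", "urgent")
HIGH_RISK_ROLES = {"accounts_payable", "procurement", "executive_assistant"}

@dataclass
class Message:
    vendor_id: str       # vendor the message claims to come from
    from_addr: str
    reply_to: str
    recipient_role: str
    text: str            # subject and body, already extracted
    action: str          # observed human action: reply, forward, approve_payment_change, none

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def assess(msg: Message) -> tuple[str, int, list[str]]:
    # Correlate vendor record, sender/reply-to, intent, role and action into one decision.
    signals = []
    record = VENDOR_RECORDS.get(msg.vendor_id)
    if record is None:
        signals.append((3, "vendor not in master record"))
    elif domain(msg.from_addr) not in record["domains"]:
        signals.append((3, "sender domain not in vendor record"))
    if domain(msg.reply_to) != domain(msg.from_addr):
        signals.append((2, "reply-to domain differs from sender"))
    hits = [p for p in INTENT_PHRASES if p in msg.text.lower()]
    if hits:
        signals.append((2, f"money-moving intent: {hits}"))
    if msg.recipient_role in HIGH_RISK_ROLES:
        signals.append((1, "high-risk recipient role"))
    risk, reasons = sum(p for p, _ in signals), [r for _, r in signals]
    if risk >= 5:                       # strong impersonation evidence: block
        return "block", risk, reasons
    if hits and msg.action != "none":   # money-moving request plus human action: always verify
        channel = record["callback"] if record else "procurement desk"   # out of band, even from a genuine domain
        return "hold_for_oob", risk, reasons + [f"confirm via verified channel {channel}"]
    return ("flag" if risk >= 3 else "allow"), risk, reasons

# Constructed samples: routine invoice, compromised genuine vendor mailbox, lookalike domain.
SAMPLES = [
    Message("acme-supply", "ap@acme-supply.com", "ap@acme-supply.com", "accounts_payable", "Invoice 1042 for June attached", "reply"),
    Message("acme-supply", "ap@acme-supply.com", "ap@acme-supply.com", "accounts_payable", "We updated our bank details, new IBAN below", "approve_payment_change"),
    Message("acme-supply", "ap@acme-supp1y.com", "ap@acme-supp1y.com", "accounts_payable", "Urgent: wire to new account", "forward"),
]
```

The second sample is the point of the exercise: the sender domain is genuine, so static checks pass, yet the bank-change intent combined with an approval action is still held for confirmation over the vendor record's verified channel.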

Key takeaways

  • BEC and VEC succeed because they manipulate human trust at the point of action, not because they always defeat technical email controls.
  • Reported engagement of up to 44% shows that routine-looking messages still generate meaningful response rates in real organisations.
  • The best reduction comes from verified workflows, behaviour-based detection, and out-of-band approval steps that separate receipt from authorisation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--- | --- | ---
NIST CSF 2.0 | PR.AC-1 | Identity verification and access governance are directly relevant to trust-based email abuse.
NIST SP 800-63 | | Phishing-resistant identity assurance supports secure verification paths for high-risk requests.
OWASP Non-Human Identity Top 10 | NHI-07 | Secret and credential misuse often follows social engineering that gains access through human trust.

Map vendor approval and verification workflows to PR.AC-1 so no request becomes action without validation.


Key terms

  • Business Email Compromise: Business email compromise is a fraud technique that uses deceptive email to induce a person to transfer money, disclose information, or approve an action. The attack succeeds through trusted communication and process abuse rather than obvious malware, which makes workflow verification a primary control.
  • Vendor Email Compromise: Vendor email compromise is a form of impersonation that targets supplier, contractor, or partner relationships. Attackers exploit routine vendor communication patterns to request payment changes, invoice redirection, or other sensitive actions, so identity and process verification must extend beyond internal users.
  • Behaviour-Based Detection: Behaviour-based detection identifies suspicious activity by comparing message and user actions against normal patterns. In email abuse scenarios, it can flag unusual reply, forward, or approval behaviour even when the message itself looks plausible, making it more resilient than static indicators alone.
  • Business Process Abuse: Business process abuse occurs when an attacker manipulates an organisation's normal operating workflow into performing an unauthorised action. It is often the hidden mechanism behind email scams because the attack targets decision points, not just endpoints or inboxes.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: LLMjacking or VEC-themed threat report and on-demand webinar on business email compromise and vendor email compromise. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org