By NHI Mgmt Group Editorial Team
Published 2025-07-07
Domain: Governance & Risk
Source: Abnormal AI

TL;DR: Vendor email compromise can drive stronger repeat engagement than business email compromise in some regions, according to Abnormal AI's research across 1,400+ organisations, while only 1.46% of read advanced email attacks are reported, leaving mid-market firms with up to 1,680 unreported attacks monthly. The practical issue is not just user susceptibility but the governance gap between detection, reporting, and response.


At a glance

What this is: This is a regional analysis of vendor email compromise and business email compromise behaviour, showing that employees often engage with vendor impersonation and rarely report suspicious messages.

Why it matters: It matters because IAM and security teams rely on human reporting, vendor trust, and workflow controls that can fail when external identities are abused as a social-engineering cover.

By the numbers:

👉 Read Abnormal AI's analysis of vendor email compromise engagement and reporting gaps


Context

Vendor email compromise is a social-engineering pattern that abuses a trusted external identity to make malicious requests look routine. In this case, the governance problem is not just message filtering, but how often employees treat vendor-originated requests as operationally normal even when they are suspicious.

Across 1,400+ organisations, the article shows that engagement, repeat engagement, and reporting vary by region, but the reporting gap persists everywhere. That makes vendor identity verification, employee response paths, and reporting culture part of the same control surface for IAM, security awareness, and fraud defence.


Key questions

Q: How should security teams reduce vendor email compromise in routine business workflows?

A: They should add verification steps before action, not after the message is received. That means dual confirmation for payment or account changes, role-specific handling for finance and procurement, and clear instructions that vendor familiarity never replaces identity verification. The goal is to make unsafe actions harder than safe escalation.

Q: Why do employees keep engaging with vendor impersonation attacks?

A: Employees often trust the request because it fits a real workflow and arrives from a familiar business context. In some regions, authority cues and partner expectations make the message feel legitimate, while fear of false alarms discourages challenge. The result is repeated interaction, not just a one-time mistake.

Q: How do security teams know whether reporting controls are actually working?

A: They should track how many suspicious messages are reported, how quickly they reach triage, and whether reports produce containment actions such as mailbox hunting or alert suppression. A low report rate, especially on read messages, means the organisation lacks operational visibility into active social-engineering campaigns.

Q: What is the difference between BEC and VEC for governance teams?

A: BEC abuses an internal identity such as a colleague or executive, while VEC abuses a trusted external party such as a supplier or service provider. Governance teams must verify both, but VEC often slips through because operational staff are conditioned to treat vendors as routine business partners rather than as identity risks.


Technical breakdown

Why vendor impersonation works in routine workflows

Vendor email compromise succeeds because the attacker does not need to invent a new relationship, only to exploit an existing one. The message arrives inside a live operational context such as invoicing, account updates, or payment coordination, where employees are already primed to trust third-party requests. That trust is the real attack surface. Once the impersonation looks plausible, post-read engagement can continue even when the first signal should have been a pause. The control failure is not simply email authentication. It is the absence of workflow-level verification for external identities that already have business legitimacy.

Practical implication: strengthen approval paths for vendor-triggered actions so trust in the sender never substitutes for verification.
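As an added illustration of the workflow-level verification described above and in the first Q&A answer (this is not code from Abnormal AI or NHI Mgmt Group), the Python below models a pre-action check for vendor-triggered requests. The vendor-of-record register, the request fields and the action names are constructed assumptions. It encodes the stated rule that payment and account changes get dual confirmation no matter how familiar the sender is, and that identity mismatches such as a lookalike domain or a diverging Reply-To send the message to security triage instead of the workflow.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Optional

# Constructed vendor-of-record register (hypothetical data): the sending domain
# and the contacts that were verified out of band when the vendor was onboarded.
VENDORS_OF_RECORD = {
    "acme-supplies": {
        "domain": "acme-supplies.example",
        "verified_contacts": {"billing@acme-supplies.example"},
    },
}

# Actions the text singles out for dual confirmation before anything is done.
HIGH_RISK_ACTIONS = {"payment", "change_bank_details", "change_contact", "grant_access"}


@dataclass
class VendorRequest:
    vendor_id: str            # which vendor the recipient believes this is
    from_header: str          # raw From: header value
    action: str               # what the message asks the recipient to do
    reply_to: Optional[str] = None


@dataclass
class Decision:
    proceed_without_escalation: bool
    required_steps: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def _domain(address_header):
    """Lower-cased domain from a header such as 'Name <user@host>' ('' if none)."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def evaluate_vendor_request(req):
    """Decide whether a vendor-originated request may be actioned as routine.

    Identity mismatches become findings, but high-risk actions require dual
    confirmation even when every identity check passes: sender familiarity is
    never treated as verification.
    """
    decision = Decision(proceed_without_escalation=True)
    vendor = VENDORS_OF_RECORD.get(req.vendor_id)
    if vendor is None:
        decision.findings.append("no vendor of record; treat the sender as unverified")
    else:
        from_domain = _domain(req.from_header)
        if from_domain != vendor["domain"]:
            decision.findings.append(
                f"sender domain {from_domain!r} is not the vendor-of-record domain")
        if req.reply_to and _domain(req.reply_to) != from_domain:
            decision.findings.append(
                "Reply-To diverges from From; replies would leave the vendor domain")
    if req.action in HIGH_RISK_ACTIONS:
        # Dual confirmation: call a contact verified at onboarding (never a
        # number taken from the message) and get a second approver to sign off.
        decision.required_steps += ["callback_to_verified_contact", "second_approver_signoff"]
    if decision.findings:
        decision.required_steps.append("report_to_security_triage")
    decision.proceed_without_escalation = not decision.findings and not decision.required_steps
    return decision


# Constructed sample requests: a routine document exchange from the real vendor
# domain, and a bank-detail change from a lookalike domain (capital I for l)
# whose Reply-To points at a third domain.
ROUTINE = VendorRequest("acme-supplies",
                        "Acme Billing <billing@acme-supplies.example>", "document_exchange")
LOOKALIKE = VendorRequest("acme-supplies",
                          "Acme Billing <billing@acme-suppIies.example>", "change_bank_details",
                          reply_to="acme.billing@mail.example")

if __name__ == "__main__":
    for name, req in (("routine", ROUTINE), ("lookalike", LOOKALIKE)):
        print(name, evaluate_vendor_request(req))
```

The asymmetry is the point: the routine request passes with no steps, a genuine payment request from the correct domain still needs the callback and second approver, and the lookalike request collects two findings and is routed to triage rather than to finance.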

Why repeat engagement is a governance signal, not just a user mistake

Repeat engagement shows that the initial deception was not recognised as an attack. That matters because a user who replies once is likely to continue the interaction, creating a deeper opportunity for invoice diversion, credential capture, or fraudulent payment instruction. In identity terms, the issue is behavioural persistence after the first malicious contact. If the organisation treats each message as a standalone event, it misses the pattern. Repeated interaction is a signal that vendor identity controls, training, and escalation guidance are not aligned with how employees actually work.

Practical implication: treat repeat interaction as a measurable control weakness and route it into targeted awareness and case review.

Why under-reporting turns email fraud into a scaling problem

Reporting rates matter because detection is only useful when it reaches the security team in time to act. When only 1.46% of read attacks are reported, the organisation loses visibility into attack volume, recipient targeting, and campaign reuse. That creates a blind spot that allows the same fraudulent identity pattern to be reused across departments and regions. The bystander effect, false-alarm fear, and no-harm-no-foul thinking are behavioural explanations, but the operational consequence is the same: the SOC never sees enough of the attack surface to suppress it effectively.

Practical implication: design reporting as a low-friction operational control, not a voluntary courtesy, and measure whether it actually reaches triage.


Threat narrative

Attacker objective: The attacker wants to convert trusted vendor identity into operational trust, then use that trust to drive fraudulent payment, credential, or account-update actions.

  1. Entry occurs when the attacker impersonates a familiar vendor or business partner and delivers a message that fits an existing workflow.
  2. Escalation occurs when the recipient replies, repeats the interaction, or continues the exchange without independent vendor verification.
  3. Impact occurs when the organisation loses visibility because the message is deleted or never reported, allowing the same fraud pattern to continue against other employees.

  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Vendor impersonation is a governance problem, not just a phishing problem. The article shows that employees do not respond to all trusted identities the same way, which means vendor-originated requests sit inside a weaker verification regime than internal identity traffic. That is not a mail-filtering issue alone. It is a failure to treat external business identity as an access path that requires the same scrutiny as any other privileged workflow.

The reporting deficit is the real control failure. When read attacks are reported at 1.46%, the security team is working with a tiny and distorted slice of the attack surface. The bystander effect and fear of false alarms matter, but the deeper issue is that organisations have not made reporting a reliable security control. Practitioners should see this as an observability gap across human identity behaviour, not a communications problem.

Regional behaviour proves that security awareness cannot be one-size-fits-all. EMEA, APAC, and North America show different patterns of repeat engagement and reporting, which means training must reflect local workflow norms, authority dynamics, and vendor interaction habits. A generic awareness programme misses the specific ways trust is granted and repeated in each operating region. The implication is that security teams need region-aware reporting and verification controls, not a single global script.

External identity trust is becoming its own attack surface. The article's data shows that vendor identities are often more persuasive than internal ones, especially when the request arrives in a routine business process. That creates what can be called a vendor trust gap: the organisation assumes external legitimacy is self-evident when in practice it must be revalidated every time. Practitioners should treat that gap as a field-level blind spot in human identity governance.

Workflow proximity is now part of social-engineering success. The attacks work because they arrive close to the point of action, not because the message is technically sophisticated. That means identity-aware controls have to extend into procurement, finance, and support workflows where vendor requests are normalised. Security teams should assume the next successful attack will look operationally familiar rather than obviously malicious.

From our research:

What this signals

Vendor trust is becoming a measurable security control, not a soft-skill issue. If employees can be manipulated by familiar third parties more easily than by internal impersonation, then the workflow itself is part of the attack surface. Teams should revisit payment, support, and supplier-change approvals with explicit identity verification steps, especially where cross-border operations normalise external requests.

Reporting culture needs to be engineered into the control stack. The bystander effect and false-alarm anxiety only matter because reporting is too easy to ignore. A programme that depends on voluntary vigilance will underperform unless it is tied to low-friction tooling, clear ownership, and fast triage paths.

Regional risk profiles should drive different controls, not just different awareness slides. Where partner trust is especially strong, teams should tighten vendor verification. Where repeat engagement is high, target behavioural coaching and fraud simulation. For a wider identity lens, the Ultimate Guide to NHIs, Key Challenges and Risks is useful context for how trust and access failures compound.


For practitioners

  • Segment vendor-facing workflows by risk: Map which teams regularly receive external requests for payment, account changes, document exchange, or access updates, then add verification steps before those requests can be actioned. Use separate handling for high-trust functions such as finance and procurement.
  • Make reporting the default response path: Embed one-click reporting and clear escalation prompts in mail clients so employees can flag suspicious vendor messages without hesitation. Measure whether reports reach triage, not just whether users click the button.
  • Train for vendor impersonation, not generic phishing: Use examples that reflect real supplier, invoice, and account-update workflows in each region, then test whether employees can distinguish legitimate partner messages from lookalikes. Localise content where authority dynamics and business practices differ.
  • Review repeat-engagement cases as a separate risk class: Treat employees who reply more than once to a suspicious vendor message as a signal for coaching, extra review, or targeted monitoring. Repeated engagement often indicates the first warning was not recognised as a security event.
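The measurements the third Q&A answer and the practitioner list call for (report rate on read messages, whether reports reach triage and how fast, repeat engagement as its own risk class, and how widely one impersonated sender spreads before anyone reports it) can be computed from ordinary mail-security events. The Python below is an added example, not Abnormal AI's or NHI Mgmt Group's tooling, and runs over a constructed event log: the event names, regions, users and sender addresses are assumptions, and the lookalike sender reuses the capital-I-for-l trick from earlier in this page.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sender addresses (hypothetical); note the lookalike spelling.
LOOKALIKE_ACME = "billing@acme-suppIies.example"
LOOKALIKE_NORTHWIND = "ap@northwind-ltd.example"

# Constructed sample events, one row per user or SOC action on a message later
# classified as vendor impersonation: (timestamp, region, actor, sender, message id, event).
SAMPLE_EVENTS = [
    ("2025-07-01T09:00Z", "EMEA", "u1", LOOKALIKE_ACME, "m1", "read"),
    ("2025-07-01T09:04Z", "EMEA", "u1", LOOKALIKE_ACME, "m1", "reply"),
    ("2025-07-02T10:30Z", "EMEA", "u1", LOOKALIKE_ACME, "m2", "read"),
    ("2025-07-02T10:41Z", "EMEA", "u1", LOOKALIKE_ACME, "m2", "reply"),      # second reply: repeat engagement
    ("2025-07-01T11:00Z", "EMEA", "u2", LOOKALIKE_ACME, "m3", "read"),
    ("2025-07-01T11:02Z", "EMEA", "u2", LOOKALIKE_ACME, "m3", "report"),
    ("2025-07-01T11:32Z", "EMEA", "soc", LOOKALIKE_ACME, "m3", "triaged"),
    ("2025-07-01T12:00Z", "EMEA", "soc", LOOKALIKE_ACME, "m3", "contained"),
    ("2025-07-03T08:00Z", "APAC", "u3", LOOKALIKE_NORTHWIND, "m4", "read"),
    ("2025-07-03T08:10Z", "APAC", "u3", LOOKALIKE_NORTHWIND, "m4", "report"),  # reported but never triaged
    ("2025-07-03T08:00Z", "APAC", "u4", LOOKALIKE_NORTHWIND, "m5", "read"),
    ("2025-07-03T08:00Z", "NA",   "u5", LOOKALIKE_NORTHWIND, "m6", "read"),
    ("2025-07-03T08:05Z", "NA",   "u5", LOOKALIKE_NORTHWIND, "m6", "delete"),  # no-harm-no-foul: deleted, not reported
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%MZ")


def reporting_metrics(events):
    """Per region: read messages, reported read messages, report rate, reports that reached triage."""
    read, reported, triaged = defaultdict(set), defaultdict(set), defaultdict(set)
    for _, region, _, _, msg, ev in events:
        {"read": read, "report": reported, "triaged": triaged}.get(ev, defaultdict(set))[region].add(msg)
    out = {}
    for region, msgs in read.items():
        n_rep = len(reported[region] & msgs)
        out[region] = {
            "read": len(msgs),
            "reported": n_rep,
            "report_rate": n_rep / len(msgs),
            "reports_triaged": len(triaged[region] & reported[region]),
        }
    return out


def minutes_to_triage(events):
    """Median minutes from first report to triage over messages that reached triage (None if none did)."""
    reported_at, triaged_at = {}, {}
    for ts, _, _, _, msg, ev in events:
        t = _parse(ts)
        if ev == "report":
            reported_at[msg] = min(t, reported_at.get(msg, t))
        elif ev == "triaged":
            triaged_at[msg] = min(t, triaged_at.get(msg, t))
    deltas = [(triaged_at[m] - reported_at[m]).total_seconds() / 60
              for m in triaged_at if m in reported_at]
    return median(deltas) if deltas else None


def repeat_engagers(events, min_replies=2):
    """(user, sender) pairs that replied at least min_replies times to the same impersonated sender."""
    replies = Counter((user, sender) for _, _, user, sender, _, ev in events if ev == "reply")
    return sorted(pair for pair, n in replies.items() if n >= min_replies)


def campaign_visibility(events):
    """Per impersonated sender: regions reached, distinct readers, and how many reports the SOC got."""
    seen = defaultdict(lambda: {"regions": set(), "readers": set(), "reports": 0})
    for _, region, user, sender, _, ev in events:
        if ev == "read":
            seen[sender]["regions"].add(region)
            seen[sender]["readers"].add(user)
        elif ev == "report":
            seen[sender]["reports"] += 1
    return {s: {"regions": sorted(v["regions"]), "readers": len(v["readers"]), "reports": v["reports"]}
            for s, v in seen.items()}


if __name__ == "__main__":
    print(reporting_metrics(SAMPLE_EVENTS))
    print("median minutes to triage:", minutes_to_triage(SAMPLE_EVENTS))
    print("repeat engagers:", repeat_engagers(SAMPLE_EVENTS))
    print(campaign_visibility(SAMPLE_EVENTS))
```

Two things the numbers show that a raw click count would not: the APAC report was never triaged, so "reports reached triage" is zero there even though a user did the right thing, and the Northwind lookalike was read in two regions by three people with a single report, which is exactly the campaign-reuse blind spot the under-reporting section describes.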

Key takeaways

  • Vendor impersonation is effective because it blends into ordinary business processes, not because it is technically advanced.
  • The reporting gap is the most concerning signal in the dataset, since low user escalation leaves security teams blind to campaign reuse and spread.
  • Organisations need region-aware verification and reporting controls if they want to reduce repeat engagement and limit fraud escalation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework      | Control / Reference | Relevance
NIST CSF 2.0   | PR.AT-1             | Security awareness and training are central to the reporting deficit described here.
NIST CSF 2.0   | DE.CM-8             | Reporting and detection depend on users escalating suspicious activity quickly.
NIST SP 800-63 | (none cited)        | The article is about trust in identities, including external party credibility in workflows.

Apply stronger identity verification for external requests that could trigger financial or account actions.


Key terms

  • Vendor Email Compromise: Vendor email compromise is a social-engineering attack in which an adversary impersonates a trusted supplier, partner, or service provider to influence business decisions. It works because the message fits an expected operational relationship, making verification failures more likely than in obvious spam or malware campaigns.
  • Post-read interaction rate: Post-read interaction rate measures how often recipients continue to engage with a suspicious email after opening it. It is a useful behavioural signal because it shows the message was not only seen but also trusted enough to trigger further action, reply, or repeated engagement.
  • Reporting deficit: A reporting deficit is the gap between the number of suspicious messages seen by employees and the much smaller number escalated to security teams. It creates blind spots in detection, slows containment, and allows the same fraud pattern to spread across people, regions, and workflows.
  • Vendor trust gap: A vendor trust gap is the space between assuming an external partner is legitimate and actually verifying that the request is safe. In practice, it appears when business familiarity becomes a substitute for identity validation, especially in finance, procurement, and account-change workflows.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: Key insights on vendor email compromise engagement and reporting gaps. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org