By NHI Mgmt Group Editorial Team
Published 2026-04-22
Domain: Governance & Risk
Source: Abnormal AI

TL;DR: Vendor email compromise now makes up 61% of business email compromise, while billing account update requests carry a 26.5% compromise rate, showing attackers are optimising for trusted relationships and financial workflow disruption, according to Abnormal AI’s 2026 Attack Landscape Report. The lesson is that identity governance has to extend beyond users to the approval chains and vendor relationships that BEC exploits.


At a glance

What this is: Abnormal AI’s 2026 Attack Landscape Report shows attackers shifting from technical exploits to social and workflow manipulation, with vendor email compromise now dominating business email compromise.

Why it matters: IAM, NHI, and finance control owners need to treat trusted relationships, delegated communication paths, and approval workflows as identity attack surfaces, not just email security concerns.

By the numbers:

👉 Read Abnormal AI's 2026 Attack Landscape Report on vendor email compromise and BEC


Context

Vendor email compromise is the use of impersonated or hijacked supplier relationships to steer payment, account, or workflow decisions. In identity terms, it turns trusted business communication into a control bypass, because the attacker does not need to break authentication if the process already grants the message credibility.

The report shows why conventional email filtering and perimeter controls are not enough on their own. When attackers can exploit billing changes, approval habits, and vendor familiarity, IAM teams need to think about who is authorised to request change, who can validate it, and which workflow steps create the most leverage.


Key questions

Q: How should organisations prevent vendor email compromise from bypassing normal approval workflows?

A: Organisations should treat vendor requests that change payment, account, or billing details as high-risk identity events. Require out-of-band verification, split request and approval duties, and validate the request against a trusted supplier record before action. Email thread continuity is not proof of legitimacy when attackers can hijack or mimic trusted relationships.

Q: Why do billing account update requests create a higher fraud risk than routine invoices?

A: Billing updates can redirect future payments, so one successful request can create durable financial impact. Routine invoices usually trigger a single transaction, but billing changes modify the underlying payment relationship. That makes billing updates a stronger target for attackers and a higher-priority control point for finance and IAM teams.

Q: What should security teams monitor to detect trust-based email attacks earlier?

A: Security teams should monitor for unusual vendor relationship changes, internal impersonation patterns, and requests that pressure finance to act outside normal review paths. The strongest signal is not just malicious content, but a request that uses a familiar relationship to demand a privileged workflow change.

Q: Who should own controls for vendor-related business email compromise?

A: Ownership should sit across IAM, finance operations, and security because the attack exploits both identity trust and payment workflow authority. IAM defines who can request and approve changes, finance owns the payment controls, and security detects impersonation and account compromise. Shared accountability is essential because this is not only an email problem.


Technical breakdown

Why vendor impersonation outperforms generic phishing

Vendor impersonation works because it borrows existing trust relationships rather than trying to create new ones. A request from a known supplier, a familiar invoice thread, or a billing update looks operationally normal, which lowers the chance of challenge. This is different from bulk phishing, where the attacker depends on volume and weak scrutiny. In practice, the attack success rate rises when the message fits a real business process and arrives at a moment when finance or operations expects routine change.

Practical implication: treat supplier communication channels as high-risk identity paths and require secondary verification for any payment or account change.

Why billing updates create a higher compromise window than invoices

Billing account update requests are especially effective because they alter the destination of an ongoing payment relationship. Unlike a routine invoice, which can be filed or ignored, a billing change forces a workflow decision that may affect future transactions, routing, or reconciliation. That makes the request harder to dismiss and more likely to be processed under time pressure. Attackers exploit that operational asymmetry by choosing tasks where a small communications success yields durable financial control.

Practical implication: isolate billing-change approvals from normal invoice handling and require out-of-band validation against a trusted supplier record.

How lateral trust spread becomes an identity problem

The report’s lateral attack patterns show that trust can move inside an organisation as easily as it moves between organisations. Once an internal account is compromised, attackers can impersonate colleagues, exploit approval habits, and use shared context to continue the conversation. That makes account compromise only the first step; the real issue is the absence of process boundaries that stop one trusted identity from becoming a launch point for another.

Practical implication: segment approval authority, monitor internal impersonation indicators, and reduce the number of people who can authorise high-risk workflow changes.


Threat narrative

Attacker objective: The attacker aims to convert trusted communication into authorised financial action without needing to defeat technical controls directly.

  1. Entry occurs through vendor impersonation, compromised internal accounts, or a highly credible billing-change message that fits a real business workflow.
  2. Escalation happens when the attacker gains enough process trust to redirect payment instructions, bypass routine scrutiny, or continue the conversation from a legitimate-looking thread.
  3. Impact is financial diversion, payment rerouting, and broader erosion of confidence in email-based approval chains.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Vendor email compromise is now an identity governance problem, not just an email security problem. The report’s 61% figure shows that attackers increasingly win by abusing trusted business relationships rather than breaking authentication. That shifts the control question from message filtering to authorisation of requesters, approvers, and workflow exceptions. Practitioners should treat supplier-facing approval paths as governed identity channels, not informal communication.

Billing account update requests reveal a governance gap in process validation. A billing change is more dangerous than a routine invoice because it can redirect ongoing value, not just approve a one-time payment. That means the real failure is not a missing alert but a workflow that allows a single trusted message to reshape future disbursement. Practitioners need to recognise billing changes as standing-access events in disguise.

Higher education and large-enterprise patterns show that trust structures shape attack design. Open, high-turnover environments and layered approval environments create different opportunities, but both can be exploited when identity context is weakly enforced. The named concept here is workflow trust debt: the accumulated reliance on familiar processes, shared context, and informal validation that attackers can convert into access. Practitioners should map where process familiarity is being mistaken for proof.

Attackers are selecting the shortest path to durable business impact. When a request can alter payment routing, impersonate authority, or exploit an internal account, the attacker does not need a technical exploit chain at all. This is a governance failure in how organisations define trust, not in how they inspect messages. Practitioners should re-evaluate where business process legitimacy is being allowed to stand in for identity assurance.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • The same research says only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which is a useful benchmark for programme maturity.
  • For a broader NHI risk baseline, see 52 NHI Breaches Analysis for recurring failure patterns and governance lessons.

What this signals

Workflow trust debt: organisations should now assume that familiar processes can be weaponised faster than technical controls can flag them. When attacker success depends on social credibility, the control stack has to move closer to the decision point, not just the inbox.

The operational lesson is that finance, procurement, and IAM can no longer be separate conversations. Request legitimacy, approval authority, and payment execution need shared controls because the attack path crosses all three domains.

If your programme still measures email risk mainly by malicious link detection, you are measuring the wrong boundary. The better indicator is whether a trusted request can alter money movement without an independent verification step.


For practitioners

  • Reclassify billing changes as identity-controlled events: Require independent validation for any request that changes payee details, bank routing, or payment authority. Separate invoice review from billing master-data changes so the same person cannot both request and approve a change.
  • Tighten supplier communication verification: Use a verified callback process for vendor requests, with known contact records and a second channel for confirmation before action. Do not rely on thread history alone, because attackers can inherit or mimic legitimate conversation context.
  • Reduce internal impersonation leverage: Limit who can authorise urgent financial exceptions and monitor for unusual internal request patterns that mimic colleague language or timing. High-risk approvals should require explicit reason codes and traceable approval ownership.
  • Map workflow trust boundaries: Identify where routine business processes grant implicit trust to an identity, a message, or a shared thread. Then define the exact step where extra verification must occur before funds, credentials, or account details change.
  • Cross-check vendor change requests against master records: Tie payment or billing changes to a controlled supplier record and require review by a different function than the one processing the request. This prevents a single compromised conversation from becoming a durable financial reroute.
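As an added example (not code from the Abnormal AI report or from NHI Mgmt Group), the Python sketch below enforces the practitioner controls listed above, together with the verification and monitoring points raised in the key questions and the technical breakdown: it separates routine invoices from payment-detail changes, records the impersonation signals a message carries (sender domain and reply-to mismatches, urgency pressure, a change arriving inside a known thread), holds any payment-detail change until a callback is made to the phone number on the supplier master record, and then requires an approver who is a different person from a different function and supplies a reason code. The supplier record, phone number, email addresses and message text are all constructed, and every class, function and field name is this example's own.

```python
# Added example, not code from the Abnormal AI report or from NHI Mgmt Group.
# A billing-change approval gate: classify, hold for an out-of-band callback,
# then approve under segregation of duties. All records below are constructed.
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

class State(Enum):
    ROUTINE = "routine"          # ordinary invoice, normal AP handling
    HOLD_VERIFY = "hold_verify"  # payment-detail change awaiting callback
    READY = "ready"              # callback confirmed, needs a second-function approver
    APPROVED = "approved"
    REJECTED = "rejected"

@dataclass(frozen=True)
class SupplierRecord:
    supplier_id: str
    email_domain: str    # domain on file, independent of the inbound mail
    callback_phone: str  # number on file; the only number used for verification

@dataclass
class ChangeRequest:
    supplier_id: str
    from_addr: str
    reply_to: str
    body: str
    requester: str           # internal user who raised the ticket
    requester_function: str  # e.g. "ap", "procurement", "treasury"
    in_existing_thread: bool
    signals: List[str] = field(default_factory=list)
    state: State = State.ROUTINE
    reason_code: Optional[str] = None

# Phrases that turn a message into a change of payment destination.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|changed?)\b.{0,40}?\b(bank|account|routing|remittance|wire|payee)\b",
    re.IGNORECASE | re.DOTALL)
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|end of (the )?day)\b", re.IGNORECASE)

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def classify(req: ChangeRequest, master: Dict[str, SupplierRecord]) -> ChangeRequest:
    """Separate routine invoices from identity-controlled billing changes and
    record the impersonation signals the message carries."""
    rec = master.get(req.supplier_id)
    if rec is None:
        req.signals.append("unknown_supplier")
    else:
        if _domain(req.from_addr) != rec.email_domain:
            req.signals.append("sender_domain_mismatch")  # lookalike or free-mail sender
        if _domain(req.reply_to) != _domain(req.from_addr):
            req.signals.append("reply_to_mismatch")       # replies diverted elsewhere
    if URGENCY.search(req.body):
        req.signals.append("urgency_pressure")
    if PAYMENT_CHANGE.search(req.body):
        req.signals.append("payment_detail_change")
        if req.in_existing_thread:  # noted, but thread history lowers nothing
            req.signals.append("change_inside_trusted_thread")
        req.state = State.HOLD_VERIFY
    return req

def record_callback(req: ChangeRequest, master: Dict[str, SupplierRecord],
                    number_dialed: str, supplier_confirmed: bool) -> ChangeRequest:
    """Verification counts only when made to the number on the supplier record,
    never to a number quoted in the message itself."""
    if req.state is not State.HOLD_VERIFY:
        raise ValueError("callback applies only to a held payment change")
    rec = master.get(req.supplier_id)
    if rec is None or number_dialed != rec.callback_phone:
        req.signals.append("callback_to_untrusted_number")
        return req  # stays on hold
    req.state = State.READY if supplier_confirmed else State.REJECTED
    return req

def approve(req: ChangeRequest, approver: str, approver_function: str,
            reason_code: str) -> ChangeRequest:
    """Segregation of duties: a different person from a different function,
    with a reason code, and only after a confirmed callback."""
    if req.state is not State.READY:
        raise ValueError("change has not been verified out of band")
    if not reason_code:
        raise ValueError("reason code required for a high-risk approval")
    if approver == req.requester or approver_function == req.requester_function:
        req.signals.append("sod_violation")
        req.state = State.REJECTED
        return req
    req.reason_code, req.state = reason_code, State.APPROVED
    return req

# Constructed supplier master record and a constructed inbound message.
MASTER = {"SUP-100": SupplierRecord("SUP-100", "acme-parts.example", "+44 20 0000 0000")}

def make_bank_change_request() -> ChangeRequest:
    return ChangeRequest(
        supplier_id="SUP-100",
        from_addr="billing@acme-parts.example",
        reply_to="billing@acme-parts-invoices.example",  # replies routed elsewhere
        body="Please note our updated bank account details for all future "
             "payments. Urgent: apply before end of day.",
        requester="j.doe", requester_function="ap", in_existing_thread=True)
```

The design point is that thread continuity and a plausible sender address never move a request out of the hold state; only a callback to the number already on the master record does, and the approval step then refuses the same person or the same function that raised the request. Running `classify(make_bank_change_request(), MASTER)` places the sample message on hold with the reply-to, urgency and payment-change signals attached, and a callback to any number other than the one on file leaves it there.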

Key takeaways

  • Vendor email compromise succeeds because attackers exploit trusted business relationships and workflow habits, not just email content.
  • Billing account update requests are especially dangerous because they can redirect ongoing financial relationships, which raises the impact of a single successful impersonation.
  • The practical control answer is stronger request verification, clearer approval separation, and tighter ownership of workflow trust boundaries.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Workflow abuse and trusted relationship compromise expose NHI governance gaps.
NIST CSF 2.0 | PR.AC-4 | Payment and approval workflows need access control that matches their business impact.
NIST Zero Trust (SP 800-207) | PR.AC | Zero trust applies to business requests when trusted context is no longer sufficient.

Treat vendor-facing and delegated workflow accounts as governed identities with explicit review and verification steps.


Key terms

  • Vendor Email Compromise: Vendor email compromise is a social engineering pattern where attackers impersonate or hijack a supplier relationship to influence payment, account, or workflow decisions. It succeeds by exploiting business trust, not by breaking authentication first.
  • Billing Account Update Request: A billing account update request is a change to the payment destination, account details, or financial routing associated with an ongoing supplier relationship. It is high risk because a successful change can alter future payments, making it more powerful than a single invoice scam.
  • Workflow Trust Debt: Workflow trust debt is the accumulated risk created when organisations rely on familiar processes, shared context, and informal validation instead of explicit identity checks. It grows whenever a routine business step is allowed to stand in for proof of legitimacy.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: Abnormal AI 2026 Attack Landscape Report on threat actors targeting human behavior and trusted relationships. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org