By NHI Mgmt Group Editorial Team
Published 2026-06-03
Domain: Governance & Risk
Source: Abnormal AI

TL;DR: Vendor email compromise makes up a major share of BEC, with 61% of attacks impersonating external third parties and 87.5% of high-risk VEC using impersonation, according to Abnormal AI's 2026 Attack Landscape Report. The lesson is that workflow-aware verification, not executive-focused filtering, is now the deciding control.


At a glance

What this is: This analysis shows that vendor email compromise is driven more by external impersonation and workflow abuse than by classic insider-style executive spoofing.

Why it matters: It matters because IAM, finance, and procurement teams need controls that match real vendor workflows, not just internal identity assumptions or generic phishing filters.

By the numbers:

  • 61% of BEC attacks impersonate external third parties, according to Abnormal AI's 2026 Attack Landscape Report.
  • 87.5% of high-risk vendor email compromise uses impersonation.



Context

Vendor email compromise is a form of business email compromise that targets the ordinary trust built into invoices, billing changes, quote requests, and payment workflows. The primary failure is not a lack of awareness about executive impersonation, but a mismatch between existing controls and the way external business relationships actually operate.

For identity and access teams, the lesson extends beyond email security. Business processes are acting like identity signals, and attackers are learning which workflows are easiest to imitate, which roles are easiest to pressure, and which approvals still rely on trust rather than verifiable context.


Key questions

Q: How should organisations verify vendor payment changes without creating too much friction?

A: Use a separate confirmation path for bank detail changes, payee updates, and payment redirects. The approval should not be satisfiable by the same email thread that requested the change. Out-of-band callbacks, authenticated portals, and dual approval by a known internal owner reduce the chance that a compromised vendor mailbox can redirect money.

Q: Why do vendor impersonation attacks work even when email security is in place?

A: Because the attacker is often matching a real business workflow, not trying to defeat mailbox security alone. If the request looks like an invoice, billing update, or quote inquiry, the recipient may treat it as normal business activity. Technical filtering helps, but workflow validation is what closes the gap.

Q: What do security teams get wrong about sales-facing fraud risk?

A: They often focus on phishing training for executives while missing that sales teams are optimized to respond quickly to unfamiliar external requests. That incentive structure makes RFQ fraud effective. The fix is to embed validation into intake, not just remind staff to be careful.

Q: Who should own controls for vendor email compromise?

A: Finance, procurement, sales, and identity security should share ownership, because the attack crosses process and control boundaries. Finance owns payment changes, sales owns lead intake, procurement owns supplier validation, and identity teams should provide the verification model and exception handling.


Technical breakdown

Why vendor impersonation works better than executive spoofing

Vendor email compromise succeeds because credibility is workflow-specific. A finance team expects invoices, a procurement team expects billing changes, and sales expects cold quote requests. Attackers exploit those expectations with spoofed domains, lookalike senders, or compromised vendor mailboxes. The security failure is not simply weak filtering, but that ordinary business communications are treated as low-risk unless they look like classic phishing. Once the message matches the workflow, the attacker no longer needs to defeat technical controls first; they need only align with the recipient's normal operating pattern.

Practical implication: verify messages against business context, not sender appearance alone.

Why billing account updates drive real account compromise

Billing account update fraud asks the target to change where future payments go, so the request itself carries higher scrutiny than a one-off fake invoice. That is why attackers often need a real compromised vendor account to make the request credible. In practice, the technique shifts from simple impersonation to authentic-looking correspondence that can survive procedural checks. This reveals a control gap in change handling: organisations often verify payment creation better than payment redirection. The highest-risk step is not payment approval, but account detail modification.

Practical implication: treat vendor banking changes as a separate high-risk identity event with stronger verification than invoice approval.

How role pressure turns RFQ handling into a fraud surface

RFQ fraud works because sales teams are rewarded for responsiveness to unfamiliar external inquiries. The attacker does not need an existing vendor relationship, only a plausible request for pricing or product information. That makes the role itself part of the attack surface. The underlying issue is not just email hygiene, but incentive-driven trust: the faster the team is expected to reply, the less time remains for validation. This pattern shows why workflow controls must reflect role behaviour, not just message content.

Practical implication: build validation steps into sales intake processes before quote details or contacts are shared.


Threat narrative

Attacker objective: The objective is to redirect money or extract sensitive business and payment information by exploiting trusted external communication channels.

  1. Entry begins with an impersonated external third party, or with a compromised vendor mailbox when the request needs higher credibility to pass scrutiny.
  2. Credential or account abuse occurs when attackers exploit trusted vendor identity to issue invoice, billing, RFQ, or payment requests that appear routine to the recipient.
  3. Impact follows when employees redirect payments, disclose financial details, or continue a fraudulent relationship that expands the attacker’s reach into business workflows.



NHI Mgmt Group analysis

Vendor email compromise is a workflow identity problem, not just a phishing problem. The article shows that attackers succeed by matching the identity expectations embedded in billing, procurement, and sales processes. That means the real control gap is not only message inspection, but whether the business can prove that a request belongs in that workflow at that moment. Practitioners should treat external email as a business identity assertion that must be validated against context, not assumed because it looks routine.

Billing account update fraud exposes a standing trust assumption about vendor change requests. The process assumes an email claiming to alter payment details is authentic enough to drive action if it passes basic review. That assumption fails because attackers either impersonate a vendor or compromise the vendor's own account to make the change request look legitimate. The implication is that payment-routing governance is still too dependent on mail integrity and not enough on independent confirmation.

Vendor trust debt: repeated business interactions create an accumulation of assumed legitimacy that attackers can cash in. The more often a team sees invoices, quotes, and payment inquiries from external parties, the more likely it is to accept the next message as normal. This article shows that trust debt is uneven across roles, with sales, finance, and government procurement each carrying different exposure profiles. Practitioners should see that the problem is not generic email risk, but accumulated workflow trust.

Role-based exposure means fraud controls must be tuned to operational behaviour. Sales teams are vulnerable because responsiveness is rewarded, finance teams because payment change requests are routine, and government contexts because procurement friction makes trustworthy-looking requests more valuable. That pattern maps to OWASP-NHI and NIST CSF thinking: controls need to reflect process-critical identity actions, not just network or mailbox events. The practical conclusion is that one-size-fits-all anti-phishing programmes leave the highest-risk workflows underprotected.

From our research:

  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control.
  • Forward pivot: The same trust fragmentation that weakens secrets governance also shows up in vendor email compromise, where business context replaces identity verification unless teams design stronger controls, as discussed in 52 NHI Breaches Analysis.

What this signals

Vendor compromise patterns are a reminder that identity governance now extends into business workflows, not just authentication systems. When a finance or sales process depends on trust in external communication, the control surface becomes both human and procedural. Practitioners should expect fraud attempts to keep shifting toward the easiest workflow to imitate, not the easiest mailbox to spoof.

Vendor trust debt: the longer an organisation relies on familiar external relationships without separate verification, the more likely a fraudulent request will look legitimate. That is especially relevant for teams building out zero-trust and identity-proofing programmes, because context must become a control input rather than a soft signal.

Security leaders should treat vendor change handling as a governance problem that sits between IAM, finance, and procurement. The practical signal is simple: if a fraudulent request can still move money or change payee details through ordinary email, the organisation has not separated communication from authorisation.


For practitioners

  • Separate vendor change requests from routine invoice handling: Require independent verification for bank-detail changes, payment redirects, and new payee setup. Do not let email approvals satisfy the control on their own; use an out-of-band callback or authenticated portal workflow.
  • Tune controls by business role and workflow: Apply stricter review paths for finance, procurement, and sales intake because each faces a different pretext mix. Map the highest-risk external request types to the teams that receive them most often.
  • Block trust transfer from external identity to internal action: Make sure a familiar sender, historical thread, or professional-looking invoice cannot by itself authorise a payment or data disclosure. Force a second signal before money moves or vendor data changes.
  • Instrument vendor relationship validation: Track whether the sender, domain age, request type, and historical vendor relationship align before the message reaches approvers. Feed those checks into finance and sales triage instead of relying on mailbox reputation alone.
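The triage-and-approval logic sketched in the practitioner notes above, written out as an added Python example that is not code from the article or from Abnormal AI. The vendor registry, domain-age values, request types, approval channels and approver ids are constructed assumptions, and the lookalike threshold (a difflib ratio above 0.8) is an illustrative choice rather than a recommended setting.

```python
# Added example (not code from the article or Abnormal AI): triage an inbound vendor
# request against workflow identity signals, then check that the approval collected
# for a high-risk request is independent of the email thread that asked for it.
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed vendor registry: domains we have an established relationship with.
KNOWN_VENDORS = {"acme-supply.example", "northwind.example"}
# Request types that redirect future money movement: always verified out of band.
HIGH_RISK_TYPES = {"billing_change", "payment_redirect", "new_payee"}

@dataclass
class Request:
    sender_domain: str
    request_type: str        # invoice | billing_change | payment_redirect | new_payee | rfq
    domain_age_days: int     # assumed to come from DNS/WHOIS history; constructed here
    in_known_thread: bool    # reply within a thread we originated or already verified

def lookalike_of(domain: str) -> str:
    """Return the known vendor domain this sender closely imitates, or '' if none."""
    for known in KNOWN_VENDORS:
        if domain != known and SequenceMatcher(None, domain, known).ratio() > 0.8:
            return known
    return ""

def triage(req: Request) -> str:
    """Decide 'process', 'delay' or 'verify_out_of_band' from business context."""
    if req.request_type in HIGH_RISK_TYPES:
        return "verify_out_of_band"   # payee/bank-detail changes never ride on mail integrity
    if lookalike_of(req.sender_domain):
        return "verify_out_of_band"   # spoofed or lookalike sender imitating a real vendor
    if req.sender_domain not in KNOWN_VENDORS:
        if req.domain_age_days < 90 or not req.in_known_thread:
            return "delay"            # e.g. a cold RFQ from a brand-new domain: validate intake first
    return "process"

@dataclass
class Approval:
    channel: str             # email_thread | phone_callback | vendor_portal
    approvers: tuple         # internal user ids who signed off

def approval_is_independent(decision: str, approval: Approval, owners: set) -> bool:
    """A high-risk decision needs a non-email channel plus dual approval by known internal owners."""
    if decision != "verify_out_of_band":
        return True
    if approval.channel == "email_thread":
        return False                  # the requesting thread cannot satisfy its own control
    return len({a for a in approval.approvers if a in owners}) >= 2
```

In practice the triage result would be attached to the finance or sales ticket before it reaches an approver, and the approval record would be checked by the payment system rather than by the person reading the mail.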

Key takeaways

  • Vendor email compromise succeeds because attackers mirror business workflows, not just internal identities.
  • Billing changes and RFQ handling show that different pretexts require different controls, not a single anti-phishing playbook.
  • Teams should separate message receipt from financial authorisation so external trust cannot directly trigger money movement.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Vendor trust and workflow access depend on least-privilege authorisation.
NIST Zero Trust (SP 800-207) | PL-4 | Zero trust requires contextual validation before external requests trigger business action.
OWASP Non-Human Identity Top 10 | NHI-05 | Compromised vendor accounts and trust abuse align with non-human identity governance gaps.

Treat external vendor requests as untrusted until context, identity, and approval are independently verified.


Key terms

  • Vendor Email Compromise: Vendor email compromise is a fraud pattern where attackers abuse or imitate external business relationships to trick employees into paying invoices, changing banking details, or sharing sensitive information. The core weakness is trust in routine business correspondence, not a technical flaw in email alone.
  • Billing Account Update Fraud: Billing account update fraud is a pretext in which an attacker asks a target to change the bank account or routing details used for vendor payments. It often requires stronger credibility than a fake invoice because the request redirects future money movement, making it a high-risk authorisation event.
  • RFQ Fraud: RFQ fraud is a social engineering pattern where an attacker poses as a prospective customer requesting a quote, pricing, or product details. It exploits teams that are incentivised to respond quickly to new inbound business, turning sales responsiveness into a control weakness.
  • Workflow Identity Signal: A workflow identity signal is any business context that helps determine whether a request belongs in a given process, such as sender history, request type, vendor relationship, or expected timing. Security teams use these signals to decide whether an action should be trusted, delayed, or independently verified.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: Key insights from the 2026 Attack Landscape Report on vendor email compromise. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org