TL;DR: Up to 44% of vendor email compromise messages trigger a reply or forward, with engagement climbing higher in the largest enterprises, according to Abnormal AI, underscoring how routine-looking social engineering still bypasses human judgment and reporting discipline. The practical issue is not awareness alone but whether identity, process, and detection controls can interrupt action before trust turns into exposure.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- Up to 44% of VEC messages trigger a reply or forward.
Questions worth separating out
A: Use layered controls that verify requests outside the inbox, especially for payments, bank changes, and access-related actions.
Q: Why are vendor email compromise attacks so effective in large enterprises?
A: Large enterprises create more complex trust relationships, more frequent vendor contact, and more distributed approval paths.
Practitioner guidance
- **Add out-of-band verification for money-moving requests.** Require a second-channel confirmation before approving bank detail changes, urgent transfers, or invoice exceptions, and make the approver use a verified contact path rather than the reply thread.
- **Treat vendor contact changes as identity events.** Route any supplier bank, email, or payment-change request through a controlled verification workflow that validates the requester against an independently maintained vendor record.
- **Correlate inbox signals with human behaviour.** Combine sender reputation, message intent, recipient role, and actions such as reply or forward so suspicious messages can be stopped before they become a business process step.
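As an added illustration (not code from Abnormal AI or NHIMG) of the three controls above in one workflow: a money-moving vendor request is checked against an independently maintained vendor record, held until confirmed over a verified contact path rather than the reply thread, and the recipient's reply or forward is recorded as a signal rather than treated as routine mail activity. Vendor names, domains, roles and intent labels are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed vendor master record, maintained independently of the mailbox
# (placeholder values, not real vendor data).
VENDOR_MASTER = {
    "acme-supplies": {"domain": "acme-supplies.example",
                      "verified_phone": "+00 000 000 0001"},
}
MONEY_MOVING = {"bank_change", "urgent_transfer", "invoice_exception"}
APPROVER_ROLES = {"accounts_payable", "finance", "procurement"}
ENGAGEMENT = {"reply", "forward"}  # recipient actions treated as security events

@dataclass
class Request:
    vendor_id: str
    sender_domain: str
    intent: str            # classified message intent, e.g. "bank_change"
    recipient_role: str    # e.g. "accounts_payable"
    recipient_action: str  # "none", "reply" or "forward"
    oob_confirmed: bool = False  # confirmed via verified_phone, not the thread

def assess(req: Request) -> tuple[str, list[str]]:
    """Decide allow / hold / block for a vendor request and list the reasons."""
    record = VENDOR_MASTER.get(req.vendor_id)
    if record is None:
        return "block", ["requester not in vendor master"]
    if req.intent not in MONEY_MOVING:
        return "allow", ["no money-moving intent"]
    reasons = []
    if req.recipient_role in APPROVER_ROLES:
        reasons.append("money-moving request reached an approver role")
    if req.recipient_action in ENGAGEMENT:
        reasons.append(f"recipient already took action: {req.recipient_action}")
    # Identity check first: the sender must match the independent record.
    if req.sender_domain != record["domain"]:
        return "block", reasons + ["sender domain differs from vendor master"]
    # Process check: hold until confirmed over the verified contact path.
    if not req.oob_confirmed:
        return "hold", reasons + [f"awaiting confirmation via {record['verified_phone']}"]
    return "allow", reasons + ["out-of-band confirmation recorded"]

def engagement_rate(requests: list[Request]) -> float:
    """Share of money-moving requests that drew a reply or forward."""
    money = [r for r in requests if r.intent in MONEY_MOVING]
    if not money:
        return 0.0
    return sum(r.recipient_action in ENGAGEMENT for r in money) / len(money)
```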
What to expect at the briefing
Abnormal AI's full on-demand webinar covers the operational detail this post intentionally leaves for the source:
- Industry and role breakdowns showing where BEC and VEC engagement is highest.
- Practical examples of vendor verification and behaviour-based detection in live workflows.
- Attacker tactic evolution over time, including how messages are adapted to bypass user suspicion.
- ISC2 CPE eligibility details for teams that need continuing-education credit.
👉 Watch Abnormal AI's on-demand webinar on BEC and VEC engagement risk →
BEC and VEC engagement rates: what IAM teams need to know
Explore further
Human trust is the primary control surface in BEC and VEC, not the mailbox alone. These attacks succeed when recipients are able to take low-friction action without a second verification step. That means identity programmes must treat reply, forward, and approval behaviour as security-relevant events, not just communications activity. The practitioner conclusion is straightforward: if a message can drive action, it can drive compromise.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%, according to the same research.
A question worth separating out:
Q: Who is accountable when a phishing or vendor impersonation email causes fraud?
A: Accountability is shared across security, finance, procurement, and process owners because the failure usually sits in the workflow design, not one isolated user decision. Frameworks such as NIST CSF are useful here because they push teams to map protective controls to business processes, not just endpoints.
👉 Read our full editorial: Human trust still powers BEC and VEC engagement at scale