
Agency email fraud and vendor compromise: what defenders are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Government agencies face a 40.8% billing update fraud rate in vendor email compromise, as Abnormal AI’s analysis of nearly 800,000 attacks across 4,600+ organizations shows. IT staff and executives are hit with impersonation lures tailored to their daily workflows, and the lesson is that email defense now has to model organisational context and role-specific behaviour, not just block bad domains.

NHIMG editorial — based on content published by Abnormal AI: 2026 Attack Landscape Report findings on federal email fraud

By the numbers:

Questions worth separating out

Q: How should agencies handle vendor payment changes that arrive by email?

A: Treat every vendor banking change as a high-risk identity event, not a routine administrative request.

Q: Why do executive impersonation scams work so well in large organisations?

A: They succeed because recipients often lack direct, frequent contact with leadership and have to infer legitimacy from the message itself.

Q: What breaks when helpdesk-style impersonation targets IT staff?

A: The attack works when support workflows are so routine that a fake reset or enrolment request looks operational.

Practitioner guidance

  • Separate payment-change approvals from email instructions: Require a second, independent channel for vendor banking updates, especially where grant payments, procurement, or reimbursement workflows are involved.
  • Harden executive request verification: Create a specific verification path for instructions that claim to come from senior leaders, political offices, or other high-authority roles.
  • Add workflow-specific detection rules: Tune monitoring for credential-reset prompts, MFA re-enrolment messages, access provisioning requests, and document-sharing lures so they are judged against the recipient’s role and normal transaction patterns.

What's in the full report

Abnormal AI’s full report covers the operational detail this post intentionally leaves for the source:

  • Attack-by-attack breakdowns of phishing, BEC, vendor compromise, and impersonation across the July to December 2025 observation window
  • Role-level examples showing which business functions were most exposed to each lure type and why
  • The underlying reporting methodology behind nearly 800,000 attacks spanning 4,600+ organisations
  • The full federal case examples, including the HHS payment diversion and NASA impersonation patterns

👉 Read Abnormal AI’s 2026 Attack Landscape Report on federal email fraud →


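The three controls in the practitioner guidance (out-of-band verification for vendor banking changes, a separate verification path for leadership requests, and role-aware rules for helpdesk-shaped lures) can be expressed as one triage step that a mail gateway or SIEM enrichment job runs per message. The block below is an added example written for this editorial; it is not code from Abnormal AI or from the report. The agency domain, the approved vendor list, the leadership names, the scoring weights and the five sample messages are all constructed assumptions; the point is that the same text produces a different verdict depending on who receives it and where it came from.

```python
# Added example: role-aware triage of inbound mail. Context, rules, weights and samples are constructed.
import re
from dataclasses import dataclass

# Assumed organisational context a gateway or SIEM enrichment step would supply (not report data).
INTERNAL_DOMAIN = "agency.example"
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example"}      # approved vendor sending domains
EXEC_DISPLAY_NAMES = {"jane director", "tom chief"}   # leadership names worth impersonating
ROLES_THAT_MOVE_MONEY = {"finance", "procurement", "grants"}
ROLES_THAT_RUN_HELPDESK = {"it", "helpdesk"}

# Lure shapes from the guidance: banking changes, helpdesk and MFA prompts, urgency pressure.
BANK_CHANGE = re.compile(
    r"\b(new|updated|changed|replace)\w*\b.{0,60}?\b(bank|account|routing|ach|remit\w*|wire)\b", re.I | re.S)
HELPDESK_LURE = re.compile(
    r"\b(reset (your )?password|password reset|re-?enrol\w*|mfa|authenticator|provision\w*|access request)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|confidential|action required)\b", re.I)

@dataclass
class Message:
    msg_id: str
    from_name: str       # display name as the mail client renders it
    from_addr: str
    reply_to: str        # "" when the header is absent
    recipient_role: str  # from the directory: "finance", "it", "exec_assistant", ...
    subject: str
    body: str
    auth_aligned: bool   # assumed gateway output: SPF/DKIM/DMARC aligned with from_addr

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def one_edit_apart(a: str, b: str) -> bool:
    """True when b is a with one character inserted, deleted or substituted (typosquat check)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    a, b = sorted((a, b), key=len)  # a is now the shorter (or equal-length) string
    for i in range(len(a)):
        if a[i] != b[i]:  # skip one position: both strings for a substitution, b only for an insertion
            return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]
    return True  # only a trailing character differs

def triage(m: Message) -> dict:
    """Score one message against the recipient's role; return the reasons and a routing action."""
    sender_domain = domain(m.from_addr)
    reply_domain = domain(m.reply_to) if m.reply_to else sender_domain
    external = sender_domain != INTERNAL_DOMAIN
    text = f"{m.subject}\n{m.body}"
    hits = []  # (reason, weight); weights are a starting point to tune, not figures from the report

    # Header-level signals. SPF/DKIM passing on the attacker's own domain is normal,
    # so alignment is one signal among several and never a pass on its own.
    if not m.auth_aligned:
        hits.append(("auth_not_aligned", 3))
    if reply_domain != sender_domain:
        hits.append(("reply_to_mismatch", 3))
    if URGENCY.search(text):
        hits.append(("urgency_language", 2))
    # Control 1: a banking-detail change reaching a payment role is high risk on its own;
    # an unapproved or look-alike vendor domain makes it worse.
    if m.recipient_role in ROLES_THAT_MOVE_MONEY and BANK_CHANGE.search(text):
        hits.append(("vendor_banking_change", 5))
        if sender_domain not in KNOWN_VENDOR_DOMAINS:
            typo = any(one_edit_apart(sender_domain, v) for v in KNOWN_VENDOR_DOMAINS)
            hits.append(("lookalike_vendor_domain" if typo else "unapproved_vendor_domain", 4))
    # Control 2: a leadership display name whose mail did not originate inside the agency.
    if m.from_name.strip().lower() in EXEC_DISPLAY_NAMES and (external or reply_domain != sender_domain):
        hits.append(("exec_name_from_outside", 6))
    # Control 3: helpdesk-shaped requests judged by who receives them and where they come from.
    if m.recipient_role in ROLES_THAT_RUN_HELPDESK and external and HELPDESK_LURE.search(text):
        hits.append(("external_helpdesk_lure", 5))

    reasons, score = [r for r, _ in hits], sum(w for _, w in hits)
    if "vendor_banking_change" in reasons:
        action = "hold_for_out_of_band_verification"  # never act on the email alone
    elif "exec_name_from_outside" in reasons:
        action = "route_to_executive_verification"
    else:
        action = "quarantine" if score >= 5 else "release"
    return {"msg_id": m.msg_id, "score": score, "reasons": reasons, "action": action}

def triage_all(messages) -> dict:
    return {r["msg_id"]: r for r in map(triage, messages)}

# Constructed samples: benign invoice, payment diversion, leadership pretext, MFA lure, genuine IT notice.
SAMPLES = [
    Message("m1", "Accounts Receivable", "ar@acme-supplies.example", "", "finance",
            "Invoice 4471", "Invoice attached; payment due in 30 days to the account on file.", True),
    Message("m2", "Accounts Receivable", "ar@acme-suppl1es.example", "", "finance",
            "Bank details", "Our bank has changed. Updated routing number attached; remit to the new account.", True),
    Message("m3", "Jane Director", "jane.director.office@webmail.example", "", "exec_assistant",
            "Quick favour", "I need you to handle something confidential today. Reply to this email only.", True),
    Message("m4", "IT Service Desk", "notice@support-portal.example", "", "it",
            "Action required: MFA re-enrolment", "Your authenticator enrolment expires. Re-enrol via the link.", True),
    Message("m5", "IT Service Desk", "helpdesk@agency.example", "", "it",
            "Scheduled password reset", "Reset your password after Tuesday's maintenance window.", True),
]
```

Running `triage_all(SAMPLES)` holds m2 for out-of-band verification (banking change from a one-character look-alike of the approved vendor domain), routes m3 to the executive verification path, quarantines m4, and releases m1 and m5 even though m5 contains the same "reset your password" wording as a lure, because it arrives from inside the agency to the team that sends such notices. The hold action is only useful if the verification step calls the number already on file for the vendor, never a number taken from the message, and the reasons list is meant to be shipped to the SIEM so the role-level exposure the report describes can be measured rather than guessed.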



(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8453
 

Role-specific impersonation is now an identity governance problem, not just an email problem. The report shows that procurement, IT, and executive audiences are targeted with different pretexts because each role sits inside a different trust model. That means the control gap is not a single filter failure, but a mismatch between identity governance and the way authority is actually exercised in email-driven workflows. Practitioners should treat the inbox as part of the identity plane, not a separate security domain.

A few things that frame the scale:

  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
  • Secret leakage is still slow to remediate, with an average of 27 days to fix a leaked secret even though 75% of organisations express strong confidence in their secrets management capabilities.

A question worth separating out:

Q: Who should be accountable when a compromised vendor account diverts payments?

A: Accountability should sit with the business owner of the payment workflow, the identity team that controls privileged changes, and the vendor-management function that approved the relationship. If one compromised mailbox can authorise payment movement, the governance model is too loose and needs separation of duties.

👉 Read our full editorial: Federal email fraud is adapting to agency workflows and hierarchies


