
Vendor email compromise and reporting gaps: what teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Vendor email compromise can drive stronger repeat engagement than business email compromise in some regions, according to Abnormal AI's research across 1,400+ organisations, while only 1.46% of read advanced email attacks are reported, leaving mid-market firms with up to 1,680 unreported attacks monthly. The practical issue is not just user susceptibility but the governance gap between detection, reporting, and response.

NHIMG editorial — based on content published by Abnormal AI: Key insights on vendor email compromise engagement and reporting gaps

By the numbers:

  • North American employees repeat-engage with VEC at 7.42% vs. 2.69% for BEC, signaling weak vendor verification and awareness training gaps.

Questions worth separating out

Q: How should security teams reduce vendor email compromise in routine business workflows?

A: They should add verification steps before action, not after the message is received.

Q: Why do employees keep engaging with vendor impersonation attacks?

A: Employees often trust the request because it fits a real workflow and arrives from a familiar business context.

Q: How do security teams know whether reporting controls are actually working?

A: They should track how many suspicious messages are reported, how quickly they reach triage, and whether reports produce containment actions such as mailbox hunting or alert suppression.

Practitioner guidance

  • Segment vendor-facing workflows by risk. Map which teams regularly receive external requests for payment, account changes, document exchange, or access updates, then add verification steps before those requests can be actioned.
  • Make reporting the default response path. Embed one-click reporting and clear escalation prompts in mail clients so employees can flag suspicious vendor messages without hesitation.
  • Train for vendor impersonation, not generic phishing. Use examples that reflect real supplier, invoice, and account-update workflows in each region, then test whether employees can distinguish legitimate partner messages from lookalikes.

What's in the full report

Abnormal AI's full report covers the operational detail this post intentionally leaves for the source:

  • Regional breakdowns of VEC and BEC engagement rates across North America, EMEA, and APAC.
  • Detailed discussion of the behavioural barriers behind non-reporting, including bystander effect and fear of false alarms.
  • The underlying methodology behind the 1,400+ organisation sample and how the team interpreted post-read interactions.
  • Additional examples of how vendor impersonation blends into routine business workflows.

👉 Read Abnormal AI's analysis of vendor email compromise engagement and reporting gaps →

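The guidance above asks for verification before a vendor request is actioned and for staff who can tell a partner's real domain from a lookalike. The block below is an added example of what such a pre-action gate can look like; it is not code from the NHIMG post or from Abnormal AI's report. It assumes a vendor-of-record registry maintained by procurement (domain verified at onboarding plus a callback number on file) and a mail hook that hands the gate a parsed message. The registry, the request patterns, the lookalike heuristics and the sample messages are all constructed for illustration. Note the design choice that matters for VEC specifically: a request sent from a vendor's genuine but compromised mailbox passes every domain check, so the high-risk content of the request, not the sender's reputation, is what triggers an out-of-band callback to the number on file rather than any number in the message.

```python
"""Pre-action verification gate for vendor-originated email requests.

Added example, not code from the NHIMG post or Abnormal AI's report. It assumes
a vendor-of-record registry kept by procurement and a mail hook that hands the
gate a parsed message; the registry, the request patterns and the sample
messages below are constructed for illustration.
"""
import re
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed vendor-of-record registry (assumption): the domain verified at
# onboarding and the callback number procurement holds on file.
VENDOR_REGISTRY = {
    "acme-supplies.example": {"name": "Acme Supplies", "callback": "+1-555-0100"},
    "northwind.example": {"name": "Northwind Traders", "callback": "+1-555-0101"},
}

# Requests that move money or change access. Constructed patterns; tune per team.
HIGH_RISK_PATTERNS = {
    "payment_change": re.compile(
        r"\b(new|updated?|change[ds]?)\b.*\b(bank|account|iban|routing|remittance)\b", re.I | re.S),
    "invoice_payment": re.compile(
        r"\b(invoice|payment)\b.*\b(overdue|urgent|today|asap|wire)\b", re.I | re.S),
    "access_update": re.compile(
        r"\b(add|grant|reset|enable)\b.*\b(access|account|login|credentials?|mfa)\b", re.I | re.S),
}


@dataclass
class Message:
    from_addr: str
    subject: str
    body: str
    reply_to: Optional[str] = None


@dataclass
class Verdict:
    action: str                      # "proceed" | "verify_out_of_band" | "report"
    request_types: List[str]
    domain_status: str               # "registered" | "lookalike" | "unknown"
    matched_vendor: Optional[str]
    reasons: List[str] = field(default_factory=list)


def domain_of(addr: str) -> str:
    """Sender domain from 'user@host' or 'Name <user@host>'."""
    return addr.split("@")[-1].strip("> ").lower()


def registrable_label(domain: str) -> str:
    """Label just below the TLD, e.g. 'acme-supplies' for acme-supplies.example."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize_label(label: str) -> str:
    """Collapse common lookalike tricks: Unicode confusables via NFKC, digit-for-letter
    swaps, and 'rn' for 'm' / 'vv' for 'w'. Applied to both sides of every comparison,
    so a legitimate domain containing 'rn' still matches itself."""
    s = unicodedata.normalize("NFKC", label).lower()
    s = s.replace("rn", "m").replace("vv", "w")
    return s.translate(str.maketrans("0135", "oles"))


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small labels are close to everything, so the threshold
    below is deliberately tight."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> Tuple[str, Optional[str]]:
    """Exact registry hit -> registered; near miss or embedded vendor name -> lookalike."""
    domain = domain.lower()
    if domain in VENDOR_REGISTRY:
        return "registered", domain
    sld = normalize_label(registrable_label(domain))
    for known in VENDOR_REGISTRY:
        known_sld = normalize_label(registrable_label(known))
        if sld == known_sld or levenshtein(sld, known_sld) <= 2 or known_sld in sld:
            return "lookalike", known
    return "unknown", None


def gate(msg: Message) -> Verdict:
    """Decide whether a vendor message may be actioned, must be verified out of band,
    or should go straight to the reporting path."""
    text = f"{msg.subject}\n{msg.body}"
    request_types = [name for name, pat in HIGH_RISK_PATTERNS.items() if pat.search(text)]
    from_dom = domain_of(msg.from_addr)
    status, vendor = classify_domain(from_dom)
    reasons: List[str] = []
    if msg.reply_to:
        reply_dom = domain_of(msg.reply_to)
        if reply_dom != from_dom:
            reasons.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
        reply_status, reply_vendor = classify_domain(reply_dom)
        if reply_status == "lookalike":
            status, vendor = "lookalike", reply_vendor
    if status == "lookalike":
        reasons.append(f"sender or reply-to domain resembles vendor of record {vendor}")
        return Verdict("report", request_types, status, vendor, reasons)
    if request_types or reasons:
        if status == "registered":
            rec = VENDOR_REGISTRY[vendor]
            # A compromised real vendor mailbox looks identical here, so the callback
            # goes to the number procurement holds, never to one taken from the message.
            reasons.append(f"call {rec['name']} on the number on file ({rec['callback']})")
        else:
            reasons.append("no vendor of record for this domain; route to procurement")
        return Verdict("verify_out_of_band", request_types, status, vendor, reasons)
    return Verdict("proceed", request_types, status, vendor, reasons)


# Constructed sample messages (assumption): routine invoice, bank-detail change from
# the real vendor domain, a lookalike domain, and an unknown party asking for access.
SAMPLES = [
    Message("billing@acme-supplies.example", "Invoice 4471 for March",
            "Please find attached our invoice for March services."),
    Message("ar@acme-supplies.example", "Updated remittance details",
            "Hi, we have changed our bank account. Please send payment for the overdue "
            "invoice to the new IBAN below."),
    Message("ar@acrne-supplies.example", "Urgent: overdue invoice",
            "Please wire payment today to avoid service suspension."),
    Message("onboarding@unknown-corp.example", "Portal access",
            "Please grant access to our account manager's login."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = gate(m)
        print(f"{m.from_addr:36} {v.action:18} {v.request_types} {v.reasons}")
```

Run as-is to see the four verdicts: the routine invoice proceeds, the bank-detail change from the genuine vendor domain is held for a callback to the number on file, the `acrne-supplies` lookalike is routed to reporting, and the unknown domain's access request goes to procurement. The edit-distance threshold of 2 and the substring check are heuristics; short vendor names will need a tighter threshold or an explicit allowlist, and none of this replaces the callback itself.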



   
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Vendor impersonation is a governance problem, not just a phishing problem. The article shows that employees do not respond to all trusted identities the same way, which means vendor-originated requests sit inside a weaker verification regime than internal identity traffic. That is not a mail-filtering issue alone. It is a failure to treat external business identity as an access path that requires the same scrutiny as any other privileged workflow.

A few things that frame the scale:

A question worth separating out:

Q: What is the difference between BEC and VEC for governance teams?

A: BEC abuses an internal identity such as a colleague or executive, while VEC abuses a trusted external party such as a supplier or service provider. Governance teams must verify both, but VEC often slips through because operational staff are conditioned to treat vendors as routine business partners rather than as identity risks.

👉 Read our full editorial: Vendor email compromise exposes reporting gaps across regions



   