
Vendor email compromise: are your email controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Vendor email compromise drove 44% employee engagement overall and 72% in enterprises with more than 50,000 staff, while only 1.46% of attacks were reported and 7.3% of engagements came from repeat victims, according to Abnormal AI’s VEC threat report. Legacy email security misses the trust layer, which is now the real control boundary.

NHIMG editorial — based on content published by Abnormal AI: Vendor Email Compromise threat report

By the numbers:

Questions worth separating out

Q: What breaks when vendor email compromise is treated as ordinary phishing?

A: Traditional phishing controls focus on malicious links, attachments, and obvious spoofing, but vendor email compromise often uses trusted accounts, real conversation patterns, and business context.

Q: Why do vendor relationships increase the risk of payment fraud and data exposure?

A: Vendor relationships create standing trust across finance, operations, and procurement, so employees are conditioned to respond quickly.

Q: How can security teams measure whether VEC controls are actually working?

A: Look for fewer successful interactions with suspicious vendor requests, lower repeat engagement by the same users, and faster escalation from employees who are unsure about a message.

Practitioner guidance

  • Add trust checks to vendor-facing workflows: Require a second verification step for invoice changes, payment detail updates, and high-risk vendor requests before any action is taken.
  • Use behavioural signals for vendor communications: Correlate sender history, cadence changes, device patterns, and authentication metadata so that a legitimate-looking email can still be flagged when the relationship deviates.
  • Target high-response roles with process controls: Prioritise finance, sales, account management, and project coordination teams for tighter approval gates because these groups are most likely to act quickly on vendor messages.

What's in the full article

Abnormal AI's full research covers the operational detail this post intentionally leaves for the source:

  • The full survey methodology behind the 1,400-organisation dataset and how engagement was measured.
  • Sector and role breakdowns that show where vendor email compromise is most likely to succeed.
  • Examples of invoice fraud, billing update scams, and payment fraud patterns drawn from real campaigns.
  • The vendor-behaviour detection logic used to flag cadence changes, login anomalies, and transaction deviations.

👉 Read Abnormal AI's report on vendor email compromise and trust abuse →
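An added example (not from this post or from Abnormal AI's report) of the two practitioner points above, trust checks on payment changes and relationship-deviation signals, as a small Python triage routine. The per-vendor baseline, the message fields and the sample values are constructed for illustration; the field names are assumptions, not any product's schema.

```python
"""Vendor-relationship triage: hold risky vendor mail for out-of-band checks."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorBaseline:
    """What 'normal' looks like for one vendor relationship (constructed fields)."""
    domain: str
    known_senders: frozenset     # mailboxes on the vendor domain seen before
    known_clients: frozenset     # mail-client / device fingerprints seen before
    median_gap_days: float       # typical days between the vendor's messages
    auth_expected: str           # usual DMARC outcome for this vendor


@dataclass(frozen=True)
class Message:
    sender: str
    client_fingerprint: str
    days_since_last: float
    dmarc_result: str
    requests_payment_change: bool   # invoice / bank-detail update in the body


def deviation_signals(msg: Message, base: VendorBaseline) -> list[str]:
    """List the ways this message departs from the vendor's established pattern."""
    signals = []
    if msg.sender.rsplit("@", 1)[-1].lower() != base.domain:
        signals.append("sender-domain-mismatch")
    elif msg.sender.lower() not in base.known_senders:
        signals.append("new-mailbox-on-vendor-domain")
    if msg.client_fingerprint not in base.known_clients:
        signals.append("unseen-client-fingerprint")
    if msg.days_since_last < base.median_gap_days / 4:
        signals.append("cadence-burst")
    if msg.dmarc_result != base.auth_expected:
        signals.append("auth-weaker-than-baseline")
    return signals


def triage(msg: Message, base: VendorBaseline) -> tuple[str, list[str]]:
    """'hold' routes the mail to a second, out-of-band verification step.
    Payment-detail changes are always held, even when DMARC passes; other mail
    is held when two or more relationship deviations line up."""
    signals = deviation_signals(msg, base)
    if msg.requests_payment_change or len(signals) >= 2:
        return "hold", signals
    return "deliver", signals


# Constructed sample data: one vendor baseline and two inbound messages.
ACME = VendorBaseline("acme-supplies.example", frozenset({"ap@acme-supplies.example"}),
                      frozenset({"outlook-desktop/16"}), 14.0, "pass")
ROUTINE = Message("ap@acme-supplies.example", "outlook-desktop/16", 13.0, "pass", False)
SUSPECT = Message("accounts.team@acme-supplies.example", "webmail/unknown", 2.0, "pass", True)
```

Note that SUSPECT passes DMARC and comes from the real vendor domain, yet is still held: the new mailbox, unseen client and cadence burst are the relationship deviating, which is the trust layer the post describes.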

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Vendor email compromise is a trust problem disguised as an email problem. The report shows that authenticated mail can still be malicious when the business relationship is the real target. That means the control boundary is not the message header, but the trust assumption behind the workflow. Practitioners should treat vendor identity as a governed relationship, not a sender string.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%, according to the same survey.

A question worth separating out:

Q: Who should own vendor trust governance when email, finance, and IAM intersect?

A: Accountability should sit across security, finance, procurement, and IAM, with clear ownership for vendor verification, payment changes, and escalation handling. If each team assumes another owns the decision, VEC attackers exploit the gap. The governing principle is simple: the workflow owner must validate the business relationship before any high-risk action proceeds.

👉 Read our full editorial: Vendor email compromise exposes the limits of legacy email security
