Vendor email compromise: what IAM and finance teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Vendor email compromise makes up a major share of BEC, with 61% of attacks impersonating external third parties and 87.5% of high-risk VEC using impersonation, according to Abnormal AI's 2026 Attack Landscape Report. The lesson is that workflow-aware verification, not executive-focused filtering, is now the deciding control.

NHIMG editorial — based on content published by Abnormal AI: Key insights from the 2026 Attack Landscape Report on vendor email compromise

By the numbers:

Questions worth separating out

Q: How should organisations verify vendor payment changes without creating too much friction?

A: Use a separate confirmation path for bank detail changes, payee updates, and payment redirects.

Q: Why do vendor impersonation attacks work even when email security is in place?

A: Because the attacker is often matching a real business workflow, not trying to defeat mailbox security alone.

Q: What do security teams get wrong about sales-facing fraud risk?

A: They often focus on phishing training for executives while missing that sales teams are optimized to respond quickly to unfamiliar external requests.

Practitioner guidance

  • Separate vendor change requests from routine invoice handling: require independent verification for bank-detail changes, payment redirects, and new payee setup.
  • Tune controls by business role and workflow: apply stricter review paths for finance, procurement, and sales intake because each faces a different pretext mix.
  • Block trust transfer from external identity to internal action: make sure a familiar sender, historical thread, or professional-looking invoice cannot by itself authorise a payment or data disclosure.

What's in the full article

Abnormal AI's full research covers the operational detail this post intentionally leaves for the source:

  • The full breakdown of invoice inquiry, billing account update, payment inquiry, and RFQ fraud patterns by sector.
  • The underlying dataset logic for why some pretexts rely on impersonation while others more often require a compromised vendor account.
  • Industry and role-by-role exposure patterns that help finance, procurement, sales, and government teams tune controls.
  • The article's broader 2026 Attack Landscape Report context, including how vendor relationships shape the BEC attack surface.

👉 Read Abnormal AI's analysis of vendor email compromise and BEC exposure →

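As an added example (not code from the post or from Abnormal AI's report), the following gate models the guidance above: high-risk vendor changes leave the routine invoice path, a familiar sender or existing thread never counts as verification, and approval needs a callback on the number already held in the vendor record plus two approvers. The vendor record fields, domain names and approver ids are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed vendor master record. These fields are captured at onboarding
# and are never updated from the contents of an inbound email.
@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    email_domain: str      # domain agreed at onboarding
    callback_phone: str    # confirmation number held on file

@dataclass(frozen=True)
class ChangeRequest:
    vendor_id: str
    sender_domain: str
    reply_to_domain: str
    in_existing_thread: bool          # recorded, but deliberately not a trust signal
    change_type: str                  # "bank_details", "payee", "payment_redirect", "invoice_query", ...
    callback_confirmed: bool = False  # confirmed on the number from the vendor record, not from the email
    approvers: frozenset = frozenset()

# Change types the guidance says must leave the routine invoice path.
HIGH_RISK_CHANGES = {"bank_details", "payee", "payment_redirect"}

def evaluate(req: ChangeRequest, vendor: VendorRecord) -> tuple[str, list[str]]:
    """Return (decision, reasons) for a vendor change request.

    decision is "routine", "approve", "hold" (verification outstanding) or
    "escalate" (impersonation indicators present). No email-derived signal,
    including membership of a familiar thread, satisfies the requirements.
    """
    if req.change_type not in HIGH_RISK_CHANGES:
        return "routine", []

    indicators: list[str] = []
    if req.sender_domain != vendor.email_domain:
        indicators.append(f"sender domain {req.sender_domain!r} is not registered {vendor.email_domain!r}")
    if req.reply_to_domain != req.sender_domain:
        indicators.append(f"reply-to domain {req.reply_to_domain!r} diverges from sender")

    # A compromised vendor mailbox shows no indicators above, so the
    # out-of-band controls apply regardless of how genuine the mail looks.
    outstanding: list[str] = []
    if not req.callback_confirmed:
        outstanding.append(f"no callback confirmation via {vendor.callback_phone} on file")
    if len(req.approvers) < 2:
        outstanding.append("dual approval not met")

    if indicators:
        return "escalate", indicators + outstanding
    if outstanding:
        return "hold", outstanding
    return "approve", []
```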



(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Vendor email compromise is a workflow identity problem, not just a phishing problem. The article shows that attackers succeed by matching the identity expectations embedded in billing, procurement, and sales processes. That means the real control gap is not only message inspection, but whether the business can prove that a request belongs in that workflow at that moment. Practitioners should treat external email as a business identity assertion that must be validated against context, not assumed because it looks routine.

A few things that frame the scale:

  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control.

A question worth separating out:

Q: Who should own controls for vendor email compromise?

A: Finance, procurement, sales, and identity security should share ownership, because the attack crosses process and control boundaries. Finance owns payment changes, sales owns lead intake, procurement owns supplier validation, and identity teams should provide the verification model and exception handling.

👉 Read our full editorial: Vendor email compromise shows why workflow-aware fraud controls matter


