TL;DR: Vendor email compromise reaches employees at a 44% rate, third-party involvement in breaches doubled in 2024, and vendor fraud drove more than $51B in reported losses from 2013 to 2022, according to Abnormal AI and Verizon’s 2025 DBIR. The governance gap is not alert volume, it is weak visibility into vendor relationships and the trust assumptions built into business communications.
NHIMG editorial — based on content published by Abnormal AI: LLMjacking: How Attackers Hijack AI Using Compromised NHIs
By the numbers:
- Vendor fraud contributed to more than $51B in reported losses between 2013 and 2022.
- Abnormal prevented $349M in vendor fraud losses for customers in 2023 and stopped a single $36M invoice fraud attempt.
Questions worth separating out
Q: How should security teams handle vendor email compromise in enterprise environments?
A: Security teams should treat vendor email compromise as a trust and lifecycle problem, not only a phishing problem.
Q: Why does vendor fraud remain so effective even when email security is mature?
A: Vendor fraud remains effective because it exploits legitimate business context rather than obvious malicious content.
Q: What breaks when organisations rely on static vendor lists for fraud prevention?
A: Static vendor lists break down because they cannot reflect changing contacts, domains, countries, and interaction patterns.
Practitioner guidance
- Map active vendor relationships continuously. Build an always-updated inventory of vendors that actually interact with employees, including contacts, domains, countries, and recurring communication paths.
- Bind approvals to vendor behaviour signals. Require additional verification when vendor sender patterns, payment language, recipient lists, or IP geography change unexpectedly.
- Review third-party escalation paths. Identify where vendor messages can trigger payment, procurement, or access changes without a second control.
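The three guidance items above describe a single control: keep a living profile of how each vendor actually communicates, compare every inbound vendor message against it, and route anything that asks to move money while also deviating from the pattern to out-of-band verification rather than straight to payment. The Python below is an added example written for this editorial, not VendorBase or any Abnormal AI code. The profile schema, the payment-language regex, the hold/review thresholds, and the sample vendor and messages are all constructed assumptions; the point is the shape of the check, not the specific phrases.

```python
"""Vendor-behaviour gating (added example, not VendorBase or Abnormal AI code).

Assumes a vendor inventory with the fields the guidance names (contacts, domains,
countries, recipients). Schema, regex, thresholds and sample data are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed list of phrases that commonly accompany a request to change where money goes.
PAYMENT_LANGUAGE = re.compile(
    r"\b(new bank|bank details|updated (?:bank|account|wire)|remit(?:tance)? to|"
    r"routing number|iban|swift|wire instructions)\b",
    re.IGNORECASE,
)


@dataclass
class VendorProfile:
    """One entry in a continuously maintained vendor inventory (constructed schema)."""
    name: str
    domains: set[str]
    contacts: set[str]
    countries: set[str]     # source geographies seen on previously verified mail
    recipients: set[str]    # internal mailboxes this vendor normally writes to


@dataclass
class Message:
    sender: str
    recipients: list[str]
    source_country: str     # geolocation of the sending IP as the gateway records it
    body: str


def _edit_distance_le1(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def signals(profile: VendorProfile, msg: Message) -> list[str]:
    """Return the behaviour deviations between a message and the vendor's profile."""
    found: list[str] = []
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain not in profile.domains:
        found.append("unknown_domain")
        if any(_edit_distance_le1(domain, d) for d in profile.domains):
            found.append("lookalike_domain")
    if msg.sender.lower() not in profile.contacts:
        found.append("new_contact")
    if msg.source_country not in profile.countries:
        found.append("new_geography")
    if {r.lower() for r in msg.recipients} - profile.recipients:
        found.append("new_recipients")
    if PAYMENT_LANGUAGE.search(msg.body):
        found.append("payment_language")
    return found


def decide(profile: VendorProfile, msg: Message) -> tuple[str, list[str]]:
    """Map signals to a handling decision.

    allow  : matches the established pattern and asks for no payment change
    review : the pattern changed, but nothing asks to move money
    hold   : payment language together with any behavioural change, or a lookalike
             domain; release only after confirmation with a known contact, out of band
    """
    found = signals(profile, msg)
    deviations = [s for s in found if s != "payment_language"]
    if "lookalike_domain" in found or ("payment_language" in found and deviations):
        return "hold", found
    if deviations:
        return "review", found
    return "allow", found


def record_verified(profile: VendorProfile, msg: Message) -> None:
    """Fold a message confirmed out of band into the profile, so the inventory
    follows the relationship as it genuinely changes instead of staying static."""
    profile.domains.add(msg.sender.rsplit("@", 1)[-1].lower())
    profile.contacts.add(msg.sender.lower())
    profile.countries.add(msg.source_country)
    profile.recipients.update(r.lower() for r in msg.recipients)


# Constructed sample data: one vendor profile and three inbound messages.
ACME = VendorProfile(
    name="Acme Supplies (constructed)",
    domains={"acme-supplies.example"},
    contacts={"billing@acme-supplies.example"},
    countries={"US"},
    recipients={"ap@corp.example"},
)
ROUTINE = Message("billing@acme-supplies.example", ["ap@corp.example"], "US",
                  "Attached is invoice 1042 for March services.")
BANK_CHANGE = Message("billing@acme-supplies.example", ["ap@corp.example"], "NG",
                      "We have changed banks. Please remit to the new IBAN below.")
LOOKALIKE = Message("finance@acme-supp1ies.example",
                    ["ap@corp.example", "cfo@corp.example"], "US",
                    "Following up on purchase order 77.")

if __name__ == "__main__":
    for m in (ROUTINE, BANK_CHANGE, LOOKALIKE):
        print(m.sender, "->", decide(ACME, m))
```

The design choice worth noting is that payment language alone does not trigger a hold: a known contact, from a known geography, writing to the usual mailbox about banking is normal business. It is the combination of a money-movement request with a change in who, where, or to whom that the guidance says should demand a second control, and `record_verified` is what keeps the profile from decaying into the static vendor list the Q&A above warns against.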
What's in the full article
Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:
- How VendorBase creates and updates vendor profiles from live communication activity.
- The specific vendor risk signals used in continuous scoring and how they are combined.
- Examples of suspicious email timelines and the fields analysts can review during triage.
- The customer impact claims and business case details behind the prevention figures cited in the article.
👉 Read Abnormal AI's analysis of vendor email compromise and VendorBase →
Vendor email compromise: what IAM teams are missing in supply chains
Explore further
Vendor email compromise is a governance problem, not just a detection problem. The article shows that attackers succeed by exploiting trusted business relationships, which means the core failure is weak lifecycle visibility into third-party identity and communication paths. When organisations do not continuously know which vendors are active, how they interact, and what changed, they cannot govern the trust boundary effectively. Practitioners should treat vendor trust as an identity lifecycle issue, not as a mailbox tuning issue.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- 46% confirmed and 26% suspected a breach of non-human identities in the same research, showing how often governance gaps remain hidden until impact is visible.
A question worth separating out:
Q: Who is accountable when a fraudulent vendor request leads to payment loss?
A: Accountability should sit with the control owners who govern third-party trust, approval paths, and payment verification, not only with the mailbox team. If vendor requests can trigger money movement without independent confirmation, the governance failure is in business process design as much as in detection.
👉 Read our full editorial: Vendor email compromise is exposing a major supply-chain blind spot