TL;DR: Vendor email compromise now makes up 61% of business email compromise, and billing account update requests carry a 26.5% compromise rate, showing that attackers are optimising for the abuse of trusted relationships and financial workflows, according to Abnormal AI’s 2026 Attack Landscape Report. The lesson is that identity governance has to extend beyond users to the approval chains and vendor relationships that BEC exploits.
NHIMG editorial — based on content published by Abnormal AI: Abnormal AI 2026 Attack Landscape Report on threat actors targeting human behavior and trusted relationships
By the numbers:
- Vendor email compromise now accounts for 61% of all business email compromise attacks.
- More than one in five phishing attacks (21.6%) now use redirect chains.
Questions worth separating out
Q: How should organisations prevent vendor email compromise from bypassing normal approval workflows?
A: Organisations should treat any vendor request that changes payment, account, or billing details as a high-risk identity event, subject to the same independent verification and approval controls as a change to a user's credentials or entitlements, rather than as a routine accounts-payable message.
Q: Why do billing account update requests create a higher fraud risk than routine invoices?
A: Billing updates can redirect future payments, so one successful request can create durable financial impact.
Q: What should security teams monitor to detect trust-based email attacks earlier?
A: Security teams should monitor for unusual vendor relationship changes, internal impersonation patterns, and requests that pressure finance to act outside normal review paths.
Practitioner guidance
- Reclassify billing changes as identity-controlled events: require independent validation for any request that changes payee details, bank routing, or payment authority.
- Tighten supplier communication verification: use a verified callback process for vendor requests, with known contact records and a second channel for confirmation before action.
- Reduce internal impersonation leverage: limit who can authorise urgent financial exceptions and monitor for unusual internal request patterns that mimic colleague language or timing.
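The guidance above (independent validation of payee changes, a verified callback to contact details already on record, and a restricted set of exception approvers) and the monitoring question earlier on this page both describe the same decision logic. The following is an added example, not code from Abnormal AI or NHIMG, of that logic as a small triage function: it compares an inbound finance request against a vendor master record, flags lookalike sender domains and reply-to mismatches, and holds any payment-redirecting change whose callback did not go to the number on record or was performed by the same person handling the request. The vendor record, request shape, role names and sample requests are all constructed for illustration.

```python
"""Added example (not from the Abnormal AI report or NHIMG): treat vendor
billing changes as identity-controlled events and triage them before action.

Assumptions (hypothetical): vendor master data lives in VENDOR_MASTER, inbound
finance requests are dicts shaped like SAMPLE_REQUESTS, and an out-of-band
confirmation is recorded as a 'callback' entry naming who made it."""

# Request types that can redirect future payments, so one success has durable impact.
HIGH_RISK_CHANGES = {"bank_details", "payee_name", "billing_contact", "remit_to_address"}

# Roles allowed to approve an urgent financial exception (assumed role names).
EXCEPTION_APPROVERS = {"ap_manager", "controller"}

# Constructed vendor master record: the domain and callback number on file.
VENDOR_MASTER = {
    "acme-supplies": {"domain": "acme-supplies.com", "callback": "+1-555-0100"},
}


def _edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(observed, known):
    """True when observed differs from the known domain by at most two edits."""
    return observed != known and _edit_distance(observed, known) <= 2


def evaluate_request(req):
    """Return ('approve' | 'hold', [reasons]) for one inbound vendor request."""
    reasons = []
    vendor = VENDOR_MASTER.get(req["vendor_id"])
    if vendor is None:
        return "hold", ["unknown vendor"]

    sender_domain = req["from"].split("@")[-1].lower()
    reply_domain = (req.get("reply_to") or req["from"]).split("@")[-1].lower()

    if sender_domain != vendor["domain"]:
        if lookalike_domain(sender_domain, vendor["domain"]):
            reasons.append(f"lookalike sender domain {sender_domain}")
        else:
            reasons.append(f"sender domain {sender_domain} not on vendor record")
    if reply_domain != sender_domain:
        reasons.append(f"reply-to domain {reply_domain} differs from sender")

    if req["change_type"] in HIGH_RISK_CHANGES:
        cb = req.get("callback")
        if not cb:
            reasons.append("payment-redirecting change without callback confirmation")
        else:
            # A callback to a number supplied in the email itself proves nothing.
            if cb["number"] != vendor["callback"]:
                reasons.append("callback used a number not on vendor record")
            # Verification must be done by someone other than the request handler.
            if cb["by"] == req["handled_by"]:
                reasons.append("callback not independent of request handler")

    if req.get("urgent") and req.get("exception_approver_role") not in EXCEPTION_APPROVERS:
        reasons.append("urgent exception without authorised approver")

    return ("hold" if reasons else "approve"), reasons


def triage(requests):
    """Evaluate a batch of requests; returns {request_id: (decision, reasons)}."""
    return {r["id"]: evaluate_request(r) for r in requests}


# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    # Routine invoice from the domain on record: nothing to flag.
    {"id": "R1", "vendor_id": "acme-supplies", "from": "ap@acme-supplies.com",
     "change_type": "invoice", "handled_by": "jlee", "urgent": False},
    # Bank change from a lookalike domain (capital I for l), reply-to to webmail,
    # no callback, and an 'urgent' push approved by a clerk.
    {"id": "R2", "vendor_id": "acme-supplies", "from": "ap@acme-suppIies.com",
     "reply_to": "acme.billing@gmail.com", "change_type": "bank_details",
     "handled_by": "jlee", "urgent": True, "exception_approver_role": "ap_clerk"},
    # Bank change properly verified by a second person on the number on record.
    {"id": "R3", "vendor_id": "acme-supplies", "from": "ap@acme-supplies.com",
     "change_type": "bank_details", "handled_by": "jlee", "urgent": False,
     "callback": {"number": "+1-555-0100", "by": "mkhan"}},
    # Bank change where the handler 'verified' it themselves on a new number.
    {"id": "R4", "vendor_id": "acme-supplies", "from": "ap@acme-supplies.com",
     "change_type": "bank_details", "handled_by": "jlee", "urgent": False,
     "callback": {"number": "+1-555-0199", "by": "jlee"}},
]

if __name__ == "__main__":
    for rid, (decision, reasons) in triage(SAMPLE_REQUESTS).items():
        print(rid, decision, "; ".join(reasons))
```

R1 and R3 approve; R2 is held for four independent reasons and R4 for two. The two R4 findings are the ones finance teams most often miss: a callback only counts when it goes to the contact details already on file and is made by someone other than the person who received the request.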
What's in the full report
Abnormal AI's full report covers the operational detail this post intentionally leaves for the source:
- Breakdowns of attack patterns by email tactic, including how attackers tailor messages to target behaviour.
- Sector-level findings on where lateral attacks and vendor impersonation are most effective.
- Methodology notes for the nearly 800,000 email attacks analysed across 4,600+ organisations.
- Additional context on how business workflows shape compromise rates across request types.
👉 Read Abnormal AI's 2026 Attack Landscape Report on vendor email compromise and BEC →
Vendor email compromise: what it means for IAM and finance controls
Explore further
Vendor email compromise is now an identity governance problem, not just an email security problem. The report’s 61% figure shows that attackers increasingly win by abusing trusted business relationships rather than breaking authentication. That shifts the control question from message filtering to authorisation of requesters, approvers, and workflow exceptions. Practitioners should treat supplier-facing approval paths as governed identity channels, not informal communication.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- The same research says only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which is a useful benchmark for programme maturity.
A question worth separating out:
Q: Who should own controls for vendor-related business email compromise?
A: Ownership should sit across IAM, finance operations, and security because the attack exploits both identity trust and payment workflow authority. IAM defines who can request and approve changes, finance owns the payment controls, and security detects impersonation and account compromise. Shared accountability is essential because this is not only an email problem.
👉 Read our full editorial: Vendor email compromise is reshaping BEC and finance workflows