You get an email from your accounting software vendor saying they need to update your payment method due to a “system migration.” The email looks legit, uses the right branding, and even references your actual account details. You click through, update your payment info, and think nothing of it.
Three weeks later, you find out that “vendor” just stole $50,000 from your company.
This is vendor email compromise (VEC), the fastest-growing email threat that’s fooling even security-conscious employees. Traditional phishing emails often look obviously suspicious, but VEC attacks abuse the trust you already have with your business partners.
They don’t need to convince you to trust them: they just need to convince you they’re someone you already trust.
98.5% of these attacks go unreported by employees, while 44.2% of employees unknowingly engage with them.
Those are some downright terrifying percentages.
VEC might feel all doom and gloom, but there are practical steps you can take to better recognize (and prevent) VEC attacks from impacting your business. Below, we’ll cover everything you need to know.
What is vendor email compromise (VEC)?
| Vendor email compromise definition |
|---|
| Vendor email compromise (VEC) is a cyberattack where criminals impersonate trusted business partners or suppliers to steal money, data, or gain unauthorized access to systems. VEC exploits existing business relationships rather than trying to build trust from scratch. |
VEC attacks work by hijacking or spoofing communications from legitimate vendors, suppliers, or service providers that your organization already works with. Attackers might:
- Compromise a real vendor’s email account
- Create lookalike domains
- Forge emails that appear to come from trusted partners
VEC vs BEC: What’s the difference?
The big difference between VEC and business email compromise (BEC) is the target relationship. BEC attacks impersonate internal executives or colleagues, while VEC impersonates external business partners. This external focus makes VEC harder to detect because employees are already familiar with emails from these vendors and don’t scrutinize them as carefully.
| | VEC (Vendor email compromise) | BEC (Business email compromise) |
|---|---|---|
| Target | External vendors/suppliers | Internal executives/colleagues |
| Trust level | High (established business relationship) | Moderate (depends on internal hierarchy) |
| Detection difficulty | Harder (routine vendor communication) | Easier (unusual executive requests) |
| Engagement rate | 44% average, up to 71% in some industries | Lower engagement rates |
| Common scenarios | Invoice changes, payment updates, contract modifications | Wire transfers, gift card requests, urgent payments |
| Reporting rate | 1.46% (very low) | 4.22% |
In Europe and the Middle East, research shows that people fall for fake vendor emails 90% more often than fake boss emails. It turns out it’s way easier to trick someone when you’re pretending to be their software company instead of their CEO.
Why VEC attacks are a big deal
VEC is becoming a serious business problem. The combination of high success rates and low detection makes VEC one of the most dangerous email threats facing organizations today:
- Massive financial losses: Attackers attempted to steal over $300 million through VEC schemes in just 12 months (with individual companies losing tens of thousands per incident).
- Extremely high success rates: With 44% of employees engaging with VEC messages they read, these attacks succeed far more often than traditional phishing attempts.
- Flying under the radar: Only 1.46% of VEC attacks get reported by employees. That means most organizations don’t even know they’re being targeted until money goes missing.
- Targeting important business functions: VEC attacks often focus on finance, procurement, and vendor management (the exact departments that handle money and sensitive business operations).
- Getting more sophisticated: Attackers can use AI tools to create increasingly convincing vendor impersonations that are nearly impossible to distinguish from real communications.
How vendor email compromise attacks work
VEC attacks tend to follow a fairly predictable playbook that uses the trust and routine nature of vendor communications. Attacks typically look like this:
- Research and reconnaissance: Attackers study your company’s vendor relationships through public information, social media, and sometimes data breaches to find which suppliers you work with.
- Impersonation method: They either compromise a real vendor’s email account through phishing or malware, create lookalike domains that mimic legitimate vendors, or spoof email headers to appear authentic.
- Business context: Attackers collect details about ongoing projects, recent interactions, or account information to make their communications feel real and timely.
- Contact: The fraudulent email uses vendor-specific terminology, references real account details, and maintains the communication style you’d expect from that particular supplier.
- Urgency (without panic): VEC emails present reasonable requests with mild urgency—payment method updates, invoice corrections, or contract modifications that seem routine but time-sensitive.
- Request: The final ask might be updated banking details, credential verification, wire transfer instructions, or access to systems.
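The lookalike-domain step of that playbook is one a mail gateway or help desk can check for mechanically. The script below is an added example, not code from the original post or from Valimail: it folds a sender's domain to the letters a reader would perceive (accents stripped, common digit-for-letter and "rn"-for-"m" swaps undone) and flags domains that closely resemble one of the vendor domains you actually work with. The vendor allow-list, the sample addresses, the confusable pairs and the 0.85 similarity threshold are all constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed allow-list of vendor domains the organization actually works with.
KNOWN_VENDOR_DOMAINS = {"acme-accounting.example", "northwind-supplies.example"}

# Visually similar substitutions to undo before comparing; multi-char pairs first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("8", "b")]


def normalize(domain):
    """Fold a domain to the ASCII letters a human reader would perceive."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def sender_domain(address):
    """Extract the domain part from 'user@domain' or 'Name <user@domain>'."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").lower()


def classify_sender(address, known=KNOWN_VENDOR_DOMAINS, threshold=0.85):
    """Return ('known' | 'lookalike' | 'unknown', closest vendor domain or None).

    'lookalike' means the domain is NOT on the allow-list but, after folding,
    is at least `threshold` similar to a vendor you trust: the classic VEC
    impersonation pattern, so the message deserves out-of-band verification.
    """
    domain = sender_domain(address)
    if domain in known:
        return "known", domain
    target = normalize(domain)
    best, best_score = None, 0.0
    for vendor in known:
        score = SequenceMatcher(None, target, normalize(vendor)).ratio()
        if score > best_score:
            best, best_score = vendor, score
    if best_score >= threshold:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    for addr in ["billing@acme-accounting.example", "billing@acrne-accounting.example",
                 "Acme Billing <ar@acmé-accounting.example>", "ops@totally-different.example"]:
        print(addr, "->", classify_sender(addr))
```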

5 solid ways to prevent vendor email compromise
Preventing VEC attacks isn’t about becoming paranoid of every vendor email—it’s about building smart verification habits that become second nature. The goal is keeping business moving smoothly while adding just enough friction to catch the fakes before they catch you.
These strategies work because they target the specific vulnerabilities that VEC attacks exploit: trust, routine, and the assumption that familiar-looking emails are automatically safe.
- Implement email authentication protocols
- Establish vendor verification procedures
- Train employees on VEC-specific threats
- Use separate communication channels for financial changes
- Deploy behavioral email security technology
1. Implement email authentication protocols
Email authentication is your first line of defense against domain spoofing, which is where most VEC attacks start. SPF, DKIM, and DMARC work together to verify that emails actually come from who they claim to be from.
Sure, these protocols won’t stop attackers who manage to hack into legitimate vendor accounts, but they’ll block a ton of VEC attempts that rely on fake domains. The trick is getting these set up for your own domain and nudging your vendors to do the same.
When a vendor’s domain doesn’t have proper authentication, it’s a sitting duck for impersonation.
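To make "proper authentication" concrete, here is an added example (not code from the original post or from Valimail) that reads a domain's DMARC TXT record and classifies its posture: missing, invalid, monitoring only (p=none), partial (an enforcement policy weakened by pct or a looser subdomain policy), or full enforcement. The records below are constructed samples for hypothetical vendor domains; in practice you would fetch the `_dmarc.<domain>` TXT record with your DNS resolver and pass it in.

```python
# Constructed sample DMARC records for hypothetical vendor domains (not real domains).
SAMPLE_RECORDS = {
    "vendor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example",
    "vendor-b.example": "v=DMARC1; p=none; rua=mailto:reports@vendor-b.example",
    "vendor-c.example": "v=DMARC1; p=quarantine; pct=20; sp=none",
    "vendor-d.example": None,  # no _dmarc TXT record published at all
}


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Classify a DMARC record by how much it actually limits impersonation.

    'missing'     - no record: receivers have no policy to apply to spoofed mail
    'invalid'     - record is not a DMARC record (v=DMARC1 absent)
    'monitoring'  - p=none: you get reports, but spoofed mail is still delivered
    'partial'     - quarantine/reject, but pct<100 or subdomains fall back to none
    'enforcement' - quarantine or reject applied to all mail and subdomains
    """
    if not record:
        return "missing"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"
    policy = tags.get("p", "none").lower()  # treat a missing p as no enforcement
    if policy not in ("quarantine", "reject"):
        return "monitoring"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if pct < 100 or sub_policy not in ("quarantine", "reject"):
        return "partial"
    return "enforcement"


def assess_vendors(records):
    """Map each vendor domain to its DMARC posture."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, status in assess_vendors(SAMPLE_RECORDS).items():
        print(f"{domain}: {status}")
```

Only vendors rated "enforcement" give receivers a reason to reject mail that spoofs their domain; the rest are candidates for the "nudge your vendors" conversation.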
Curious about your current email authentication setup? Use Valimail’s free domain checker to assess your email security posture. Enter your domain to see if it’s vulnerable to spoofing or if others are sending emails on your behalf, and instantly check your DMARC, SPF, and BIMI status with a detailed security report.
2. Establish vendor verification procedures
You need a go-to process for double-checking any vendor communication that involves money, account changes, or sensitive stuff. This doesn’t mean calling to confirm every single vendor email (nobody has time for that), but it does mean having clear rules for the risky stuff.
For example, any time someone wants to change banking info or redirect payments, you call them back using a number you already have (not whatever number they conveniently provided in the email). Make this your standard operating procedure, not something you only do when your gut tells you something’s fishy. Attackers are counting on these requests feeling routine enough that verification seems like overkill.
3. Train employees on VEC-specific threats
Your typical phishing training probably focuses on spotting obvious scams—you know, the “urgent CEO needs gift cards” emails. VEC training needs to be different because these attacks actually look legit.
You’re teaching people to pause and verify, not just spot obvious red flags.
Get your team comfortable with being extra careful around vendor emails involving money, account changes, or “urgent” deadlines. Help them understand that real vendors won’t get bent out of shape about verification calls.
Actually, good vendors appreciate clients who take security seriously.
The training that sticks is role-specific. Your finance team deals with different vendor interactions than your sales team, so make it relevant to what they actually see day-to-day.
4. Use separate communication channels for financial changes
Never handle sensitive financial stuff through email alone. Banking changes, payment redirections, contract modifications—all of that needs confirmation through a different channel. Phone calls, secure portals, face-to-face meetings, whatever works for your situation.
This creates a natural chokepoint that trips up attackers. Even if they nail the vendor impersonation via email, they usually can’t extend that act to phone calls or secure systems. Most VEC attacks bank on email being convenient and “secure enough” for everything.
Give your vendors a heads up about this policy so they don’t think you’ve suddenly stopped trusting them. Position it as a mutual security thing, not a “we think you might be criminals” thing.
5. Deploy behavioral email security technology
Modern email security tools use AI to learn communication patterns and spot when something doesn’t feel right. These systems can tell when an email claiming to be from your accounting software vendor doesn’t match how that vendor normally talks, when they usually send emails, or what they typically write about.
Old-school spam filters look for obvious junk, but behavioral analysis catches the fancy stuff that passes basic checks. The technology basically learns what normal looks like for your vendor relationships and raises a flag when something’s off.
It’s not perfect (no technology is), but it adds another layer of protection that doesn’t require your employees to become cybersecurity experts. The good solutions plug into your existing email setup and give you clear alerts when something seems sketchy.
Frequently asked questions
Q: Can email authentication like DMARC prevent VEC attacks?
A: DMARC helps. It’ll stop attackers who create fake domains to impersonate your vendors, but it won’t help if they actually compromise a legitimate vendor’s email account. DMARC is one of the most important layers in your defense, but it’s not a magic shield that blocks everything.
Q: What should I do if I think I’ve received a VEC attack?
A: Don’t panic, but don’t ignore it either. First, don’t click any links or download attachments. Verify the request through a separate communication channel: call the vendor using a number you already have, not one from the suspicious email. If it turns out to be fake, report it to your IT team and warn other employees.
Q: Why don’t employees report VEC attacks more often?
A: Most of the time, employees don’t even realize they’ve been targeted. Vendor email compromise emails look so legitimate that people engage with them thinking they’re real business communications. Unlike obvious phishing attempts that people recognize as threats, VEC attacks fly under the radar until money actually goes missing.
Q: Are certain industries more vulnerable to VEC attacks?
A: Yes, telecommunications companies see the highest engagement rates at over 71%, followed by energy and utilities. Still, every industry that works with external vendors (which is basically everyone) faces VEC risks. The deciding factor really isn’t your industry but how well you’ve trained employees to verify vendor communications.
Stop vendor impersonators from hijacking your domain
VEC attacks are getting more sophisticated, but there’s one thing that hasn’t changed: attackers still need to make their emails look like they’re coming from legitimate domains.
But proper email authentication can help.
DMARC won’t stop every vendor email compromise attack, but it eliminates a huge chunk of domain spoofing attempts that make these scams possible in the first place. The problem is that setting up and maintaining DMARC correctly is complicated, time-consuming, and easy to mess up.
That’s where Valimail Monitor comes in. Our free Microsoft 365–integrated solution helps you identify up to 99% of services sending from your domain by name, not just IP. With Monitor, you’ll uncover hidden third-party platforms, unauthorized senders, and shadow IT services abusing your domain, all without having to dig through complex XML reports.
Setting up takes less than five minutes. Just log in with your Microsoft 365 credentials—no MX record changes or complicated configuration required. You’ll get weekly DMARC aggregate reports that are easy to read and act on, even if you’re not a DMARC expert.
When you’re ready to move from visibility to enforcement, you won’t be doing it alone. Valimail has partnered with Abnormal Security to deliver a comprehensive, integrated email security solution. Abnormal provides advanced inbound protection—detecting threats like BEC, VEC, invoice fraud, and insider risk—while Valimail handles outbound authentication, stopping spoofing attacks that use your brand to deceive others. Together, we help secure every angle of your email ecosystem.
Ready to see who’s sending on your behalf and start protecting your domain?