Phishing & Social Engineering

What Is Vendor Email Compromise?


Always Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

Vendor Email Compromise (VEC), also called financial supply chain compromise, is a sophisticated Business Email Compromise variant in which an attacker compromises or impersonates a third-party vendor's email account to send fraudulent invoices, payment redirects, or other financially motivated messages to that vendor's customers.

How does vendor email compromise work?

VEC attacks are sophisticated, multi-staged operations spanning weeks to months, requiring planning and patience that distinguish them from lower-effort phishing campaigns. The attacker begins with extensive reconnaissance on the target vendor, its client relationships, billing cycles, and payment structures. This intelligence-gathering phase involves analyzing public records and business filings, examining LinkedIn and other professional profiles, and researching vendor websites to understand invoicing patterns, typical transaction amounts, and key contact relationships. The attacker maps the financial flows between the vendor and its customers, identifying which relationships involve the largest transaction values.

Once reconnaissance concludes, the attacker executes one of two acquisition strategies. The first is compromising the vendor's email account via phishing campaigns targeting vendor employees, credential stuffing attacks against vendor email systems, or purchasing compromised vendor credentials from dark web marketplaces. The second is registering a lookalike domain visually similar to the vendor's legitimate address—replacing 'l' with '1', using .cam instead of .com, or subtle misspellings that appear legitimate at a glance.

If account compromise succeeds, the attacker's access is substantial. The attacker establishes email forwarding rules or creates new mailbox rules to silently monitor financial conversations—invoices, payment schedules, contract discussions, payment terms negotiations—without the vendor's knowledge or visibility. The attacker reviews months of prior correspondence to understand communication styles, typical invoice formats, standard payment terms, and key customer relationships. The attacker then waits patiently for an approaching billing cycle or payment milestone before intervening with surgical precision. The payload involves sending modified invoices or payment redirect instructions that alter banking details, routing numbers, or account information. The requests appear legitimate because they reference real services, real invoice numbers, real business relationships, and maintain the established tone and format of the vendor's communications. Misdirected payments are quickly moved through multiple accounts and jurisdictions—often converted to cryptocurrency or transferred internationally—to complicate recovery and trace attempts. Abnormal AI documented a single VEC attempt targeting $36 million in fraudulent payments (Abnormal AI, 2023).
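The forwarding and mailbox rules described above are one of the few artifacts a compromised vendor leaves behind before any money moves, so auditing rule exports is a practical detection. The following is an added example, not code from the original page or from Kinds Security; the rule export format (the dictionary keys), the trusted domain, and the sample rules are all constructed for this illustration.

```python
"""Audit exported mailbox rules for the silent-forward-and-hide pattern used in VEC."""

# Constructed sample data. The export schema (dict keys) is an assumption for this
# example, not the format of any particular mail platform.
TRUSTED_DOMAINS = {"northwind-parts.example"}          # the vendor's own mail domain(s)
FINANCE_TERMS = {"invoice", "payment", "wire", "remit", "bank", "routing"}
HIDING_FOLDERS = {"deleted items", "junk", "rss feeds", "conversation history"}

SAMPLE_RULES = [
    {   # benign housekeeping rule
        "mailbox": "ap@northwind-parts.example",
        "name": "Archive old newsletters",
        "conditions": {"from_contains": ["newsletter"]},
        "actions": {"move_to": "Archive"},
    },
    {   # the pattern from the text: forward finance mail out, then hide it from the owner
        "mailbox": "ap@northwind-parts.example",
        "name": ".",
        "conditions": {"subject_contains": ["invoice", "payment", "wire"]},
        "actions": {"forward_to": ["collector@mail-drop.example"], "mark_read": True, "delete": True},
    },
    {   # internal forward of invoices to a colleague: worth a look, not an alert on its own
        "mailbox": "ap@northwind-parts.example",
        "name": "Copy invoices to controller",
        "conditions": {"subject_contains": ["invoice"]},
        "actions": {"forward_to": ["controller@northwind-parts.example"]},
    },
]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def inspect_rule(rule):
    """Return the suspicious traits found in one rule (empty list if none)."""
    findings = []
    conditions = rule.get("conditions", {})
    actions = rule.get("actions", {})

    external = [a for a in actions.get("forward_to", []) if _domain(a) not in TRUSTED_DOMAINS]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))

    terms = {t.lower() for t in conditions.get("subject_contains", [])}
    if terms & FINANCE_TERMS:
        findings.append("matches finance keywords: " + ", ".join(sorted(terms & FINANCE_TERMS)))

    if actions.get("delete") or actions.get("move_to", "").lower() in HIDING_FOLDERS:
        findings.append("hides matching mail from the mailbox owner")

    if actions.get("mark_read"):
        findings.append("marks matching mail as read (suppresses the unread indicator)")

    if len(rule.get("name", "").strip()) <= 1:
        findings.append("near-empty rule name")

    return findings


def audit_rules(rules, alert_threshold=2):
    """Return (index, findings) for every rule whose trait count reaches the threshold."""
    alerts = []
    for idx, rule in enumerate(rules):
        findings = inspect_rule(rule)
        if len(findings) >= alert_threshold:
            alerts.append((idx, findings))
    return alerts


if __name__ == "__main__":
    for idx, findings in audit_rules(SAMPLE_RULES):
        rule = SAMPLE_RULES[idx]
        print(f"ALERT mailbox={rule['mailbox']} rule={rule['name']!r}")
        for finding in findings:
            print("  -", finding)
```

The threshold keeps a lone internal forward of invoices (common in finance teams) from paging anyone, while the combination of an external recipient, finance keywords and a hide action is exactly the monitoring setup the text describes and is alerted on.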

How does vendor email compromise differ from business email compromise?

| Dimension | Vendor Email Compromise (VEC) | Business Email Compromise (BEC) | Lateral Phishing | Spear Phishing |
|---|---|---|---|---|
| Impersonated Party | External vendor/supplier | Internal executive or colleague | Internal employee (compromised) | Any trusted party |
| Relationship Exploited | Inter-organizational (vendor-customer) | Intra-organizational (executive-employee) | Intra-organizational | Various |
| Primary Goal | Invoice fraud, payment diversion | Wire transfer fraud, data theft | Credential harvesting, further account takeover | Credential theft, malware, espionage |
| Research Required | Extensive (weeks-months): understanding billing cycles and payment structures | Moderate: organizational hierarchy knowledge | Moderate: internal contacts research | Moderate: target-specific research |
| Sophistication Level | Very high | High | Medium-high | Medium-high |
| Average Payout | High—targets large vendor invoices; notable cases involve $37M-$100M | Medium-high ($120K-$150K average per FBI) | Low per incident (credential harvesting) | Variable by target |
| Scope of Impact | Both vendor and all customers (supply chain contagion) | Single organization | Single organization and partners | Single target |
| Detection Timeline | Long—average 233 days before discovery | Variable—hours to weeks | Short-medium | Short |
| Ideal for | Exploiting trusted financial relationships with large transaction values | Defrauding finance departments at a single organization | Obtaining credentials for lateral movement | Targeted espionage or data theft |

Neither variant is universally more dangerous: VEC exploits supply chain relationships and can reach many customers of a single vendor at once, while BEC exploits internal hierarchy and reaches the target's finance team more directly.

Why has vendor email compromise gained traction?

VEC attacks surged 66% during the first half of 2024, according to Abnormal AI (2024). In the financial services sector specifically, VEC attacks rose 137% year-over-year in 2023 (Abnormal AI, 2024). This growth is driven by lucrative payouts: individual VEC incidents have targeted amounts as high as $100 million (the Google/Facebook case involving Lithuanian national Evaldas Rimasauskas impersonating Quanta Computer in 2013-2015). Broader BEC losses—which include VEC—totaled $2.77 billion across 21,442 reported incidents in 2024 alone, representing over 17% of the $16.6 billion in total cybercrime losses reported to the FBI (FBI IC3, 2024). The category has caused $55 billion in reported losses from October 2013 through December 2023 (FBI IC3 PSA, 2024). However, VEC's growth trajectory outpaces BEC in certain regions: in EMEA, second-step engagement with VEC emails (replies or forwards) reached 47.3%, nearly double that of BEC (MSSP Alert, 2024).

The average dwell time before VEC detection is approximately 233 days (IBM, cited by Heimdal Security, 2024), allowing attackers extended time to position themselves within vendor relationships before executing fraud.

What are the limitations of vendor email compromise?

VEC requires extended reconnaissance—weeks to months of preparation involving detailed understanding of billing cycles, payment structures, and business relationships. This makes VEC less scalable than standard phishing. Out-of-band verification defeats the attack entirely: a simple phone call to the vendor using a previously established phone number to verify payment changes neutralizes VEC, making it the single most effective countermeasure.

Lookalike domains, while effective, can be detected through domain monitoring services and careful inspection of sender addresses. Organizations with strong payment change verification procedures—dual authorization, callback verification, and separation of duties—significantly reduce VEC risk. AI-based systems that baseline normal vendor invoicing patterns can detect anomalies in invoice amounts, timing, payment details, or communication style. The attacker must also time the fraud to coincide with genuine payment cycles; mis-timed requests raise suspicion. Finally, if fraud is detected quickly, financial institutions can sometimes freeze and recover misdirected funds, making early detection valuable.
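The anomaly baseline described above does not need a large model to be useful: a per-vendor profile of sender domain, payee account, amount distribution and billing day already flags the two things a VEC invoice must change (where the money goes, and often how much). The following is an added example, not code from the original page or from Kinds Security; the vendor name, domains, account references and invoice history are constructed for this illustration, and the z-score threshold and five-day billing window are assumptions.

```python
"""Baseline a vendor's invoicing pattern and flag invoices that break it."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Invoice:
    vendor: str
    sender_domain: str   # domain of the address the invoice arrived from
    amount: float
    bank_account: str    # tokenised reference to the payee account printed on the invoice
    day_of_month: int    # day the invoice arrived


# Constructed history: six routine monthly invoices from one vendor.
HISTORY = [
    Invoice("Northwind Parts", "northwind-parts.example", 12400.00, "ACCT-7781", 3),
    Invoice("Northwind Parts", "northwind-parts.example", 12150.00, "ACCT-7781", 2),
    Invoice("Northwind Parts", "northwind-parts.example", 12600.00, "ACCT-7781", 4),
    Invoice("Northwind Parts", "northwind-parts.example", 12300.00, "ACCT-7781", 3),
    Invoice("Northwind Parts", "northwind-parts.example", 12550.00, "ACCT-7781", 2),
    Invoice("Northwind Parts", "northwind-parts.example", 12250.00, "ACCT-7781", 3),
]


def build_baseline(history):
    """Summarise what 'normal' looks like for one vendor."""
    amounts = [i.amount for i in history]
    return {
        "domains": {i.sender_domain.lower() for i in history},
        "accounts": {i.bank_account for i in history},
        "amount_mean": mean(amounts),
        "amount_std": pstdev(amounts),
        "days": {i.day_of_month for i in history},
    }


def score_invoice(invoice, baseline, z_threshold=3.0, day_tolerance=5):
    """Return the anomalies found; an empty list means the invoice fits the baseline."""
    findings = []
    if invoice.sender_domain.lower() not in baseline["domains"]:
        findings.append("sender domain never seen for this vendor")
    if invoice.bank_account not in baseline["accounts"]:
        findings.append("payee bank account differs from every prior invoice")
    std = baseline["amount_std"] or 1.0          # guard against a perfectly constant history
    z = (invoice.amount - baseline["amount_mean"]) / std
    if abs(z) > z_threshold:
        findings.append(f"amount is {z:.1f} standard deviations from the vendor's norm")
    # Simple day-of-month window; month wrap-around is ignored to keep the example short.
    if all(abs(invoice.day_of_month - d) > day_tolerance for d in baseline["days"]):
        findings.append("arrived outside the vendor's usual billing window")
    return findings


def triage(invoice, history=HISTORY):
    """Score one incoming invoice against the vendor's history."""
    return score_invoice(invoice, build_baseline(history))


if __name__ == "__main__":
    candidates = [
        # routine invoice
        Invoice("Northwind Parts", "northwind-parts.example", 12450.00, "ACCT-7781", 4),
        # compromised real account: everything matches except the payee account
        Invoice("Northwind Parts", "northwind-parts.example", 12480.00, "ACCT-9902", 3),
        # lookalike domain, new account, inflated amount, off-cycle timing
        Invoice("Northwind Parts", "n0rthwind-parts.example", 48000.00, "ACCT-9902", 19),
    ]
    for inv in candidates:
        print(inv.sender_domain, inv.amount, "->", triage(inv) or ["no anomalies"])
```

The second candidate is the hard case the text warns about: a compromised legitimate account produces a message that is authentic in every respect except the payee details, so the account-change check must stand on its own and route the invoice to out-of-band verification regardless of how normal everything else looks.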

How can organizations defend against vendor email compromise?

Verify all payment change requests through phone calls to known, pre-established vendor contact numbers—never using contact information from the suspicious email itself. This single control defeats most VEC attempts. Deploy AI-powered email security platforms that analyze sender behavior, communication patterns, invoice anomalies, and domain age to detect VEC attempts. Implement strict email authentication (DMARC, SPF, DKIM) at enforcement levels to block exact-domain spoofing, though note this does not protect against lookalike domains or compromised legitimate accounts.

Monitor for registration of lookalike domains mimicking your organization or your vendors' domains. Implement financial process controls including dual authorization for payment changes, separation of duties between invoice approval and payment execution, and mandatory verification procedures for vendor banking detail changes. Assess vendors' email security posture as part of third-party risk management, requiring vendors to implement MFA and email authentication. Train accounts payable and finance teams specifically on VEC tactics, including recognizing urgency cues, verifying payment changes, and inspecting sender domains carefully. Where possible, use authenticated vendor payment portals rather than email-based payment instructions. Establish rapid response procedures for suspected VEC, including immediate contact with the financial institution to freeze transfers, law enforcement notification, and vendor notification.
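Monitoring for lookalike domains, as recommended above, comes down to comparing observed sender domains against the vendor master list after folding the substitutions the earlier section describes (digit-for-letter swaps, a changed top-level domain, a dropped character). The following is an added example, not code from the original page or from Kinds Security; it goes slightly beyond the text by handling accented characters as well. The trusted domains and sample senders are constructed, and the confusable table and edit-distance limit are assumptions a deployment would tune.

```python
"""Classify a sender domain against a list of trusted vendor domains."""
import unicodedata

# Constructed trusted list; in practice this comes from the accounts-payable vendor master file.
TRUSTED_DOMAINS = {"northwind-parts.com", "contoso-logistics.com"}

# Substitutions that survive a glance. Multi-character entries are applied first so that
# "rn" is folded to "m" before the single-character swaps run.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s"), ("3", "e")]


def normalize(domain):
    """Lower-case, strip accents, and fold confusable characters to the letters they imitate."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text


def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(sender_domain, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return (verdict, matched_trusted_domain).

    Verdicts: exact, confusable (same after folding), tld-swap (same name, different
    suffix), typo (within max_distance edits), unrelated.
    """
    sender = sender_domain.lower()
    if sender in trusted:
        return "exact", sender
    s_norm = normalize(sender)
    s_name, _, s_tld = s_norm.rpartition(".")
    for t in trusted:
        t_norm = normalize(t)
        if s_norm == t_norm:
            return "confusable", t
        t_name, _, t_tld = t_norm.rpartition(".")
        if s_name == t_name and s_tld != t_tld:
            return "tld-swap", t
        if s_tld == t_tld and levenshtein(s_name, t_name) <= max_distance:
            return "typo", t
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sender domains covering each verdict.
    for sender in ["northwind-parts.com", "n0rthwind-parts.com", "northwind-parts.cam",
                   "northwind-part.com", "fabrikam.com"]:
        print(f"{sender:24} -> {classify_domain(sender)}")
```

The same routine serves both directions the text mentions: run it over inbound sender domains to catch impersonation of your vendors, and over newly registered domains from a monitoring feed to catch impersonation of your own organization.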

FAQs

Q: How does vendor email compromise differ from business email compromise?

BEC involves impersonating internal executives or colleagues to trick employees into wire transfers or data disclosure. VEC specifically targets vendor-customer relationships—the attacker compromises or impersonates an external vendor/supplier to send fraudulent invoices or payment redirects to the vendor's customers. VEC typically requires more extensive research (billing cycles, payment structures, client lists) and can yield larger payouts because it exploits trusted financial relationships between organizations (Cloudflare, 2024; Heimdal Security, 2024).

Q: How much money has been lost to vendor email compromise?

VEC losses are tracked within broader BEC reporting. The FBI IC3 reports that BEC (including VEC) caused $55 billion in reported losses from 2013 through 2023, with $2.77 billion lost in 2024 alone. Individual VEC incidents have targeted amounts as high as $100 million (Google/Facebook case) and $37 million (Toyota Boshoku). VEC attacks rose 66% during H1 2024 (FBI IC3, 2024; Abnormal AI, 2024).

Q: What is the simplest defense against VEC?

The single most effective defense is out-of-band verification: before processing any vendor payment change (new bank account, updated routing information, modified invoice), call the vendor using a phone number from your existing records (not from the email) to verify the request. Legitimate vendors always appreciate this security step (Cloudflare, 2024; Proofpoint, 2024).

Q: How long does a VEC attack typically go undetected?

VEC attacks have an average dwell time of approximately 233 days (about 7.5 months) before detection. The extended reconnaissance, monitoring, and timing phases mean attackers can be inside a vendor's email system for months before executing the fraud (IBM, cited by Heimdal Security, 2024).

Q: Can email authentication (DMARC) prevent VEC?

DMARC with p=reject prevents exact-domain spoofing, blocking one VEC variant. However, DMARC does not protect against compromised legitimate vendor accounts (where the email genuinely originates from the vendor's domain) or lookalike domains (which use different, newly registered domains). VEC defense requires layered controls including AI-based email security, payment verification procedures, and domain monitoring (Valimail, 2024).
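The three cases in this answer (exact-domain spoof, compromised legitimate account, lookalike domain) can be separated mechanically from two facts the receiving mail server already has: the domain in the From header and the DMARC result it computed. The following is an added example, not code from the original page or from Kinds Security; the vendor domain, the DMARC records and the sample messages are constructed, and the verdict labels are this example's own.

```python
"""Decide whether a vendor's DMARC policy could have stopped a given message."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    from_domain: str    # domain shown in the visible From: header
    dmarc_result: str   # "pass" or "fail", as evaluated by the receiving mail server


def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...' into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def is_enforcing(record):
    """True only when the policy rejects or quarantines every unauthenticated message."""
    return (
        record.get("v") == "DMARC1"
        and record.get("p") in {"quarantine", "reject"}
        and int(record.get("pct", "100")) == 100
    )


def dmarc_verdict(msg, vendor_domain, vendor_dmarc_txt):
    """Explain what the vendor's DMARC policy does for this message."""
    record = parse_dmarc(vendor_dmarc_txt)
    if msg.from_domain.lower() != vendor_domain.lower():
        # Lookalike domain: the attacker owns it and publishes whatever policy they like,
        # so the real vendor's record never comes into play.
        return "OUT_OF_SCOPE_LOOKALIKE"
    if msg.dmarc_result == "pass":
        # The message genuinely left the vendor's infrastructure (e.g. a compromised
        # account); DMARC is doing its job and cannot distinguish it from real mail.
        return "OUT_OF_SCOPE_AUTHENTICATED"
    if is_enforcing(record):
        return "BLOCKED"
    return "NOT_BLOCKED_MONITOR_ONLY"


# Constructed vendor domain and records.
VENDOR_DOMAIN = "northwind-parts.example"
MONITOR_ONLY_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@northwind-parts.example"
ENFORCED_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@northwind-parts.example"

# Constructed messages, one per case discussed in the FAQ answer.
SAMPLE_MESSAGES = {
    "exact-domain spoof": Message("northwind-parts.example", "fail"),
    "compromised vendor account": Message("northwind-parts.example", "pass"),
    "lookalike domain": Message("n0rthwind-parts.example", "pass"),
}


if __name__ == "__main__":
    for label, msg in SAMPLE_MESSAGES.items():
        print(f"{label:28} p=none   -> {dmarc_verdict(msg, VENDOR_DOMAIN, MONITOR_ONLY_RECORD)}")
        print(f"{label:28} p=reject -> {dmarc_verdict(msg, VENDOR_DOMAIN, ENFORCED_RECORD)}")
```

Only the first case ever changes with the policy; the other two come back out of scope whatever the record says, which is the point of the answer: DMARC enforcement is necessary but addresses one of the three VEC delivery paths.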


© 2026 Kinds Security Inc. All rights reserved.
