The Gist
According to the 2024 AFP Payments Fraud Survey, the most common type of business email compromise (BEC) isn’t CEO impersonation anymore—it’s vendor and third-party impersonation:
- Executive impersonation has declined by 8%.
- Vendor fraud has jumped to 45%, up from 34% last year.
- Invoice fraud nearly doubled, hitting 24%.
And yet, despite the shift, the industry continues to lump these attacks under the broad “BEC” umbrella.
But here’s the problem: today’s most costly attacks don’t start in your inbox—they start in your vendor’s inbox. That’s not traditional BEC; that’s Vendor Email Compromise (VEC).
This misclassification matters. It obscures the real nature of the threat, and worse: it leads companies to double down on the wrong defenses.

What is Vendor Email Compromise (VEC)?
Vendor Email Compromise (VEC) is a type of cyberattack where fraudsters compromise the email accounts of legitimate vendors or third-party partners. Once inside, they observe billing patterns, gather context, and then send fraudulent messages to their target—your finance team—at exactly the right time.
Imagine this: your accounts payable team receives an invoice from a long-time vendor. It looks legitimate, matches a recent order, and comes from the vendor’s real email address. But the bank details are wrong—and by the time you realize it, thousands of dollars are gone.
Because the message comes from a trusted partner—often timed perfectly to a real billing cycle—these attacks easily bypass email filters and standard controls. And because the fraud originates in a vendor’s inbox, not yours, most internal defenses never see it coming.
How They Do It
Here’s what makes Vendor Email Compromise (VEC) so deceptive—and so effective: the attack doesn’t originate inside your organization. It doesn’t breach your firewalls, trick your employees, or trigger your email filters—because it doesn’t touch your email system at all.
Here’s how it typically plays out:
- The breach happens at your vendor. A cybercriminal gains access to a real vendor’s email account—often via phishing or credential theft.
- They study you. The attacker monitors communications, invoicing patterns, and how the vendor interacts with your accounts payable team.
- They use the vendor’s real account. At the perfect time—aligned with your payment cycle—they send an invoice that looks completely legitimate, except the bank account has been swapped.
- You approve and pay. Because it comes from a trusted partner, there are no red flags. No internal compromise. No alerts.
And here’s the issue with continuing to conflate VEC with BEC: no amount of email security on your side will stop it. The email isn’t spoofed. It’s real—and it’s already inside your vendor’s environment.
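Because the email itself is genuine, the useful control sits on the payment side. As an added illustration (not Trustmi's product code), here is the kind of ERP-side check that catches the swapped bank account in step three and the off-cadence timing in step two, assuming a vendor master record that holds an out-of-band-verified account plus a short history of past paid invoices (all values constructed):

```python
from dataclasses import dataclass
from datetime import date
from statistics import median

@dataclass
class Invoice:
    vendor_id: str
    received: date
    amount: float
    account: str  # payee bank account printed on the invoice

# Constructed vendor master record: the bank account verified out of band
# (e.g. by phone to a known contact) plus dates and amounts of past paid invoices.
VENDOR_MASTER = {
    "V-1001": {
        "verified_account": "ACCT-0001-VERIFIED",
        "history": [
            (date(2024, 1, 2), 4800.0),
            (date(2024, 2, 1), 5100.0),
            (date(2024, 3, 1), 4950.0),
            (date(2024, 4, 1), 5000.0),
        ],
    }
}

def flag_invoice(inv: Invoice, master: dict = VENDOR_MASTER) -> list[str]:
    """Return reasons this invoice needs manual verification (empty list = no anomaly)."""
    rec = master.get(inv.vendor_id)
    if rec is None:
        return ["unknown vendor id"]
    reasons = []
    # 1. The core VEC signal: the payee account differs from the verified master record.
    #    A "we changed banks" note in the email is not evidence; the master only changes
    #    after out-of-band confirmation.
    if inv.account != rec["verified_account"]:
        reasons.append("bank account differs from verified vendor record")
    hist = sorted(rec["history"])
    if len(hist) >= 2:
        # 2. Timing: an invoice arriving much sooner than the vendor's usual cadence.
        gaps = [(b[0] - a[0]).days for a, b in zip(hist, hist[1:])]
        since_last = (inv.received - hist[-1][0]).days
        if since_last < 0.5 * median(gaps):
            reasons.append("arrived earlier than the vendor's usual billing cadence")
        # 3. Amount: well outside the range this vendor has billed before.
        amounts = [a for _, a in hist]
        if inv.amount > 1.5 * max(amounts) or inv.amount < 0.5 * min(amounts):
            reasons.append("amount outside historical range")
    return reasons
```

Any non-empty result holds the payment until someone confirms the details with the vendor through a channel other than the email thread.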
Trustmi’s Take
VEC isn’t just a subset of BEC—it’s a fundamentally different problem. The entry point isn’t your inbox, it’s your ecosystem. And that’s why companies need additional security that monitors behavior across systems.
At Trustmi, we’ve built a platform that:
- Integrates with ERP and payment systems to detect anomalies
- Monitors vendor behavior and timing, not just message content
- Keeps sensitive banking information out of vulnerable systems
As VEC becomes a dominant form of financial cybercrime, siloed tools simply won’t cut it. You need fraud prevention that sees the whole picture.
Want to see how VEC attacks unfold in a real-world scenario? Watch our 30-minute webinar, “Trade Wars & Vendor Risks: 3 Actionable Insights to Avoid Fraud.”
