
Vendor email compromise: What is it, and how can you stay protected?

Email users across the globe are increasingly beginning to understand that email is a common threat vector. Even though some users continue to fall prey to threat actors' tactics, those who are aware of current cyber attack trends become more vigilant in spotting the common indicators of threat emails. In such cases, they avoid interacting with the email and report it.

In response to the users’ rising awareness, cybercriminals are looking for innovative ways to create cyber attacks that will deceive users and get them closer to their intended motives. They find novel ways to make the email recipient believe that the email is genuine and subtly nudge them to interact with it. When the email lacks the usual markers of phishing emails, the recipients go on to engage with it. 

Among the attacks threat actors are leaning on in recent times is vendor email compromise (VEC). VEC is becoming more common, with 83% of organizations having experienced an attack in 2024. In this article, we'll discuss what VEC is, how it works, and the measures organizations can take to protect themselves. 

What is vendor email compromise?

Vendor email compromise is an email threat in which cybercriminals gain access to a vendor organization's email accounts, silently observe its communication patterns, and use the insights from those patterns to launch a cyber attack on the vendor's clients. In VEC attacks, the threat actor poses as the vendor and sends an invoice request, a payment overdue email, or a request for quotation (RFQ) to the vendor's customers, either by taking control of the vendor's account or by creating a lookalike account.

Based on the prior payment history and the trust that has been built with the vendor, the email recipient (in most cases, the customer organization’s finance department) proceeds to make the payment. The threat actor raises the invoice, sharing their own bank account details in place of the vendor’s details to ensure that the payment is remitted to their account. 

The difference between VEC and BEC

Most email users are aware of business email compromise (BEC) attacks. While both VEC and BEC attacks happen in a similar way, the main difference between the two is in the relationship that's shared with the target by the threat actor. BEC attacks prey on the trust built within an organization, making the attacks mostly internal. On the other hand, VEC attacks happen across organizations, with an external vendor that the company conducts transactions with.

| Comparison factor | VEC | BEC |
| --- | --- | --- |
| Primary target | Vendors, suppliers, and their customers | Business executives, employees, or partners |
| Attack method | Take over vendor accounts or spoof vendor domains to alter invoices/payment details | Impersonate executives, partners, or employees to request wire transfers, gift cards, or sensitive data |
| Trust exploited | Established relationships between the vendor and customer | Organizational hierarchy and authoritative positions such as CEO, CFO, and HR |
| Common tactics | Fake invoices, fraudulent bank account updates, and hijacked vendor communications | CEO fraud, payroll diversion, and fake requests for urgent transfers |
| Indicators | Sudden changes in vendor bank details, invoices from unusual domains, and unexpected payment requests | Urgent requests from the CEO, pressure to bypass normal approvals, and an unusual tone in messages |

Example of a VEC attack

In 2019, Toyota Boshoku Corporation, an automotive components manufacturer that was part of the Toyota group of companies, was the victim of a VEC attack. In this attack, the company lost approximately $37 million (¥4 billion) as a result of an email that was sent by a hacker. 

A threat actor, posing as a business partner of the company, sent an email requesting a fund transfer to the organization's finance department. For an automotive giant like Toyota, such a large sum of money may not have seemed unusual. The person in charge made the transfer to the requested account, leading to millions of dollars in losses. This high-impact VEC attack stands out as a cautionary example for many organizations.

Stages of a VEC attack

A VEC attack plays out similarly to most other email threats. The main difference is the silent observation period, during which the attacker studies the compromised account's communication patterns, and the subsequent emulation of those patterns in the fraudulent emails. Let's go through the different phases in which threat actors carry out the attack.

Initial phishing attempt

In the first phase, threat actors design a phishing email to prey on the target organization, which in this case is the vendor. For the initial email, cybercriminals use any of their usual social engineering tactics to get the email recipient to reveal sensitive details. In most VEC attacks, the attacker is seeking email account credentials. These initial attacks are rarely targeted in nature. Rather than focusing on just one company, they target multiple companies and hope that some turn out to be fruitful. 

Monitoring vendor accounts

Once the threat actor gains a user's account credentials through the phishing attack, they use the credentials to log into the account and monitor all of the ongoing transactions and activities. They gain insights into high-paying customers, billing cycles, frequency of payments, and usual communication patterns. Some threat actors configure mail forwarding rules in the target's accounts to track the communication without raising suspicion. 

Sending fake emails as a vendor

With all of the details they've gathered by monitoring the emails exchanged through the target account, the threat actor sends an email to the vendor's customers. They raise invoices or payment requests along with bank account details that route the money to the criminal's account. These emails are delivered in different ways: in some cases the threat actor impersonates the vendor domain, and in others, such as an account takeover, they send from the original account itself, making detection much harder.

Payment made to hacker

When the email recipient gets an email that raises a genuine-looking invoice or a payment overdue notification, they tend to trust the request if the billing date, vendor details, amount owed, and other such details match with the usual request from the vendor. Owing to the trust that's already established with the vendor, they proceed to make the payment to ensure that all dues are cleared. In completing this process, they fail to verify the bank account details, resulting in financial loss. 

Why are VEC attacks successful?

In a 2025 report, it was found that enterprise employees engage with VEC threats 72% of the time. This number is surprising, especially for companies that conduct awareness training for their employees. This success is attributed to a combination of previously established trust and extensive research.

They exploit an established trust

Most enterprises work with many vendors for their different needs. These relationships are built over time, and there's a certain level of trust established between the vendor and the customer. When a threat actor cites examples of previous payments or purchase orders, the customer tends to believe that the request is, in fact, from the vendor. Because such information is mostly confidential between the vendor and customer, they go ahead and process what's requested in the email.

They come from legitimate sender domains

Most VEC attacks originate from legitimate sender domains. The threat actor gains access to the original account details and sends emails from the vendor's domain. When a customer receives an email containing an invoice or other payment details from the domain they usually communicate with, it doesn't arouse suspicion. By mimicking the content and patterns of the previous emails, the threat actor gains the customer's trust. 

The attacks are research-based

After gaining access to the email account, the intruder silently monitors all of the account's activities. This includes ongoing transactions, accounts payable (AP) aging reports, pending billables, billing cycles, and other details that only the vendor and customer would be privy to. When the target receives an email citing such confidential information at the time corresponding to their usual billing cycle, there's a higher chance they'll believe it.

They bypass traditional security

The threat actor, after gaining access to the vendor's account, uses it to create and send the threat email to customers. Because the email originates from the legitimate account, neither the email recipient nor traditional security filters are alerted to the intruder. The email passes the usual authentication checks such as SPF, DKIM, and DMARC, since it is genuinely sent from the vendor's domain, and so it lands in the user's inbox. Once the email is in the user's view, it's up to them to use their judgment in engaging with it.

How can you protect your organization from VEC attacks?

VEC attacks are deeply researched and highly targeted in nature, making them a formidable weapon for threat actors. However, organizations can follow protection measures to ensure that their employees won't be deceived. We'll explore some of them in this section.

1. Learn the markers of VEC emails

Even though threat actors use nuanced tactics to craft VEC emails, there are certain markers that employees should learn to identify. 

Unusual bank account changes: Requests to update vendor payment details, often switching to international or unfamiliar accounts, should always be questioned.

Lookalike domains or slight typos: For example, vend0r.com instead of vendor.com or a domain ending in .co instead of .com.

Hijacked or forwarded conversations: Emails will appear in the middle of a real thread, but with subtle changes (like altered invoices or new instructions).

Attachments with slight variations: Invoices that look real but have small discrepancies (wrong logos, mismatched numbers, and changed account details).

Timing misalignment: Requests that don’t match the vendor’s typical billing cycle or contract terms.

Suspicious reply-to address: Email appears to come from a known vendor, but the “reply-to” directs to a different account.

Uncommon payment methods: Requests to switch from bank transfer to wire, crypto, or prepaid accounts.

Failure to align with prior agreements: The request doesn’t reference prior POs, contracts, or official documents the way legitimate invoices would.
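A small header and body check built around three of these markers (lookalike sender domain, mismatched reply-to, and a bank account change in the body), written here as an added example for this article and not code from the original post; the trusted vendor domain list, the confusable-character mapping, and the sample messages are constructed assumptions:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains of vendors the organization already transacts with (constructed for this example).
TRUSTED_VENDOR_DOMAINS = {"vendor.com"}
# Phrases that typically accompany a payment-detail change in the message body.
BANK_CHANGE_PATTERN = re.compile(r"\b(new|updated|changed)\s+(bank|account|iban|wire)", re.I)

def _domain(header_value):
    """Lower-cased domain of a From/Reply-To header value, or '' if absent."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_lookalike(domain, trusted=TRUSTED_VENDOR_DOMAINS):
    """True when `domain` is not trusted itself but matches a trusted domain after
    folding confusable characters (0->o, 1->l, 5->s) or swapping .co for .com."""
    if not domain or domain in trusted:
        return False
    folded = domain.translate(str.maketrans("015", "ols"))
    name, _, tld = folded.rpartition(".")
    return folded in trusted or (tld == "co" and f"{name}.com" in trusted)

def vec_indicators(raw_message, trusted=TRUSTED_VENDOR_DOMAINS):
    """Return the VEC markers found in one RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", "")) or from_dom
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = " ".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")
    found = []
    if is_lookalike(from_dom, trusted):
        found.append("lookalike sender domain")
    if reply_dom != from_dom:
        found.append("reply-to domain differs from sender domain")
    if BANK_CHANGE_PATTERN.search(body):
        found.append("bank account change requested in body")
    return found

# Constructed sample messages, not taken from any real incident.
SAMPLE_LOOKALIKE = """From: Accounts <billing@vend0r.com>
Subject: Invoice 4471 overdue

Please note our new bank account details below before remitting.
"""
SAMPLE_REPLY_TO = """From: Accounts <billing@vendor.com>
Reply-To: billing@vendor-invoices.co
Subject: Invoice 4471

Kindly remit as per the attached invoice.
"""
```

Such a check complements, rather than replaces, out-of-band verification: an email sent from a genuinely compromised vendor account shows none of the header markers and is caught only by the body check or by calling the vendor.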

2. Implement email authentication mechanisms

Implementing email authentication protocols, such as SPF, DKIM, and DMARC, is essential to prevent attackers from spoofing vendor domains or sending fraudulent invoices under a forged sender. These mechanisms verify whether an email truly originates from the claimed sending domain, helping organizations detect and block lookalike domains or unauthorized use of a vendor's identity. Note that they authenticate the domain, not the sender's intent: an email sent from a genuinely compromised vendor account will pass all three checks, which is why the remaining measures in this section are still needed. Together, they create an additional layer of trust in vendor communications.

3. Establish multi-step payment approvals

Multi-step payment approvals add an extra layer of defense by ensuring no single employee can authorize high-value or sensitive vendor transactions. Requiring dual authorization—such as one person initiating a payment and another independently verifying vendor details—helps catch fraudulent requests before money leaves the organization. This safeguard not only prevents mistakes, it also makes it significantly harder for VEC scams to succeed.

4. Conduct regular vendor verification

Regularly verifying vendor details, such as bank account information, contact numbers, and billing practices, helps ensure that payment requests are legitimate. Instead of relying solely on email instructions, organizations should confirm changes through trusted channels like phone calls or secure vendor portals. This routine verification builds resilience against VEC attacks, where cybercriminals often insert fraudulent account details into otherwise authentic-looking invoices.

5. Continuously monitor for anomalies

Continuous monitoring helps detect subtle signs of compromise, such as unusual login locations, unexpected email forwarding rules, or sudden changes in vendor communication patterns. By using advanced email security solutions and anomaly detection tools, organizations can quickly flag suspicious behavior before it leads to financial loss. Proactive monitoring ensures that potential VEC attempts are caught early, reducing the window of opportunity for attackers.

6. Conduct employee awareness training

Employees in finance, procurement, and accounts departments are prime targets for VEC scams, making regular awareness training essential. Training sessions should cover how to spot red flags in vendor emails, verify payment changes, and escalate suspicious requests without delay. Well-informed employees act as a strong first line of defense, significantly reducing the chances of a costly breach.

7. Deploy an email security solution

One of the most crucial steps in protecting your company from VEC attacks is deploying an email security solution. An advanced email security solution can identify and block suspicious vendor messages that traditional filters often miss. Features like domain similarity detection, behavioral analysis, and threat intelligence help flag fraudulent invoices or compromised accounts before they reach employees. By providing detailed threat reports and automating anomaly detection, these solutions add a critical safety net against sophisticated VEC scams.

Wrapping up

eProtect is a cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premises and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.
