Vendor email compromise: The silent $300M threat CISOs can’t ignore

Vendor email compromise (VEC) attacks are bypassing traditional defenses by exploiting human trust rather than technical vulnerabilities, according to a new report by Abnormal AI.

The data in the report shows that 72% of employees at large enterprises engaged with fraudulent vendor emails — replying or forwarding messages that contain no links or attachments. This behavior has fueled attempted thefts topping $300 million globally over the past year, with VEC attacks now showing 90% higher engagement rates than traditional business email compromise (BEC).

The Europe, Middle East, and Africa (EMEA) region has emerged as ground zero for this growing threat. While EMEA employees interact with VEC scams more than any other region, they report just 0.27% of these incidents, the lowest reporting rate worldwide. The telecom sector appeared most vulnerable, with 71.3% employee engagement, followed by energy and utilities at 56.25%, according to the report.

“Email-based social engineering has never been more convincing or more effective,” Mike Britton, CIO at Abnormal AI, said in a press statement. “Attackers are hijacking legitimate vendor threads and crafting sophisticated messages that slip past legacy defenses. Because employees believe these emails are genuine, they are engaging with them at alarming rates.”

The report uncovered particularly risky behavior among EMEA’s junior sales teams, who engage with 86% of VEC attempts. While organizations detect and report 4.22% of traditional BEC attacks, a staggering 98.5% of VEC scams go unreported, often only discovered after financial damage occurs. This stands in sharp contrast to the Asia-Pacific (APAC) region, where BEC remains the dominant threat with 44.4% employee engagement rates.

Sujit Dubal, an analyst at QKS Group, said, “Gen AI has elevated VEC attacks to surgical precision. We’re no longer talking about obvious phishing attempts – these are meticulously crafted business communications that circumvent multi-factor authentication and other security measures.” 

AI amplifies threat complexity

Unlike traditional phishing, VEC attacks mimic legitimate business email threads, often generated using AI to replicate tone, branding, and message history with high accuracy. With no obvious triggers for detection, these emails bypass filters and fool even cautious employees, who, in a tight job market, often rush to resolve perceived issues like missed payments.

“Existing controls like multi-factor authentication are failing against these AI-powered attacks,” Dubal warned. “We need a fundamental strategy shift that addresses psychological manipulation, not just credential verification.”

Perimeter defenses alone can’t stop this AI-driven VEC, he added. “Organizations need three critical upgrades: AI-powered email analytics that detect subtle inconsistencies, active vendor verification protocols, and retrained employees who recognize social engineering, not just technical threats.”
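As an added illustration of the "subtle inconsistencies" a hijacked vendor thread leaves behind (this is not Abnormal AI's product logic or code from the report), the check below compares a new reply against the domains a thread was established with and flags a lookalike sender domain, a Reply-To that points elsewhere, and wording that introduces new payment details. The `Message` class and `assess_reply` function are hypothetical, and the thread and domains are constructed samples.

```python
import re
from dataclasses import dataclass

# Hypothetical minimal model of one message in a vendor thread (assumption, not a real API).
@dataclass
class Message:
    sender: str
    body: str
    reply_to: str = ""

# Wording that usually accompanies a fraudulent change of remittance details.
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|iban|remit|wire)", re.I | re.S)

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (acme vs acrne)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def assess_reply(thread: list[Message], reply: Message) -> list[str]:
    """Compare a new reply against the domains the thread was established with."""
    known = {domain(m.sender) for m in thread}
    d = domain(reply.sender)
    findings = []
    if d not in known:
        closest = min(known, key=lambda k: edit_distance(d, k))
        if edit_distance(d, closest) <= 2:
            findings.append(f"sender domain {d} is a lookalike of {closest}")
        else:
            findings.append(f"sender domain {d} never appeared earlier in the thread")
    if reply.reply_to and domain(reply.reply_to) != d:
        findings.append(f"Reply-To domain {domain(reply.reply_to)} differs from sender domain {d}")
    if PAYMENT_CHANGE.search(reply.body):
        findings.append("message introduces changed payment instructions")
    return findings

# Constructed sample: a genuine invoice exchange, then a hijacked reply from a lookalike domain.
THREAD = [
    Message("ap@acme-supplies.example", "Invoice 4471 attached, due in 30 days."),
    Message("buyer@customer.example", "Thanks, scheduled for payment."),
]
HIJACKED = Message("ap@acme-suppl1es.example",
                   "After an audit we have updated our bank account; please remit to the new IBAN below.")
BENIGN = Message("ap@acme-supplies.example", "Just confirming receipt, thanks.")
```

Running `assess_reply(THREAD, HIJACKED)` yields two findings (lookalike domain and changed payment instructions), while `BENIGN` yields none; in practice the flagged reply is routed to out-of-band vendor verification rather than blocked outright.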

While VEC volume remains lower than phishing or ransomware, its success rate—and potential financial impact—is far greater. “Weaponized AI makes it easier than ever to impersonate trusted vendors,” Britton added, urging organizations to “move beyond reactive training and adopt proactive defenses that block threats before they reach the inbox” to prevent costly human error.
