{"id":3437,"date":"2025-06-04T12:17:04","date_gmt":"2025-06-04T12:17:04","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3437"},"modified":"2025-06-04T12:17:04","modified_gmt":"2025-06-04T12:17:04","slug":"vendor-email-compromise-the-silent-300m-threat-cisos-cant-ignore","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3437","title":{"rendered":"Vendor email compromise: The silent $300M threat CISOs can\u2019t ignore"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Vendor email compromise (VEC) attacks are bypassing traditional defenses by exploiting human trust rather than technical vulnerabilities, according to a new report by Abnormal AI.<\/p>\n<p>The data in the report shows that 72% of employees at large enterprises engaged with fraudulent vendor emails \u2014 replying or forwarding messages that contain no links or attachments. This behavior has fueled attempted thefts topping $300 million globally over the past year, with VEC attacks now showing 90% higher engagement rates than traditional business email compromise (<a href=\"https:\/\/www.csoonline.com\/article\/3995364\/ai-superpowers-bec-attacks.html\">BEC<\/a>).<\/p>\n<p>The Europe, Middle East, and Africa (EMEA) region has emerged as ground zero for this growing threat. While EMEA employees interact with VEC scams more than any other region, they report just 0.27% of these incidents, the lowest reporting rate worldwide. 
The telecom sector appeared most vulnerable, with 71.3% employee engagement, followed by energy and utilities at 56.25%, according to the report.<\/p>\n<p>\u201cEmail-based social engineering has never been more convincing or more effective,\u201d Mike Britton, CIO at Abnormal AI, said in a <a href=\"https:\/\/www.businesswire.com\/news\/home\/20250603951973\/en\/New-Report-from-Abnormal-AI-Reveals-Alarming-Employee-Exposure-to-Vendor-Email-Compromise-Across-EMEA\" target=\"_blank\" rel=\"noopener\">press statement<\/a>. \u201cAttackers are hijacking legitimate vendor threads and crafting sophisticated messages that slip past legacy defenses. Because employees believe these emails are genuine, they are engaging with them at alarming rates.\u201d<\/p>\n<p>The report uncovered particularly risky behavior among EMEA\u2019s junior sales teams, who engage with 86% of VEC attempts. While organizations detect and report 4.22% of traditional BEC attacks, a staggering 98.5% of VEC scams go unreported, often only discovered after financial damage occurs. This stands in sharp contrast to the Asia-Pacific (APAC) region, where BEC remains the dominant threat with 44.4% employee engagement rates.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/sujitsinhdubal\/?originalSubdomain=in\" target=\"_blank\" rel=\"noopener\">Sujit Dubal<\/a>, an analyst at QKS Group, said, \u201cGen AI has elevated VEC attacks to surgical precision. 
We\u2019re no longer talking about obvious phishing attempts \u2013 these are meticulously crafted business communications that <a href=\"https:\/\/www.csoonline.com\/article\/570795\/how-to-hack-2fa.html\">circumvent multi-factor authentication<\/a> and other security measures.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><strong>AI amplifies threat complexity<\/strong><\/h2>\n<p>Unlike traditional <a href=\"https:\/\/www.csoonline.com\/article\/514515\/what-is-phishing-examples-types-and-techniques.html\">phishing<\/a>, VEC attacks mimic legitimate business email threads, often generated using AI to replicate tone, branding, and message history with high accuracy. With no obvious triggers for detection, these emails bypass filters and fool even cautious employees, who, in a tight job market, often rush to resolve perceived issues like missed payments.<\/p>\n<p>\u201cExisting controls like multi-factor authentication are failing against these <a href=\"https:\/\/www.csoonline.com\/article\/3819176\/top-5-ways-attackers-use-generative-ai-to-exploit-your-systems.html\">AI-powered attacks<\/a>,\u201d Dubal warned. \u201cWe need a fundamental strategy shift that addresses psychological manipulation, not just credential verification.\u201d<\/p>\n<p>Perimeter defenses alone can\u2019t stop this AI-driven VEC, he added. \u201cOrganizations need three critical upgrades: AI-powered email analytics that detect subtle inconsistencies, active vendor verification protocols, and retrained employees who recognize social engineering, not just technical threats.\u201d<\/p>\n<p>While VEC volume remains lower than phishing or ransomware, its success rate\u2014and potential financial impact\u2014is far greater. 
\u201cWeaponized AI makes it easier than ever to impersonate trusted vendors,\u201d Britton added, urging organizations to \u201cmove beyond reactive training and adopt proactive defenses that block threats before they reach the inbox\u201d to prevent costly human error.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Vendor email compromise (VEC) attacks are bypassing traditional defenses by exploiting human trust rather than technical vulnerabilities, according to a new report by Abnormal AI. The data in the report shows that 72% of employees at large enterprises engaged with fraudulent vendor emails \u2014 replying or forwarding messages that contain no links or attachments. This [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3436,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3437","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3437"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3437"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3437\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3436"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3437"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?
rest_route=%2Fwp%2Fv2%2Fcategories&post=3437"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3437"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}