May 14, 2026

BEC vs VEC: what is the difference and why are both dangerous?

Understand the difference between Business Email Compromise and Vendor Email Compromise, how these attacks are connected, and how to protect your company from financial fraud.

Digital financial fraud is becoming increasingly sophisticated. Among the most common attacks against companies are Business Email Compromise (BEC) and Vendor Email Compromise (VEC), which happens when criminals take control of a legitimate vendor email account.

Although these two attacks are related, they are not exactly the same. Understanding the difference between them is essential to protect finance teams, vendors, customers, and payment processes.

What is Business Email Compromise?

Business Email Compromise is a type of fraud where criminals use email to deceive companies and convince employees to make payments, change bank details, or send sensitive information.

In this type of attack, the criminal may impersonate an executive, a vendor, a partner, or someone with authority inside the company. The goal is to create a message convincing enough for the victim to take a financial action without properly verifying it.

A common example is an email that appears to come from the CEO requesting an urgent transfer to a specific account. Another example is a message that seems to come from a vendor saying that their bank details have changed.

What is Vendor Email Compromise?

Vendor Email Compromise happens when criminals gain real access to a vendor’s email account. Instead of simply pretending to be the vendor, they use the compromised account itself to communicate with customers and partners.

This makes the attack much more dangerous because the message comes from a legitimate address, with real conversation history and, in many cases, access to invoices, contracts, and previous payment details.

In this scenario, the criminal may monitor conversations for some time and wait for the right moment to send a fraudulent instruction, such as an IBAN change request or a new invoice with fake bank details.

What is the main difference?

The main difference is the origin of the communication.

In traditional BEC, the criminal may use a lookalike domain, a fake email address, an internally compromised account, or spoofing techniques to impersonate someone.

In VEC, the criminal uses a real account belonging to a legitimate vendor. This means the communication may look completely normal because it comes from the company’s usual contact.

Simply put:

  • BEC is a broader category of business email fraud.
  • VEC is a specific type of attack that can be used within a BEC fraud scenario.

How are these attacks connected?

In practice, Vendor Email Compromise can be used to carry out a Business Email Compromise attack.

For example, if a criminal compromises a vendor’s email account, they can send a message to a customer’s finance team requesting a change in bank details. Because the request comes from a real account, the team may believe it is legitimate.

This scenario combines both concepts:

  • The compromised account belongs to the vendor;
  • The fraud happens through business email communication;
  • The objective is to manipulate a payment;
  • The victim trusts the existing commercial relationship.

For this reason, Vendor Email Compromise can be seen as one of the most dangerous forms of BEC, especially when it involves recurring payments, pending invoices, or strategic vendors.

Practical example

Imagine a company has worked with the same service provider for years. Every month, it receives an invoice by email and makes the payment to the registered IBAN.

One day, the finance team receives a message from the vendor’s usual email address:

“We have updated our bank details. From this month onward, please use the new IBAN listed in the attached invoice.”

The email looks legitimate. The signature is correct. The conversation history exists. The attachment looks normal.

However, the vendor’s account has been compromised. The new IBAN belongs to the criminals. If the company makes the payment without additional verification, the money will be redirected.

Why are these attacks so dangerous?

The greatest risk is trust. Companies are used to communicating by email with vendors, customers, banks, and partners. Criminals exploit this routine to introduce small changes into existing processes.

These attacks often do not look technical. They exploit human behavior, time pressure, and weaknesses in internal approval processes.

Attackers may use real information, such as invoice numbers, employee names, payment dates, and correct amounts. This makes the fraud much more convincing.

Warning signs

BEC and VEC attacks often look legitimate. They may come from a real inbox, include real context, and follow an existing conversation.

Watch for signs such as:

  • Sudden change in payment details, such as a new IBAN or beneficiary name;
  • Urgency around a payment, invoice, or account update;
  • Pressure to bypass approvals, procurement, or the usual process;
  • Request to keep the transaction confidential;
  • Tone, wording, or pressure that feels out of character;
  • Small changes in invoices, signatures, bank details, or payment references;
  • Unexpected CCs, changed Reply-To addresses, or new contacts in the thread;
  • Vague answers when confirmation is requested;
  • Financial instructions outside the normal pattern.

Even when the email comes from a legitimate account, these signs should be taken seriously. Pause, verify through a trusted channel, and follow the approval process before changing payment or vendor details.
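Several of these signs can be checked mechanically before a person reads the message. The Python below is an added example, not code from the original article: it triages a constructed sample email against a constructed vendor record and reports a Reply-To domain that differs from the sender, CC addresses not already known for that vendor, an IBAN that differs from the one on file, and urgency or confidentiality wording. The domains, addresses and IBANs are all made up for the illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed vendor record: what the company already has on file (assumed data).
VENDOR_RECORD = {
    "domain": "acme-services.example",
    "iban": "DE89370400440532013000",
    "known_contacts": {"billing@acme-services.example"},
}

# Constructed sample message that shows several of the warning signs at once.
SAMPLE_EMAIL = """\
From: Acme Billing <billing@acme-services.example>
To: payments@customer.example
Cc: ops-finance@acme-services-invoices.example
Reply-To: billing@acme-services-invoices.example
Subject: Re: Invoice 2026-0041 - updated bank details
Content-Type: text/plain; charset=utf-8

Hi,

We have updated our bank details. From this month onward, please use the
new IBAN below. This is urgent and please keep it confidential for now.

IBAN: GB29 NWBK 6016 1331 9268 19
"""

# Loose IBAN shape: country code, two check digits, then groups of four.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")
PRESSURE_WORDS = ("urgent", "immediately", "confidential", "do not discuss", "today")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def normalize_iban(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()


def triage(raw: str, vendor: dict) -> list[str]:
    """Return the warning signs found in a raw email, or an empty list if none."""
    msg = message_from_string(raw)
    findings = []

    # Sign: Reply-To pointing somewhere other than the sending domain.
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(sender):
        findings.append(f"Reply-To domain differs from From domain: {reply_to}")

    # Sign: new contacts added to the thread that are not in the vendor record.
    for _, addr in getaddresses(msg.get_all("Cc", [])):
        if addr.lower() not in vendor["known_contacts"]:
            findings.append(f"New contact in thread: {addr}")

    # Sign: bank details in the message that differ from what is on file.
    body = msg.get_payload()  # plain-text, non-multipart in this sample
    for iban in IBAN_RE.findall(body):
        if normalize_iban(iban) != vendor["iban"]:
            findings.append(
                f"IBAN in message differs from vendor record: {normalize_iban(iban)}")

    # Sign: urgency or confidentiality pressure.
    lowered = body.lower()
    hits = [w for w in PRESSURE_WORDS if w in lowered]
    if hits:
        findings.append(f"Urgency/confidentiality pressure: {', '.join(hits)}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL, VENDOR_RECORD):
        print("-", finding)
```

A non-empty result is a reason to pause and verify through the channel already on file, not proof of fraud; an empty result is not proof of safety either, since a fully compromised vendor account can send a message that trips none of these checks.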

How to protect your company

The best defense is to create processes that do not rely only on trust in email.

Any change in bank details should be confirmed through an independent channel, such as a call to a phone number already registered in the company’s vendor records. Never rely only on the phone number or contact details provided in the suspicious email itself.

It is also important to implement dual approval for sensitive payments, especially when they involve new vendors, new IBANs, or high-value transfers.

Finance, procurement, and administration teams should receive regular training to recognize fraud attempts and know how to act before approving payments.

Recommended best practices

To reduce the risk of BEC and VEC, companies should adopt measures such as:

  • Multi-factor authentication on email accounts;
  • Independent confirmation of bank detail changes;
  • Formal process for updating vendor information;
  • Dual approval for critical payments;
  • Monitoring of lookalike domains;
  • Continuous training against phishing and social engineering;
  • Regular review of official vendor contacts;
  • Alerts for unusual changes in invoices.

Technology helps, but internal processes are just as important. A simple confirmation phone call can prevent a significant financial loss.
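As an added example, not taken from the article, the Python below models the process described in the two sections above: a bank-detail change is applied only after a callback to the phone number already held in vendor records (a number supplied in the email is rejected) and two distinct approvals, and a payment is released only to the IBAN on file, with dual approval above a high-value threshold. The vendor name, phone numbers, IBANs and threshold are constructed for the illustration.

```python
from dataclasses import dataclass, field


class ChangeControlError(Exception):
    """Raised when a record change or payment violates the control process."""


@dataclass
class VendorRecord:
    name: str
    iban: str
    verified_phone: str  # from vendor master data, never from an incoming email


@dataclass
class BankDetailChange:
    vendor: str
    new_iban: str
    verified_by_callback: bool = False
    approvers: set[str] = field(default_factory=set)


def confirm_by_callback(change: BankDetailChange, record: VendorRecord,
                        number_called: str, vendor_confirmed: bool) -> None:
    """Record an independent confirmation; only a call to the number on file counts."""
    if number_called != record.verified_phone:
        raise ChangeControlError(
            "callback must go to the number already in vendor records, not one from the email")
    change.verified_by_callback = vendor_confirmed


def approve(change: BankDetailChange, approver: str) -> int:
    """Add an approval and return the number of distinct approvers so far."""
    change.approvers.add(approver)  # a set, so the same person cannot count twice
    return len(change.approvers)


def apply_change(change: BankDetailChange, record: VendorRecord,
                 required_approvals: int = 2) -> VendorRecord:
    """Update the vendor record only after callback confirmation and dual approval."""
    if change.vendor != record.name:
        raise ChangeControlError("change request does not match this vendor record")
    if not change.verified_by_callback:
        raise ChangeControlError("bank details not confirmed through an independent channel")
    if len(change.approvers) < required_approvals:
        raise ChangeControlError(
            f"{required_approvals} distinct approvals required, have {len(change.approvers)}")
    record.iban = change.new_iban
    return record


def release_payment(record: VendorRecord, invoice_iban: str, amount: float,
                    approvers: set[str], high_value_threshold: float = 10_000.0) -> dict:
    """Pay only to the IBAN on file; high-value transfers need two approvers."""
    if invoice_iban.replace(" ", "").upper() != record.iban:
        raise ChangeControlError("invoice IBAN differs from vendor record; verify before paying")
    if amount >= high_value_threshold and len(approvers) < 2:
        raise ChangeControlError("high-value transfer requires dual approval")
    return {"vendor": record.name, "iban": record.iban, "amount": amount}


if __name__ == "__main__":
    # Constructed walk-through of the practical example from the article.
    acme = VendorRecord("Acme Services", "DE89370400440532013000", "+49-30-000000")
    request = BankDetailChange("Acme Services", "GB29NWBK60161331926819")
    confirm_by_callback(request, acme, "+49-30-000000", vendor_confirmed=True)
    approve(request, "alice")
    approve(request, "bob")
    apply_change(request, acme)
    print(release_payment(acme, "GB29 NWBK 6016 1331 9268 19", 500.0, {"alice"}))
```

The point of keeping the IBAN check inside `release_payment` rather than only in the change workflow is that an invoice carrying a new IBAN can then never be paid by accident: the only way to pay a different account is to go through the callback and dual-approval path first.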

Conclusion

BEC and VEC are different threats, but they are deeply connected. BEC represents business email fraud in a broader sense, while VEC happens when a real vendor account is compromised and used to deceive customers or partners.

The danger lies in the fact that these attacks appear legitimate. The message may come from a real account, include accurate information, and be part of an existing conversation.

For this reason, companies should not rely only on email to approve payments or change bank details. For any sensitive financial request, the rule should be simple: verify before you pay.