Apr 30, 2026
Cybersecurity

Vendor Email Compromise: when the attack comes from a trusted supplier

Learn how Vendor Email Compromise attacks exploit trusted suppliers to steal money, credentials, and business data.


Not every cyberattack begins with malware, ransomware, or a complex technical vulnerability. Often, it starts with something much simpler: a seemingly ordinary email sent by a supplier the company already trusts.

An overdue invoice. A request to update bank account details. A new shared document. A reply in an old conversation. An email that appears to come from a familiar business partner.

This is exactly where Vendor Email Compromise, or VEC, comes in: an evolution of Business Email Compromise (BEC) in which cybercriminals exploit real commercial relationships to deceive finance, administrative, operational, or management teams.

What is Vendor Email Compromise?

Vendor Email Compromise is an attack in which criminals impersonate a supplier, partner, service provider, or organization with which the company already has a business relationship.

The objective may vary, but it usually includes:

  • Redirecting payments to fraudulent bank accounts;
  • Sending fake invoices;
  • Requesting changes to bank account details;
  • Stealing employee credentials;
  • Obtaining internal documents;
  • Joining legitimate conversations to manipulate decisions;
  • Compromising other suppliers or customers through the chain of trust.

Unlike traditional phishing, VEC does not rely on a generic message sent at scale. The attack is personalized, fits the context of a real business relationship, and is often much harder to detect.

Why is this attack so dangerous?

The main danger of Vendor Email Compromise is that the attack looks legitimate.

When an employee receives an email from an unknown supplier, some level of suspicion is natural. But when the email appears to come from a company they have worked with for months or years, the perception of risk drops.

Attackers exploit exactly that: trust, routine, and operational pressure.

Imagine this scenario:

The finance team receives an email from a regular supplier saying that its bank account has changed. The message includes the correct company name, the usual signature, the right tone, and even mentions a real invoice. The request seems normal. The payment is made. Only days later does the company discover that the bank account belonged to the attackers.

This type of fraud does not need malware. It does not need dangerous attachments. It does not even need malicious links. It only needs to convince the right person to take the wrong action.

How does a Vendor Email Compromise attack work?

A VEC attack can happen in several ways. Some involve the supplier's real email account. Others use similar domains, spoofed names, or accounts created to imitate the supplier's identity.

1. Reconnaissance

Before sending the email, attackers collect information.

They may review the company's website, look through employees' LinkedIn profiles, map supplier relationships, and search for public documents that reveal how the business works. They may also use data leaks, credentials exposed on the dark web, domains similar to the brand, or old conversations obtained through compromised accounts to make the message feel familiar and believable.

The more context the attacker has, the easier it becomes to write an email that looks like part of a real business conversation.

2. Supplier compromise or impersonation

The attacker then chooses one of two approaches.

The first is to compromise a real supplier account. This is the most dangerous scenario because the email comes from a legitimate account, with real history and previous conversations, and it passes every sender-authentication check the recipient's mail system applies.

The second is to impersonate the supplier without accessing the real account. In this case, attackers may use very similar domains, make subtle changes to the email address, spoof the display name, copy signatures, reuse real logos, forge documents, or send invoices that visually resemble the real ones.

Example:

finance@supplier-real.com
vs.
finance@supplier-reai.com

At first glance, especially on a mobile phone, the difference can go unnoticed.

3. Creating the pretext

The email usually presents a plausible request.

It may say that the supplier has updated its bank details, attached a corrected invoice, needs an urgent payment, or closed the previous account. In other cases, the message may ask the recipient to confirm order details, access a new billing portal, or open an updated contract through a shared link.

The attacker tries to make the request fit into the company's normal routine. That is why these attacks are particularly dangerous for finance, procurement, HR, operations, and leadership teams.

4. Pressure and urgency

Many attacks include elements of urgency. The message may mention a short payment deadline, threaten service suspension, ask for confidentiality, or pressure the recipient to avoid delays. It may also refer to a meeting, a management decision, or use language that makes additional validation feel unnecessary or inconvenient.

The objective is to reduce reflection time and push the victim to act before confirming the request.

5. Fraud execution

The final phase may involve a payment to a fraudulent account, the disclosure of sensitive data, the download of a malicious file, or the entry of credentials into a fake portal. In some cases, the attacker may also push for bank information to be changed in the internal system or use the initial compromise to reach other employees or customers.

When the fraud is discovered, the money has often already been moved through several accounts, making recovery difficult.

VEC is not only a financial problem

Although many Vendor Email Compromise attacks are linked to payments, the impact can go far beyond financial loss.

A successful attack can cause:

  • Theft of confidential data;
  • Exposure of contracts;
  • Credential compromise;
  • Loss of trust with customers and partners;
  • Operational disruption;
  • Reputational damage;
  • Internal investigations and legal costs;
  • An entry point for later attacks, such as ransomware.

In many cases, VEC acts as an early stage in the attack chain. The attacker uses trust in the supplier to gain access, collect information, and prepare a larger intrusion.

Why do companies remain vulnerable?

Companies are used to protecting systems, networks, and endpoints. But VEC targets something harder to secure: the trust between people, suppliers, and business processes.

That makes the risk difficult to solve with technology alone. The attack often succeeds because it blends into normal work, uses familiar names, and takes advantage of gaps in internal procedures.

1. Weak validation in financial processes

If a bank account change can be approved by email alone, the company is exposed. Payment workflows need clear validation steps, especially when supplier details, IBANs, invoice instructions, or payment destinations change.

2. Lack of verification through an alternative channel

Sensitive requests should be confirmed through a separate trusted channel, such as a phone number already registered in the supplier record, a video call, or an internal procurement system. Replying to the same email thread is not enough if the thread itself may be compromised.

3. Excessive trust in regular suppliers

Long-standing relationships often reduce suspicion. When a message appears to come from a familiar supplier, employees may skip checks they would normally apply to an unknown sender. Attackers rely on that comfort.

4. No monitoring of similar domains

Domains that look like the company brand or like critical suppliers can be used for impersonation attacks. Without monitoring, these lookalike domains may remain active long enough to support phishing pages, fake invoices, or convincing email campaigns.

5. Generic training

Phishing training based only on spelling mistakes and suspicious links is no longer enough. Many fraudulent emails are now well written, contextual, and visually credible. Teams need to practice realistic scenarios involving supplier changes, payment pressure, fake invoices, and requests that appear to come from trusted business relationships.

Warning signs in a Vendor Email Compromise attack

Vendor Email Compromise is difficult to spot because the message often looks like normal business communication. Still, certain patterns should slow the process down and trigger additional validation.

1. Request to change bank details

Any request to change an IBAN, payment destination, billing account, or supplier bank information should be treated as high risk. Even if the message appears to come from a known contact, the change should be confirmed through an approved channel before any payment is made.

2. Abnormal urgency

Attackers often try to compress decision time. Phrases such as "we need this today", "to avoid service suspension", or "immediate payment required" should be reviewed carefully, especially when they are paired with a financial request.

3. Subtle change in the email address

The sender name may look correct while the actual domain contains a small difference. A swapped letter, an extra word, a hyphen, or a different top-level domain can be enough to make a fraudulent address look familiar at a glance.

4. Request outside the usual process

If a supplier normally sends invoices through a platform and suddenly asks for payment by email, the request should be validated. The same applies when a supplier asks to bypass procurement, change approval steps, or send documents through a new channel.

5. Slightly different tone

Even when an email comes from a real account, the writing style may feel unusual. A different tone, unexpected wording, missing context, or pressure that does not match the relationship can indicate that someone else is controlling the conversation.

6. Links to unknown portals

Links to "new billing portals", "updated invoice systems", or "shared documents" can be used to steal credentials. Before signing in, employees should check whether the domain is legitimate and whether the request matches the supplier's normal process.

7. Unexpected attachments

Unexpected invoices, contracts, archive files, or revised payment instructions should be handled with caution. If the attachment was not expected, it should be verified before opening or forwarding it internally.
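The warning signs above can be turned into a first-pass triage rule that a mail gateway or an accounts-payable mailbox integration runs on every inbound supplier message. The following is an added example and not code from the original article: the supplier registry, the keyword and attachment lists, the risk thresholds and both sample messages are constructed for illustration (a real deployment would load the registry from the procurement system and tune the lists to its own traffic).

```python
"""Triage of an inbound supplier email against the warning signs listed above.

Added example, not code from the original article. The supplier registry,
keyword lists, risk thresholds and both sample messages are constructed.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed registry: exact domains a supplier sends from and how it normally
# delivers invoices (portal vs. email).
SUPPLIER_REGISTRY = {"supplier-real.com": {"invoice_channel": "portal"}}

BANK_CHANGE_TERMS = ("bank details", "new iban", "updated account", "account has changed")
PRESSURE_TERMS = ("today", "immediately", "immediate payment", "service suspension", "confidential")
RISKY_ATTACHMENTS = (".zip", ".rar", ".7z", ".iso", ".html", ".htm", ".exe", ".js")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the actual From address; the display name is ignored on purpose."""
    return email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Return the sender domain, a list of human-readable findings and a risk level."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    known = domain in SUPPLIER_REGISTRY
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    findings = []

    if not known:
        findings.append(f"sender domain {domain} is not a registered supplier domain")
    hits = [t for t in BANK_CHANGE_TERMS if t in text]
    if hits:
        findings.append("asks to change bank details: " + ", ".join(hits))
    pressure = [t for t in PRESSURE_TERMS if t in text]
    if pressure:
        findings.append("urgency or pressure language: " + ", ".join(pressure))
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in SUPPLIER_REGISTRY:
            findings.append(f"link to a host that is not a registered supplier domain: {host}")
    if known and SUPPLIER_REGISTRY[domain]["invoice_channel"] == "portal" and "invoice" in text:
        findings.append("invoice sent by email although this supplier normally uses the portal")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENTS):
            findings.append(f"unexpected attachment type: {name}")

    # A bank-detail change or a link to an unknown host is high risk on its own;
    # otherwise escalate on the number of independent signals.
    if hits or any(f.startswith("link to") for f in findings):
        risk = "high"
    elif len(findings) >= 2:
        risk = "medium"
    else:
        risk = "low"
    return {"sender_domain": domain, "findings": findings, "risk": risk}


def build_fraud_sample() -> str:
    """Constructed message: lookalike domain, bank-change pretext, pressure, link and archive."""
    m = EmailMessage()
    m["From"] = "Accounts Team <finance@supplier-reai.com>"
    m["To"] = "ap@example-company.com"
    m["Subject"] = "RE: Invoice 4471 - updated bank details"
    m.set_content(
        "Hi,\n\nPlease note our bank details have changed. Use the new IBAN on the\n"
        "attached invoice and process immediate payment today to avoid\n"
        "service suspension. A copy is at https://billing-supplier-reai.com/inv/4471\n"
    )
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="Invoice_4471.zip")
    return m.as_string()


def build_benign_sample() -> str:
    """Constructed message from the registered domain with no risk signals."""
    m = EmailMessage()
    m["From"] = "Accounts Team <finance@supplier-real.com>"
    m["To"] = "ap@example-company.com"
    m["Subject"] = "PO 8812 delivery date"
    m.set_content("Hello,\n\nThe delivery for PO 8812 is confirmed for the 14th.\n\nRegards\n")
    return m.as_string()
```

The rule deliberately reads the real From address rather than the display name, and treats a bank-detail change as high risk even when every other signal is absent, because that single request is the one the payment process must never act on from email alone. Warning sign 5, a shift in tone, is not modelled: it is the check that still needs a human who knows the supplier.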

How to protect your company against Vendor Email Compromise

Defending against VEC requires more than email filtering. Companies need payment controls, identity protection, supplier validation, and teams that know how to pause when a request feels unusual.

1. Create validation processes for payments

Changes to IBAN, bank details, or payment instructions should never be approved by email alone. The safest approach is to confirm the request through a previously registered contact, require approval from more than one person, record the change formally, and validate it in the internal supplier system before releasing payment.
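Written as code, the control in the paragraph above is a small state machine: an email can open a change request, but the supplier record, and therefore the destination of any payment, only changes after an out-of-band call to the contact already on file and approval by two people other than the person who logged the request. The following is an added example, not code from the original article; the supplier data, names, IBANs and phone numbers are constructed, and the walk-through assumes the supplier confirmed the change on the registered number (had they denied it, the request would simply be dropped).

```python
"""The bank-detail change procedure from the paragraph above, enforced in code.

Added example, not code from the original article. Supplier data, names and
phone numbers are constructed. The rule enforced is that an email can start a
change request but can never, on its own, alter where money goes.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


class ControlViolation(Exception):
    """A step of the change procedure was skipped or performed incorrectly."""


@dataclass
class Supplier:
    name: str
    iban: str               # account on file; the only destination payments may use
    registered_phone: str   # captured at onboarding, never taken from an incoming email


@dataclass
class BankChangeRequest:
    supplier: Supplier
    new_iban: str
    requested_by: str                   # clerk who logged the email; cannot approve
    verified_via: Optional[str] = None  # number actually called
    verified_by: Optional[str] = None
    approvals: Set[str] = field(default_factory=set)
    applied: bool = False

    def verify_out_of_band(self, phone_called: str, by: str) -> None:
        """Call-back must use the number already on file, not one quoted in the email."""
        if phone_called != self.supplier.registered_phone:
            raise ControlViolation("call-back did not use the registered contact number")
        self.verified_via, self.verified_by = phone_called, by

    def approve(self, approver: str) -> None:
        """Approval is only possible after verification and never by the requester."""
        if self.verified_via is None:
            raise ControlViolation("out-of-band verification has not been recorded")
        if approver == self.requested_by:
            raise ControlViolation("requester cannot approve their own change request")
        self.approvals.add(approver)

    def apply(self) -> None:
        """Two distinct approvals are needed before the supplier record changes."""
        if len(self.approvals) < 2:
            raise ControlViolation("two independent approvals are required")
        self.supplier.iban = self.new_iban
        self.applied = True


def release_payment(supplier: Supplier, iban: str, amount: float) -> str:
    """Pay only to the account on file; an IBAN quoted in an email is never used directly."""
    if iban != supplier.iban:
        raise ControlViolation("destination IBAN does not match the supplier record")
    return f"paid {amount:.2f} to {supplier.name} at {supplier.iban}"


def raises(fn, *args, **kwargs) -> bool:
    """True when the call is blocked by the control (used by the walk-through)."""
    try:
        fn(*args, **kwargs)
    except ControlViolation:
        return True
    return False


def walkthrough() -> list:
    """Constructed scenario: the bank-change email from the article, handled under the control."""
    supplier = Supplier("Supplier Real Ltd", "PT50 0000 0000 0000 0000 0000 1", "+351 210 000 000")
    email_iban, email_phone = "LT12 1000 0111 0100 1000", "+44 7700 900000"  # both from the email
    log = []
    # The clerk tries to pay the invoice straight to the IBAN in the email: blocked.
    log.append(("pay to email IBAN", raises(release_payment, supplier, email_iban, 12400.0)))
    req = BankChangeRequest(supplier, email_iban, requested_by="ana")
    # Calling the number printed in the email would reach the attacker: blocked.
    log.append(("verify via email phone", raises(req.verify_out_of_band, email_phone, "bruno")))
    req.verify_out_of_band(supplier.registered_phone, by="bruno")  # assumed: supplier confirms
    log.append(("requester self-approves", raises(req.approve, "ana")))
    req.approve("bruno")
    log.append(("apply with one approval", raises(req.apply)))
    req.approve("carla")
    req.apply()
    log.append(("pay after procedure", release_payment(supplier, email_iban, 12400.0)))
    return log
```

The important property is that `release_payment` never takes its destination from the message: the only way an IBAN from an email reaches a payment is through `apply`, which cannot run until the verification and both approvals have been recorded against the request.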

2. Use multi-factor authentication

Multi-factor authentication reduces the risk of email account compromise, especially when suppliers and employees rely heavily on cloud inboxes. It is not a complete solution, since modern attacks can involve session token theft, adversary-in-the-middle phishing that relays the MFA step in real time, or abuse of OAuth applications that were granted access to the mailbox, but it remains an essential layer of protection. Phishing-resistant methods such as FIDO2 security keys or passkeys close the relay gap that code-based MFA leaves open.

3. Implement SPF, DKIM, and DMARC

SPF, DKIM, and DMARC reduce spoofing and unauthorized use of a domain. SPF lists which servers may send mail for the domain, DKIM signs outgoing messages so forgery and tampering can be detected, and DMARC tells receiving servers what to do when neither check passes for the domain in the From header. With an enforcing DMARC policy (quarantine or reject) in place, attackers can no longer send convincing emails that appear to come directly from the company's own domain. Two limits matter for VEC: these checks say nothing about mail sent from a supplier's genuinely compromised account, and a lookalike domain registered by the attacker can be configured to pass all three for itself, so they complement, rather than replace, the payment controls above.
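On the receiving side, the outcome of these checks arrives as an Authentication-Results header stamped by the company's own gateway, and the two limits just described show up directly when that header is read. The following is an added example and not code from the original article: the gateway identifier, the supplier registry, the sample headers and the DNS records in the comment are all constructed for illustration.

```python
"""Reading the SPF/DKIM/DMARC verdict a receiving gateway stamped on a message.

Added example, not code from the original article. The Authentication-Results
headers, the gateway identifier 'mx.example-company.com', the supplier registry
and the DNS records in the comment below are constructed.
"""
import email.utils
import re

# Illustrative records behind the recommendation above (values are placeholders):
#   example-company.com.                 TXT "v=spf1 include:_spf.mailprovider.example -all"
#   sel1._domainkey.example-company.com. TXT "v=DKIM1; k=rsa; p=<base64 public key>"
#   _dmarc.example-company.com.          TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example-company.com"

TRUSTED_AUTHSERV_ID = "mx.example-company.com"  # assumed: authserv-id of our own gateway
SUPPLIER_DOMAINS = {"supplier-real.com"}         # assumed registry of exact supplier domains

METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b")


def parse_auth_results(header: str) -> dict:
    """Map method -> result, but only for a header written by our own gateway.

    A sender can add an Authentication-Results header of their own; RFC 8601 says a
    receiver must only trust the ones carrying its authserv-id, so others return {}.
    """
    authserv, _, rest = header.partition(";")
    if (authserv.split() or [""])[0] != TRUSTED_AUTHSERV_ID:
        return {}
    return {m.group(1): m.group(2) for m in METHOD_RE.finditer(rest)}


def from_domain(from_header: str) -> str:
    """Domain of the address in From, ignoring any display name."""
    return email.utils.parseaddr(from_header)[1].rpartition("@")[2].lower()


def assess(from_header: str, auth_headers: list) -> tuple:
    """Verdict for an inbound message that claims to come from a supplier."""
    results = next((r for r in map(parse_auth_results, auth_headers) if r), {})
    domain = from_domain(from_header)
    dmarc = results.get("dmarc", "missing")
    if dmarc != "pass":
        return ("reject", f"DMARC result '{dmarc}' for {domain}")
    if domain not in SUPPLIER_DOMAINS:
        # First limit: a lookalike domain the attacker registered passes its own DMARC.
        return ("review", f"authenticated, but {domain} is not a registered supplier domain")
    # Second limit: a compromised real account lands here too; authentication cannot tell.
    return ("accept", f"DMARC pass from registered domain {domain}")


GATEWAY = TRUSTED_AUTHSERV_ID
SAMPLES = [
    # Spoofed From using the real supplier domain: SPF and DKIM fail, DMARC fails.
    ("finance@supplier-real.com",
     [f"{GATEWAY}; spf=fail smtp.mailfrom=supplier-real.com; dkim=none; "
      "dmarc=fail (p=reject) header.from=supplier-real.com"]),
    # Lookalike domain with its own SPF/DKIM/DMARC: passes, yet is not the supplier.
    ("Accounts Team <finance@supplier-reai.com>",
     [f"{GATEWAY}; spf=pass smtp.mailfrom=supplier-reai.com; dkim=pass header.d=supplier-reai.com; "
      "dmarc=pass header.from=supplier-reai.com"]),
    # Real supplier account (possibly compromised): everything passes.
    ("finance@supplier-real.com",
     [f"{GATEWAY}; spf=pass smtp.mailfrom=supplier-real.com; dkim=pass header.d=supplier-real.com; "
      "dmarc=pass header.from=supplier-real.com"]),
    # Authentication-Results forged by the sender: ignored, so DMARC counts as missing.
    ("finance@supplier-real.com",
     ["attacker-relay.example; dmarc=pass header.from=supplier-real.com"]),
]


def run_samples() -> list:
    """Verdicts for the constructed samples, in order."""
    return [assess(sender, headers)[0] for sender, headers in SAMPLES]
```

A DMARC pass only establishes that the From domain was not forged. It does not establish that the domain belongs to the supplier the company actually does business with, nor that the account behind it is still under its owner's control, which is why the second and third samples both pass authentication and are only separated by the registry lookup and, ultimately, by the payment procedure.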

4. Monitor similar domains

Companies should monitor domains that imitate their brand, products, or critical suppliers. Small variations such as swapped letters, similar-looking characters, hyphens, different extensions, or added words like "billing", "support", "finance", and "invoice" can be used to support impersonation campaigns.
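The variations listed here, the "supplier-real.com" versus "supplier-reai.com" pair shown earlier, and the "subtle change in the email address" warning sign are all instances of one check: compare a candidate domain against the registered domains of the brand and its critical suppliers and report how it differs. The following is an added example and not code from the original article. The registry, the keyword list and the confusable-character tables are constructed subsets, and the split into label and top-level domain assumes a single-label TLD; a real deployment would use the public suffix list and a fuller confusables table.

```python
"""Flagging domains that imitate a registered supplier or brand domain.

Added example, not code from the original article. The registry, keyword list
and confusable tables are constructed subsets; single-label TLDs are assumed.
"""
import unicodedata

REGISTRY = {"supplier-real.com", "example-company.com"}  # assumed: our brand and critical suppliers
KEYWORDS = ("billing", "support", "finance", "invoice", "payments", "secure")

# Small constructed subset of characters that render alike in common fonts.
CYRILLIC_TO_LATIN = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i"}
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))
SINGLE_CHAR = {"0": "o", "1": "l", "i": "l", "|": "l", "5": "s"}


def split_domain(domain: str):
    """('supplier-real', 'com') for 'Supplier-Real.com' (single-label TLD assumed)."""
    label, _, tld = domain.strip().lower().rpartition(".")
    return label, tld


def skeleton(label: str) -> str:
    """Collapse visually confusable characters so look-alike labels compare equal."""
    s = unicodedata.normalize("NFKC", label)
    s = "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in s)
    for multi, single in MULTI_CHAR:
        s = s.replace(multi, single)
    return "".join(SINGLE_CHAR.get(ch, ch) for ch in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one swapped, dropped or inserted character gives 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def without_keyword(label: str) -> set:
    """Variants of the label with one added keyword removed ('billing-acme' -> 'acme')."""
    out = set()
    for kw in KEYWORDS:
        for prefix in (kw + "-", kw):
            if label.startswith(prefix):
                out.add(label[len(prefix):])
        for suffix in ("-" + kw, kw):
            if label.endswith(suffix):
                out.add(label[:-len(suffix)])
    return out


def classify(candidate: str) -> tuple:
    """Return (verdict, matched registered domain or None); most specific verdict wins."""
    label, tld = split_domain(candidate)
    registry = [(reg, *split_domain(reg)) for reg in sorted(REGISTRY)]
    checks = (
        ("registered",      lambda rl, rt: label == rl and tld == rt),
        ("homoglyph",       lambda rl, rt: tld == rt and skeleton(label) == skeleton(rl)),
        ("tld-variant",     lambda rl, rt: label == rl and tld != rt),
        ("typosquat",       lambda rl, rt: levenshtein(label, rl) == 1),
        ("keyword-variant", lambda rl, rt: rl in without_keyword(label)),
        ("contains-brand",  lambda rl, rt: rl in label),
    )
    for verdict, test in checks:
        for reg, rl, rt in registry:
            if test(rl, rt):
                return (verdict, reg)
    return ("unrelated", None)
```

Run against newly registered domains from a certificate-transparency or zone-file feed, the verdicts other than "registered" and "unrelated" are the candidates to watch, block at the gateway, or report for takedown. The same function applied to the sender domain of an inbound message is the programmatic form of the "subtle change in the email address" check, and it catches the i-for-l swap in the page's own example as a homoglyph.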

5. Monitor exposed credentials

Credentials exposed on the dark web can be used to compromise email accounts and access real conversations. Continuous monitoring helps identify exposed business emails before attackers use them for account takeover or more convincing VEC attempts.

6. Review supplier permissions and access

Not all suppliers need the same level of access. Companies should apply the principle of least privilege, review supplier accounts regularly, remove old access, segment permissions, and monitor activity that does not match normal behavior.

7. Train teams with real examples

Training should be practical, contextual, and adapted to each role. Finance teams need scenarios involving fake invoices and bank detail changes, HR teams need to recognize suspicious personal data requests, leadership should prepare for executive impersonation, and procurement teams should practice dealing with fake suppliers and urgent payment pressure. The more realistic the training, the stronger the response.

Conclusion

Vendor Email Compromise shows that cyberattacks no longer depend only on technical vulnerabilities. Often, they exploit something much harder to protect: trust.

When an attacker impersonates a real supplier, the psychological barrier drops. The email looks legitimate. The request seems normal. The process feels routine. And that apparent normality is exactly what makes the attack dangerous.

Companies that depend on suppliers, partners, and recurring payments need to look at email security more broadly. Blocking malware is not enough. It is necessary to validate relationships, monitor external signals such as lookalike domains and exposed credentials, protect identities, and prepare employees to recognize suspicious requests even when they seem to come from trusted sources.