Outsmarting Vendor Email Compromise
Security Fundamentals · Updated Jul 2026
You probably already know what phishing is. You may even know about Business Email Compromise (BEC). Vendor Email Compromise (VEC) is the more advanced, more targeted evolution, and it’s the one most likely to slip past your existing controls, because it arrives inside a relationship you already trust.

Understanding Vendor Email Compromise
VEC is a targeted type of BEC where attackers gain access to a vendor’s email system and exploit the existing trust between the vendor and its clients. It differs from traditional phishing in one crucial way: instead of impersonating a stranger, the attacker becomes a business partner you’ve been emailing for years.
Mechanism of attack
- Initial compromise. Attackers breach a vendor’s email account and gain access to their conversations.
- Domain mimicking. They register a deceptive lookalike address with a change subtle enough to overlook. Real:
johndoe@xyzsupplies.com. Fake:johndoe@xyz-supplies.com. - Continuation of existing threads. They reply inside real, ongoing conversations, copying historical context so the request feels like business as usual.
- Exploitation of trust. The client, trusting their vendor, processes the request without suspicion.
A realistic walkthrough
Imagine a medium-sized company, ABC Corp, that has worked with a trusted vendor, XYZ Supplies, for years. Their communication happens almost entirely over email.
The attack begins. Unbeknownst to XYZ Supplies, their email system is compromised. The attacker now has their email database, including every ongoing thread with clients like ABC Corp. The attacker registers john.doe@xyz-supplies.com, one hyphen away from the real john.doe@xyzsupplies.com.
ABC Corp’s experience. Sarah at ABC Corp receives an email that seamlessly continues an existing conversation about a recent order. It appears to be from John Doe at XYZ Supplies and references details only John would know. The email requests payment for the order, citing a change in bank details due to “internal auditing.” Recognizing the thread and the professional tone, Sarah processes the payment.
The discovery. Weeks later, on a routine follow-up call, John mentions he never received payment. Sarah refers to the email about the bank change. John has no idea what she’s talking about: XYZ Supplies never changed their bank details. The investigation confirms a VEC attack, and the fraudulent email was practically indistinguishable from legitimate communication.
Why VEC is so effective
- Trust exploitation. Businesses don’t expect their vendors to be the threat.
- Real conversation continuation. There’s no suspicious “first contact” moment to catch.
- Mimicked domains. A single hyphen or dot is easy to miss in a busy inbox.
- Persistence after discovery. Even when the vendor finds the breach and locks down their systems, attackers keep copies of the conversations and can continue operating from the spoofed domain.
- The illusion of legitimacy. Familiar threads plus a familiar-looking address maintain the illusion end to end.
How to protect your business
Defending against VEC boils down to two components: people and process.
People
Enhanced awareness. Run regular training that uses real-world VEC examples, not just generic phishing. Send simulated phishing tests that mirror VEC patterns. Keep teams updated on current scam tactics.
Regular vendor communication. Verify and update vendor contact information on a schedule. Assess your critical vendors’ security posture, and where the relationship supports it, align on security practices together.
Process
Strong verification protocols. Any change to financial or sensitive details received by email gets confirmed through a second channel: a phone call to a pre-established number or a video call. Set up an internal approval process for payments that deviate from routine patterns.
Advanced email security. Invest in filtering that detects spoofed domains and phishing attempts, add visual indicators for external senders, and audit your DMARC, SPF, and DKIM configuration. Then ask your critical vendors about theirs.
Conclusion
VEC capitalizes on the two things businesses rely on most: trusted relationships and ongoing conversations. You beat it with awareness, verification protocols that don’t make exceptions for “urgent” requests, and a culture where double-checking a bank change is treated as professionalism, not paranoia.