VEC is BEC’s quieter, scarier cousin — how it works, why it lands, and how to stop falling for it.

You probably already know what phishing is. You may even know about Business Email Compromise (BEC). But Vendor Email Compromise (VEC) is the more dangerous, more targeted evolution — and it’s the one most likely to slip past your existing controls.

What VEC actually is

VEC is a flavor of BEC where attackers compromise a vendor’s email system, then exploit the trust between that vendor and its clients. The result: emails that look exactly like the ones you’ve been getting from your vendor for years, because they almost are.

How the attack tends to play out

  • Initial compromise: attackers get into a vendor’s email account.
  • Domain mimicking: mail goes out from a deceptive lookalike address such as johndoe@thevendor-company.com, where the vendor’s genuine domain is thevendor.company.com.
  • Continuation of existing threads: they reply within real, ongoing email conversations and copy historical context to make the request feel natural.
  • Exploitation of trust: the business processes the payment because the relationship feels normal.

A made-up-but-realistic example

Imagine “ABC Corp” working with “The Vendor Company”. An attacker compromises the vendor, spoofs an internal user, and replies inside an existing payment thread — quietly changing the bank routing details under the guise of “internal auditing.” Days or weeks later, ABC Corp realizes the payment never went where it was meant to.

Why it works

  • Trust exploitation: people don’t expect their vendors to be the threat.
  • Real conversation continuation: there’s no obvious “first contact” red flag.
  • Domain mimicry: a single hyphen or dot is easy to miss in a busy inbox.
  • Persistence: even if the vendor identifies the breach, attackers often have copies of conversations to keep operating from elsewhere.

What actually helps

  • Treat any banking-detail change as out-of-band — call your vendor on a known phone number to confirm.
  • Add visual cues for external senders, even when the domain looks similar.
  • Run phishing simulations that mirror VEC patterns, not just generic phishing.
  • Audit DMARC/SPF/DKIM, and ask the same of your critical vendors.
  • Train AP and finance teams to escalate any “urgent” payment changes by default.
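The lookalike-domain, thread-continuation and payment-change signals described above, turned into a triage check for inbound vendor mail. This is an added example, not code from the original post; the vendor allow-list, the payment-change phrases and the sample message are constructed values.

```python
import re
from email.utils import parseaddr

# Constructed allow-list of vendor domains finance actually pays (hypothetical value).
KNOWN_VENDOR_DOMAINS = {"thevendor.company.com"}
# Phrases marking a payment-instruction change (hypothetical list); every hit goes out-of-band.
PAYMENT_CHANGE_TERMS = ("routing", "bank details", "account number", "new account")


def normalize(domain: str) -> str:
    """Collapse the separators a lookalike domain shuffles: dots and hyphens."""
    return re.sub(r"[.-]", "", domain.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, written out because the inputs are short domain strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header value."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return "trusted"
    for known in KNOWN_VENDOR_DOMAINS:
        # Same letters with only dots/hyphens moved, or within two edits of a real vendor domain.
        if normalize(domain) == normalize(known) or edit_distance(domain, known) <= 2:
            return "lookalike"
    return "external"


def assess_reply(from_header: str, earlier_senders: list, body: str) -> dict:
    """Combine the post's three signals: lookalike sender, hijacked thread, payment change."""
    sender = classify_sender(from_header)
    # The thread began with the genuine vendor but this reply comes from somewhere else.
    hijack = sender != "trusted" and any(classify_sender(h) == "trusted" for h in earlier_senders)
    change = any(term in body.lower() for term in PAYMENT_CHANGE_TERMS)
    # A payment change escalates even from the trusted domain: that account may be the compromised one.
    return {"sender": sender, "thread_hijack": hijack, "payment_change": change,
            "escalate": change or sender == "lookalike" or hijack}


# Constructed sample reproducing the post's scenario: a reply inside a real payment thread.
SAMPLE = assess_reply("John Doe <johndoe@thevendor-company.com>",
                      ["John Doe <johndoe@thevendor.company.com>", "ap@abc-corp.example"],
                      "Following internal auditing, please use the new account and routing details.")
```

The verdict is meant to feed the out-of-band confirmation step, not replace it: a genuine vendor address asking for new bank details still escalates, because the compromised account is the real one.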