Employees repeatedly fall for vendor email compromise attacks

In just 12 months, attackers attempted to steal more than $300 million via vendor email compromise (VEC), with 7% of engagements coming from employees who had engaged with a previous attack, according to Abnormal AI.


Vendor email compromise risks increase with organization size

Employees struggle to differentiate between legitimate messages and attacks, especially when those emails appear to come from a trusted vendor. Employees in the largest organizations, with workforces of 50,000 or more, had the highest rate of second-step engagement with VEC.

Across all regions, 72% of employees at large enterprises who read a VEC message went on to engage with it further, taking follow-up actions such as replying or forwarding.

“Email-based social engineering has never been more convincing or more effective,” said Mike Britton, CIO at Abnormal AI. “Attackers are hijacking legitimate vendor threads and crafting sophisticated messages that pass undetected through legacy defences. And because employees believe these emails are real, they are engaging with them at alarming rates.”

Telecommunications saw the highest VEC engagement rate of any industry at 71.3%, dwarfing the second-ranked energy/utilities sector at 56%. Sales roles, especially entry-level, were among the most vulnerable, with junior sales staff engaging with read VEC attacks at a rate of 86%.

VEC threats are rising in EMEA

Organisations in this region are particularly susceptible to VEC attacks, despite exercising higher vigilance around business email compromise (BEC) attacks.

For example, in EMEA, the VEC engagement rate exceeds BEC engagement by 90%, and repeat engagement with VEC is the highest of any region, over twice that of BEC. This suggests that employees trust external parties (e.g., vendors) more than internal sources, making them especially vulnerable to vendor impersonation.

Additionally, EMEA-based organisations record the lowest reporting rate for VEC across all regions (0.27%), yet highest reporting for BEC (4.22%).

The reporting deficit in email security

Only 1.46% of text-based advanced email attacks that are read are reported. To put that in perspective, the average monthly number of text-based advanced attacks received by a mid-market enterprise with 1,500-3,000 employees between March 2024 and March 2025 was approximately 560 per 1,000 mailboxes. That means that, for such an organization, an estimated 840-1,680 attacks every month are not being reported to the security team. For larger organizations, the number can be much, much higher.

Some employees may believe that as long as they don’t engage with the attacker, they’ve fulfilled their obligation to the organization. But security professionals know that deleting emails without reporting them can be almost as damaging, since it eliminates the SOC team’s chance to investigate, remediate related messages, and take steps to reduce vulnerabilities to similar attacks.

Every time an employee has to decide whether an email is legitimate, the risk of human error enters the equation. And if they’re wrong, cybercriminals won’t hesitate to capitalize and cause financial consequences that ripple across the enterprise.

“While VEC volume remains lower than phishing or ransomware, its success rate—and potential financial impact—is far greater, especially as weaponised AI makes it easier than ever for attackers to impersonate trusted vendors,” Britton added. “To prevent costly human error, organisations must move beyond reactive training and adopt proactive defences that block threats before they reach the inbox.”
