
For over a decade, Business Email Compromise (BEC) has been a primary concern for CISOs and security teams. But the threat landscape has evolved, and so should our response.
Social engineering fraud as a whole—spanning phishing, spear phishing, pretexting, smishing, and more—is now expected to cost businesses over $100 billion globally. BEC, while highly visible, represents only a fraction of that larger problem. And even within BEC, the most financially damaging email attacks today are not simple CEO impersonations pressuring employees into wire transfers or a single phishing email slipping through perimeter defenses.
Instead, they are attacks that originate in the inboxes of an organization’s vendors and third parties. This vendor-focused form of BEC, often called Vendor Email Compromise (VEC), has become the dominant driver of payment fraud.
The Data Is Clear: VEC Is Surpassing Traditional BEC
According to the 2024 AFP Payments Fraud and Control Survey, vendor email fraud now accounts for 45% of BEC-related incidents, up from 34% the previous year. In contrast, executive impersonation, often viewed as the hallmark of classic BEC attacks, has declined by 8%. Invoice fraud, frequently an indication of VEC, has nearly doubled to 24%.
Meanwhile, the FBI’s 2024 IC3 Report confirms that BEC continues to be the most financially devastating cybercrime, with losses exceeding $2.8 billion in the U.S. alone. A growing portion of those losses stem from compromised third-party communications, not internal compromise.
And yet, despite this shift, most organizations still categorize these incidents under the BEC umbrella, as the data also reflects. That classification leads to an equally outdated playbook: one that is solely focused on hardening internal email systems, ramping up phishing training, and deploying advanced inbox protection tools. But none of these stop VEC.
VEC Is Not a Subset of BEC, It’s an Ecosystem Attack
VEC is fundamentally different from the threats most email security tools were built to handle. Rather than breaking into your environment, these attackers gain access to a vendor’s email account, often through phishing, credential stuffing, or another low-resistance method. Once inside, they observe communication patterns, invoice trends, and billing relationships.
Eventually, the attacker strikes with a perfectly timed, perfectly legitimate-looking invoice. The message originates from the vendor’s actual email address, often referencing a genuine purchase or billing cycle. But the payment instructions have been silently changed. Since no impersonation or spoofing is involved, VEC evades traditional email defenses.
Often no warning is triggered at all. The message comes from the vendor’s own account and is delivered legitimately to the organization’s team, usually accounts payable, treasury, or even ERP-integrated payment processors. For CISOs and security professionals, this creates a blind spot that most internal security controls cannot see: there is no internal compromise, no suspicious login to your systems, and no alert, just a payment quietly rerouted to a fraudulent bank account.
Why Misclassifying VEC Undermines Defense Strategy
Vendor Email Compromise represents the next generation of socially engineered financial fraud. It exploits trust between partners, operates quietly through legitimate channels, and evades most traditional defenses. Labeling VEC under the broad umbrella of BEC reinforces the misconception that email perimeter security alone is a sufficient defense. In reality, defending against VEC requires cross-department visibility, transaction-level anomaly detection, and ecosystem risk modeling. These capabilities sit well outside the traditional scope of email security solutions.
In many organizations, this means that VEC falls between the cracks of security and finance. Managing vendor onboarding and banking verification can involve several departments including procurement and finance, while CISOs and their teams oversee email protection. VEC exploits both sides of that divide by attacking financial workflows with the legitimacy of trusted communication channels.
Strategies that Work Against VEC
To address this rising threat, security leaders must pivot from inbox-centric protection to fraud prevention strategies that include:
- Deploy behavioral analytics across ERP, accounts payable, and treasury systems. Modern fraud prevention tools can flag subtle changes in payment instructions, bank accounts, or invoice timing that deviate from historical baselines – even if the emails themselves appear authentic.
- Leverage vendor trust scoring and dynamic risk models. Just as we evaluate user behavior for anomalies, we must now assess third-party vendors for suspicious activity patterns or known compromises.
- Implement centralized payment change management. Critical banking and invoicing data should be stored and updated only through secured, policy-enforced workflows—not in email threads or shared spreadsheets.
- Cross-check vendor account changes in real time. Using external data sources (e.g., bank verification APIs, sanctions lists, or business identity validation) can further reduce exposure to fraudulent redirection.
- Ensure collaboration between InfoSec and Finance. Fraudulent payments often succeed not because of technical gaps, but because of unaligned responsibilities. A unified approach to vendor risk can close these gaps.
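The baseline checks the first and fourth strategies describe (a beneficiary account the vendor has never used, an amount outside the historical range, an invoice arriving off its usual cadence), as an added Python example that is not part of the original article; the vendor history, invoice fields, thresholds and the hold/approve routing are constructed assumptions, not any product’s logic.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev

@dataclass(frozen=True)
class Invoice:
    number: str
    issued: date
    amount: float
    beneficiary: str  # bank account the invoice asks to be paid into

# Constructed sample history for one vendor (not real data): monthly invoices, one account.
ACME_HISTORY = [
    Invoice("INV-1001", date(2024, 1, 15), 12400.0, "ACCT-3000"),
    Invoice("INV-1002", date(2024, 2, 15), 12900.0, "ACCT-3000"),
    Invoice("INV-1003", date(2024, 3, 15), 12100.0, "ACCT-3000"),
    Invoice("INV-1004", date(2024, 4, 15), 12600.0, "ACCT-3000"),
]
# Constructed test cases: a redirected invoice one week after the last, and a normal one.
SUSPICIOUS = Invoice("INV-1005", date(2024, 4, 22), 12550.0, "ACCT-9911")
BENIGN = Invoice("INV-1005", date(2024, 5, 15), 12700.0, "ACCT-3000")

def baseline(history):
    """Per-vendor baseline: known beneficiary accounts, typical amount, usual cadence."""
    dates = sorted(inv.issued for inv in history)
    gaps = [(later - earlier).days for earlier, later in zip(dates, dates[1:])]
    amounts = [inv.amount for inv in history]
    return {
        "accounts": {inv.beneficiary for inv in history},
        "mean_amount": mean(amounts),
        "sd_amount": pstdev(amounts) or 1.0,  # avoid division by zero on a flat history
        "mean_gap": mean(gaps) if gaps else 0,
        "last_date": dates[-1],
    }

def assess_invoice(inv, base):
    """Return the anomaly reasons for an incoming invoice (empty list = nothing flagged)."""
    reasons = []
    if inv.beneficiary not in base["accounts"]:
        reasons.append("beneficiary account never used by this vendor before")
    z = (inv.amount - base["mean_amount"]) / base["sd_amount"]
    if abs(z) > 2.0:
        reasons.append(f"amount deviates from historical baseline (z={z:.1f})")
    gap = (inv.issued - base["last_date"]).days
    if gap < 0.5 * base["mean_gap"]:
        reasons.append(f"arrived {gap} days after the previous invoice, usual cadence ~{base['mean_gap']:.0f} days")
    return reasons

def decide(inv, base):
    # Any flag holds payment until finance verifies the change out of band with the vendor.
    reasons = assess_invoice(inv, base)
    return ("HOLD_FOR_VERIFICATION" if reasons else "APPROVE"), reasons
```

The point of the hold is that the decision is made on payment data rather than on the email, so it still fires when the message genuinely comes from the vendor’s account.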
VEC Is a CISO-Level Concern
VEC is not just a financial fraud problem. It’s an enterprise risk that belongs in the CISO’s domain. Attackers are exploiting the increasing complexity of digital supply chains, recognizing that as systems become more interconnected, it becomes harder to enforce controls across them.
CISOs must recognize VEC as a strategic threat and consider it a unique cyber-attack. If VEC is viewed as a BEC attack, security teams and organizations may overlook its unique characteristics and invest in the wrong defenses. These defenses must extend beyond the organization’s borders to include third-party behavior, payment ecosystem processes, and real-time anomaly detection across workflows.
The rise of VEC marks a clear shift in the fraud landscape. It’s quiet, it’s convincing, and it circumvents many of the protections we’ve all spent years perfecting. To keep pace, we must reevaluate the definition of email fraud and align our defenses with the true nature of the threat.
If you still treat VEC like BEC, you’re defending against the wrong enemy.