Vendor Email Compromise (VEC): How to Detect, Prevent, and Protect Your Business

Vendor email compromise (VEC), also known as supply chain compromise, is a rapidly growing cyber threat that targets businesses through trusted vendor relationships. Unlike traditional business email compromise (BEC) scams, VEC attacks primarily target external partners and suppliers, making them more challenging to detect. This post explains what VEC is, why it succeeds, and how to protect your organization.

What Is Vendor Email Compromise (VEC)?

Vendor email compromise occurs when cybercriminals impersonate or compromise a vendor’s email account to deceive businesses. These attacks aim to:

• Divert payments
• Steal sensitive data
• Gain unauthorized access to systems

Unlike BEC scams, which typically impersonate internal executives, VEC attacks exploit the trust businesses place in their vendors and suppliers.

How Do Vendor Email Compromise Attacks Work?

A typical VEC attack unfolds in four stages:

Stage 1: Initial Compromise. Attackers gain access to a vendor’s email account through phishing, credential stuffing, or by using lookalike domains.

Stage 2: Information Gathering. Cybercriminals conduct reconnaissance, analyzing vendor-client interactions and collecting sensitive information, such as payment schedules and authorized personnel details.

Stage 3: Account Takeover. Forwarding rules are set up in the compromised account, allowing attackers to monitor communications undetected.

Stage 4: Attack Execution. Fraudulent emails are sent to clients, requesting payment changes or credential verification using language and timing that appear legitimate.

Why Are VEC Attacks Effective?

These attacks succeed because of the following reasons:

• They exploit trust. Employees expect routine vendor communications about invoices and payments.
• They have few red flags. Emails often come from legitimate accounts, making detection difficult.
• They bypass traditional defenses. Email gateways may not flag these messages because they lack typical phishing indicators.

What Are the Risks and Impact of VEC Attacks?

Potential VEC risks and impacts include the following:

• Financial losses: Payment diversion and invoice fraud
• Operational disruptions: Supply chain interruptions
• Reputational damage: Loss of trust among clients and partners
• Regulatory consequences: Potential fines and lawsuits for noncompliance

How Can Vendor Email Compromise Be Prevented?

Organizations can take the following steps to reduce the potential for being victimized:

• Implement technical safeguards. Use email authentication protocols like SPF, DKIM, and DMARC to verify sender identity and block spoofed domains.
• Deploy behavioral monitoring tools. AI-driven tools can detect anomalies in communication patterns and flag suspicious emails.
• Establish vendor verification procedures. Verify any requests involving sensitive data or payment changes through secure portals or direct phone calls.
• Monitor vendor security posture. Use vendor risk management tools to assess and track vendor cybersecurity practices.
• Train employees. Provide role-specific training on VEC tactics and emphasize the importance of verifying unusual requests.

Are VEC Attacks Covered by Insurance?

Both cyber and crime insurance policies can provide coverage for direct financial losses stemming from fraudulent fund transfers, invoice manipulation and payment diversion. However, coverage depends on a policy’s specific wording.

• Cyber policies typically cover incident response and regulatory liabilities.
• Crime policies are often better suited for direct financial losses from fraudulent payment instructions, especially with social engineering endorsements.

Some policies may only be triggered by a direct breach of system security and may not extend to situations where employees are misled into taking fraudulent actions, such as authorizing payments in VEC attacks. Some policies may not respond when employees voluntarily send funds unless specific social engineering or fraudulent instruction endorsements are in place. An experienced insurance broker can ensure that cyber and crime insurance policies complement each other, identify coverage gaps, and suggest specific endorsements (e.g., social engineering fraud) to ensure robust financial protection against VEC attacks and other deception-based threats. Brokers can also support organizations throughout the claims process, potentially helping to achieve faster resolution of coverage determinations and claim settlements.

Contact us today for additional guidance on cyber risk management.

The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.