Cybersecurity Glossary

What Is Vendor Email Compromise?

Vendor email compromise is a targeted fraud tactic where attackers impersonate or compromise a supplier, contractor, or service provider to manipulate invoices, payments, purchase orders, or business approvals.

Learn More

Glossary Index Phishing & Social Engineering

Short definition

Vendor email compromise, often shortened to VEC, is a form of business email compromise that abuses trusted vendor relationships. The attacker may use a compromised supplier mailbox, lookalike domain, spoofed sender, or convincing invoice request to redirect money or collect sensitive information.

At a glance: The message may look like normal vendor communication. The risk is the requested change, especially new payment details, urgent invoices, or process exceptions.

Vendor Email Compromise Meaning

Vendor email compromise focuses on the trust that already exists between a company and its suppliers. Attackers know that invoice updates, contract questions, payment timing, and purchase orders are normal parts of business.

A VEC attack may begin when a vendor mailbox is compromised. The attacker can read real threads, learn invoice schedules, and send a request from a real account. Other attacks imitate the vendor with a lookalike domain, display name, or spoofed sender.

The goal is usually financial, but the attack can also target tax records, customer data, credentials, or account access. A fake vendor request may ask finance to change bank information, ask procurement to approve a new document, or ask an employee to open a malicious file.

Vendor email compromise is closely related to business email compromise, but the pretext centers on supplier and third-party relationships.

How Vendor Email Compromise Works

Vendor email compromise usually follows a real business workflow closely enough to avoid suspicion.

The attacker identifies a vendor relationship. They may use public supplier lists, breached email threads, invoices, procurement records, or compromised mailboxes.
A vendor identity is abused. The attacker may send from a compromised vendor account, register a lookalike domain, or spoof a familiar display name.
The request fits a normal process. The message may reference invoices, banking changes, remittance details, purchase orders, tax forms, or contract documents.
A change or action is requested. Targets may be asked to update payment details, send funds, open a file, approve a purchase, or share business data.
Discovery is delayed. The attacker may time the request near a real invoice cycle or use an email thread that looks legitimate.

Common Vendor Email Compromise Examples

VEC attacks often look like ordinary finance, procurement, or vendor management work.

Bank account change: A supplier appears to send updated ACH or wire instructions before an invoice is paid.
Fake invoice attachment: A message includes an invoice or purchase order file that leads to malware or credential theft.
Compromised thread reply: An attacker replies inside a real vendor conversation with altered payment details.
Lookalike supplier domain: A domain with one changed character imitates a known vendor and requests urgent processing.
Tax or onboarding request: A fake vendor representative asks for W-9 forms, account data, or portal credentials.

Why Vendor Email Compromise Matters

Vendor email compromise matters because organizations rely on external relationships to move money and keep operations running. Employees may naturally trust a known supplier, especially inside an existing conversation.

The financial impact can be large when a payment is redirected, but the damage can also include exposed vendor portals, compromised documents, disrupted supplier relationships, and follow-on attacks against customers or partners.

VEC risk grows when vendor changes can be approved by email alone. Strong verification and approval workflows reduce the chance that one convincing message can change payment or access details.

How to Reduce Vendor Email Compromise Risk

The best controls protect vendor onboarding, payment changes, and invoice workflows.

Verify payment changes out of band. Use a known phone number, vendor portal, or approved contact before changing banking details.
Separate requests from approvals. Email can start a request, but payment changes should require documented approval in a trusted workflow.
Watch for domain and thread changes. Train users to check sender domains, reply-to addresses, altered signatures, and unusual thread behavior.
Protect vendor portals. Use MFA, least privilege, and monitoring for procurement, invoice, and payment systems.
Create a vendor escalation path. Finance and procurement teams should know exactly how to verify suspicious requests without slowing legitimate work.

What to Do After Suspected Vendor Email Compromise

Fast coordination can reduce financial loss and stop related attacks.

Pause the transaction. Stop pending payments or account changes until the request is verified.
Contact the vendor through a known channel. Use an existing trusted phone number or portal, not the suspicious email thread.
Preserve evidence. Collect headers, invoices, attachments, domains, URLs, payment details, and conversation history.
Review exposed systems. Check whether credentials, vendor portals, payment systems, or mailboxes were accessed.

Related Vendor Email Compromise Terms

Vendor email compromise is a focused form of business email compromise and payment-process abuse.

Business Email Compromise covers the broader category of trusted-business email fraud.
Email Spoofing explains how sender identity can be forged or misrepresented.
Domain Spoofing covers domain tricks used to imitate trusted organizations.

Vendor Email Compromise Takeaway

Vendor email compromise succeeds when a fake or compromised vendor message can change a real business process. The safest control is independent verification before payment or account details change.

Finance, procurement, and vendor management teams should treat new banking details, urgent invoice changes, and unusual attachments as verification triggers.

Navigation

Back to Glossary View Category

FAQ

Questions Teams Ask About Vendor Email Compromise

Quick answers about VEC, vendor impersonation, invoice fraud, payment verification, and supplier workflows.

What is vendor email compromise?

Vendor email compromise is fraud that abuses a trusted supplier relationship through fake, spoofed, or compromised vendor email communication.

How is VEC different from BEC?

Vendor email compromise is a focused form of business email compromise where the pretext centers on suppliers, invoices, purchase orders, and payment changes.

What is the biggest warning sign of VEC?

A request to change payment details, rush an invoice, open an unexpected file, or bypass normal vendor procedures should trigger verification.

How can finance teams prevent vendor email compromise?

Use trusted-channel verification, multi-person approval, vendor portal controls, MFA, and clear procedures for payment or account changes.

Simulate realistic phishing attacks at the speed of AI, train users, and measure risk with AI Powered Insights.