Articles & Thought Leadership | 6 min read

How Vendor Email Compromise Works


Lauryn Cash
Lauryn Cash

Vendor Email Compromise is a refined attack that builds upon BEC techniques to defraud organizations. Discover what a VEC attack looks like in action.

How Vendor Email Compromise Works

Vendor Email Compromise (VEC) is a type of social engineering attack where a cybercriminal impersonates a trusted vendor for financial gain. VEC attacks are elaborate, sophisticated, and take place over days or weeks to establish trust and remain undetected.

Wondering why VEC attacks are so hard for traditional security systems to catch? This article will break down the lifecycle of a VEC attack so you know the signs to look out for.

How Vendor Email Compromise Works

With VEC attacks, an attacker first steals the credentials of one or more employees. Then they learn about the organization by reading emails from the compromised accounts. Thus, VEC attacks have two phases: dormant and active.

In the dormant phase, the attacker quietly steals credentials and logs in from an innocuous location or IP address to set up mail forwarding rules. Unfortunately, this phase is difficult to spot since there isn’t much suspicious activity to detect yet.

In the active phase, the attacker creates a fake domain name and waits for a financial transaction. The attacker then inserts new bank details into existing email threads and awaits payment. After receiving payment, funds are immediately transferred to other accounts to avoid traceability.

Read more: 4 Vendor Fraud Red Flags to Watch Out For

The Lifecycle of a VEC Attack

Vendor Email Compromise attacks take time, with successful attacks often unfolding over a period of weeks. Here is a sample VEC attack timeline.

VEC attack timeline

Day 0

  • The attacker steals the credentials of an employee in the Accounts Receivable department at Company A through a phishing link,
  • The attacker signs into Jane’s email address and deletes any evidence of the phishing email that compromised her. 
  • The attacker then sets up a mail forwarding rule in Jane’s account that auto-forwards all emails to a mailbox created for this purpose.

Day 1 - 14

  • The attacker reads all emails in Jane’s inbox to understand the organization’s email workflows and identify high-value targets for compromise.

Day 15

  • A legitimate vendor transaction comes into play, and Jane does her job as usual.

Example of vendor email compromise in a dormant phase

Day 16

Now the compromise enters its active phase.

  • The attacker is aware of this active invoice payment request and registers the domain “”
    Note: Spoofing a domain as a separate internal domain of Company A may be more successful for fraudsters than other domain look-alike attempts in the past.
    For example, if the attacker registered a domain like “” with the “r” and “n” closely mirroring an “m,” and the recipient caught this inconsistency, the gig would be up. On the other hand, a domain spoof of a likely internal domain is easier to justify in some cases.
  • The attacker sends an email from, with the original thread below the message.

Email example of vendor email compromise in active phase

  • The attacker sends another email from, with the original thread below the message to add additional credibility.

Second example of vendor email compromise

Why Vendor Email Compromise Attacks Are Often Successful

The added danger in vendor email compromise is clear. However, unlike the three weaknesses of a Business Email Compromise attack, VEC attacks have an answer for each drawback:

  • BEC WEAKNESS: The attacker is the one that must initiate the first email, which elicits suspicion among the recipients.
  • VEC STRENGTH: The attacker no longer needs to initiate an attack, as they can merely insert themselves (and their bank credentials) into a legitimate business transaction.
  • BEC WEAKNESS: A fresh employee may feel the need to verify with a coworker or direct manager the proper protocol for corporate financial changes and transactions. Introducing a second or third pair of eyes on the request can quickly defuse the situation as a hoax.
  • VEC STRENGTH: An attacker gains additional knowledge of a target organization’s best practices, standard operating procedures, writing styles, common apps, file types, social engineering, and a timeline of when VIPs may be out of office. As a result, the victims of these attacks usually don’t suspect anything nefarious because messages sent by the attacker so closely mirror what a typical employee would do or say.
  • BEC WEAKNESS: The executive may be in the same office as the victim. If the victim has face-to-face communication with the VIP, the attack can implode.
  • VEC STRENGTH: Because VECs usually occur with third-party vendors, the chances of a victim bumping into them in person are extremely low.

To learn how Armorblox stops VEC attacks, take a 5-minute product tour below.

Take 5-min product tour

Experience the Armorblox Difference

Get a Demo