{
	"id": "3f1b6760-47a2-43c2-827c-a6ae9756af79",
	"created_at": "2026-04-06T00:16:40.703584Z",
	"updated_at": "2026-04-10T03:21:49.379762Z",
	"deleted_at": null,
	"sha1_hash": "2ef4ce257bf3e4637c411d89645f057848179f62",
	"title": "What is vendor email compromise (VEC)?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45195,
	"plain_text": "What is vendor email compromise (VEC)?\r\nArchived: 2026-04-05 23:45:54 UTC\r\nWhat is vendor email compromise (VEC)?\r\nVendor email compromise, also referred to as “financial supply chain compromise”, is a targeted type of business\r\nemail compromise (BEC) attack in which attackers impersonate a third-party vendor in order to steal from that\r\nvendor’s customers. Vendors often work with a variety of customers — by compromising and impersonating the\r\nvendor, attackers can persuade multiple targets to give up money or sensitive information.\r\nWhat is business email compromise?\r\nBusiness email compromise (BEC) is a type of social engineering attack that takes over the victim’s emails. In a\r\nBEC attack, the attacker falsifies an email message through plain text to trick the victim into a predetermined set\r\nof actions, such as revealing sensitive data.\r\nBEC is notable in that it often targets a specific individual within an organization. BEC is often difficult to detect.\r\nThe emails can easily go unnoticed by traditional email security solutions because they do not contain malware,\r\nmalicious links, dangerous email attachments or other elements the email security solution uses to filter and\r\nidentify phishing emails. BEC emails use plain text carefully designed and crafted to trick the recipient and to\r\navoid existing security techstack. The emails are typically phrased in a way that mimics the tone and content of\r\ntrusted senders such as coworkers or CEO, which helps trick the recipient into engaging with them.\r\nWhile vendor email compromise attacks are a type of BEC attack, they are not necessarily the same. A typical\r\nBEC attack campaign targets a personal or executive to obtain confidential information, while a vendor email\r\ncompromise campaign typically requires a greater understanding of existing business relationships, such as\r\npayment structures, financial information and existing vendor-client processes. 
The research process of a vendor\r\nemail compromise may take weeks to months and the potential payoff for the attacker is far greater.\r\nHow do vendor email compromise attacks unfold?\r\nVendor email compromise attacks are sophisticated, complex, and hard to detect. They can take months, if not\r\nyears, to design, infiltrate, and fully implement. However, there are common steps to every vendor email\r\ncompromise attack:\r\n1. Conduct in-depth research on the vendor and their client base. Using publicly available information,\r\nattackers will learn about their target vendor’s employees, customers, work processes, billing cycles, and\r\nother facts. This process may take weeks or months to complete, but the research ultimately helps the\r\nattacker impersonate the vendor more convincingly.\r\n2. Send phishing emails to the vendor. Before carrying out attacks against their final targets, attackers\r\nmust first obtain access to the targeted vendor’s email account. To do this, attackers often send several\r\nphishing emails to the vendor that contain malicious links.\r\n3. Take over the compromised account. Once attackers gain access to the vendor’s email account, they\r\ncreate email forwarding rules to send relevant email copies to the attacker’s inbox. From here, the attacker\r\nwill monitor the inbox for pertinent financial information such as bank account, invoice details, and\r\npayment schedules.\r\n4. Send targeted vendor email attacks to the vendor’s customers. The last step is to design a highly\r\nsophisticated and hard-to-detect spear phishing campaign email to the vendor’s customers, typically around\r\nthe time of billing. 
Using the information gleaned from the research phase, attackers typically try to\r\npersuade their victims that they owe the vendor money, and to send the supposedly ‘required payment’ to\r\nthe attacker’s account.\r\nWhat are the consequences of a vendor email compromise attack?\r\nVendor email compromise campaigns affect two different victims — the compromised vendor, and the vendor’s\r\ncustomers or suppliers.\r\nCompromised vendors may experience reputational damage and financial losses in the form of misdirected\r\npayments. The attacker can gain access to funds meant for the vendor by redirecting client payments to an\r\nattacker-specified account. And once the attack campaign is discovered, the vendor’s reputation may take a hit due to fears\r\nthat an existing or potential client’s private data will be exposed.\r\nIn addition, the “final” targets – the clients or suppliers targeted from the compromised vendor account – may\r\nsuffer steep financial losses, loss of service, and a jeopardized supply chain.\r\nOne example of a vendor email compromise attack is the December 2020 attack on nonprofit One Treasure Island.\r\nAttackers impersonated a third-party bookkeeper, infiltrated existing email chains, and sent a payment transfer\r\nrequest email with alternative wire transfer instructions. A One Treasure Island staff member transferred a large\r\npayment meant for the partner into the attacker’s account, losing $650,000. This attack led to financial losses, loss\r\nof service and a jeopardized vendor for One Treasure Island, and reputational and financial loss for the\r\ncompromised third-party bookkeeper.\r\nHow can Cloudflare prevent vendor email compromise?\r\nCloudflare Email Security protects against a wide range of attacks, including preventing sophisticated and hard-to-detect targeted vendor email compromise campaigns. This advanced email protection is powered by Cloudflare’s\r\nglobal network, which blocks an average of 86 billion threats a day. 
As part of the Cloudflare SASE platform, it\r\nhelps provide continuous, comprehensive security and makes it easy for vendors and organizations to enforce\r\nsecure, cloud-native, on-premise security solutions.\r\nFAQs\r\nWhat is vendor email compromise (VEC)?\r\nVendor email compromise, also known as financial supply chain compromise, is a sophisticated and targeted type\r\nof business email compromise (BEC) attack. In a VEC attack, an attacker impersonates a third-party vendor to\r\ntrick that vendor's customers into sending money or sensitive information to the attacker.\r\nHow does a vendor email compromise attack work?\r\nThese attacks are multi-staged and can take months to execute. First, the attacker conducts in-depth research on\r\nthe target vendor and their clients. Next, the attacker has to successfully phish the vendor to take over their\r\naccount. Once inside the vendor's email account, the attacker sets up forwarding rules to monitor financial\r\ninformation, like invoices and payment schedules. Around a billing cycle, the attacker uses the compromised\r\naccount to send spear phishing emails to the vendor's customers.\r\nWhat are the consequences of a VEC attack?\r\nA VEC attack impacts both the compromised vendor and their customers. The vendor can suffer significant\r\nreputational damage and financial loss from misdirected payments. The vendor's customers can also face steep\r\nfinancial losses, service disruptions, and a jeopardized supply chain.\r\nHow can organizations prevent vendor email compromise?\r\nAdvanced email security solutions can protect against these sophisticated attacks. For instance, Cloudflare Email\r\nSecurity uses its global threat intelligence network to detect and block VEC campaigns. 
This type of solution can\r\nbe part of a broader zero trust security platform that provides comprehensive protection for an organization's cloud\r\nand on-premises systems.\r\nHow is VEC different from BEC?\r\nVendor email compromise (VEC) is a type of business email compromise (BEC) attack. However, a VEC attack\r\noften has more layers to it than a typical BEC attack. A BEC attack may directly target a business or an individual,\r\nwhile a VEC attack first targets a vendor, then targets the vendor's customers.\r\nSource: https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/#:~:text=Vendor%20email%20compromise%2C%20also%20referred,steal%20from%20that%20vendor%27s%20customers.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/#:~:text=Vendor%20email%20compromise%2C%20also%20referred,steal%20from%20that%20vendor%27s%20customers."
	],
	"report_names": [
		"#:~:text=Vendor%20email%20compromise%2C%20also%20referred,steal%20from%20that%20vendor%27s%20customers."
	],
	"threat_actors": [],
	"ts_created_at": 1775434600,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ef4ce257bf3e4637c411d89645f057848179f62.pdf",
		"text": "https://archive.orkl.eu/2ef4ce257bf3e4637c411d89645f057848179f62.txt",
		"img": "https://archive.orkl.eu/2ef4ce257bf3e4637c411d89645f057848179f62.jpg"
	}
}