Employees Still Vulnerable to Vendor Email Scams

Summary

– Attackers attempted to steal over $300 million via vendor email compromise (VEC) in 12 months, with 7% of engagements from employees who interacted with prior attacks.
– Employees in large organizations (50,000+ staff) struggle most with VEC, with 72% of those who read VEC messages engaging further (e.g., replying or forwarding).
– Telecommunications had the highest VEC engagement rate (71.3%), and entry-level sales roles were most vulnerable (86% engagement).
– EMEA organizations are highly susceptible to VEC, with engagement rates 90% higher than BEC and the lowest reporting rate (0.27%) for VEC globally.
– Only 1.46% of text-based advanced email attacks are reported, leaving thousands unreported monthly, highlighting a critical gap in email security.

Businesses continue to lose millions annually due to sophisticated vendor email scams, with employees often failing to recognize fraudulent messages disguised as legitimate vendor communications. Recent data reveals cybercriminals attempted to steal over $300 million through vendor email compromise (VEC) attacks in just one year, with a concerning 7% of victims having previously interacted with similar scams.

Larger organizations face heightened risks, as employees in companies with 50,000+ staff show the highest likelihood of engaging with fraudulent vendor emails. Shockingly, 72% of employees at major enterprises who opened a VEC message took further action—replying, forwarding, or following embedded instructions.

Mike Britton, CIO at Abnormal AI, warns that attackers now craft near-perfect impersonations of trusted vendors, bypassing traditional email security measures. “These scams exploit employee trust, leading to alarmingly high engagement rates,” he explains.

Telecommunications firms are prime targets, with a staggering 71.3% engagement rate—far outpacing the energy sector at 56%. Entry-level sales professionals prove especially vulnerable, with junior staff engaging with fraudulent emails 86% of the time.

EMEA businesses face unique challenges, exhibiting the highest repeat engagement with VEC attacks—double that of business email compromise (BEC) scams. Paradoxically, while EMEA organizations report BEC threats at a 4.22% rate, VEC incidents go largely unreported, with only 0.27% flagged to security teams.

A critical reporting gap persists across industries, with just 1.46% of advanced email threats being reported after being read. Mid-sized enterprises receive roughly 560 sophisticated attacks monthly per 1,000 mailboxes, meaning hundreds of threats slip through undetected. Larger corporations face exponentially higher volumes.

Many employees mistakenly believe ignoring suspicious emails suffices, but security experts stress that failing to report threats prevents IT teams from investigating patterns and strengthening defenses. “Every unreported attack represents a missed opportunity to prevent future breaches,” Britton notes.

With AI-powered scams making vendor impersonation more convincing than ever, organizations must shift from reactive training to preemptive security measures that intercept threats before they reach employees. The financial stakes have never been higher—while VEC attacks occur less frequently than phishing, their success rate and potential damage far exceed other email-based threats.

(Source: HELPNET SECURITY)
