Most companies trust their vendors.
They trust their invoices, their email addresses, their payment instructions, their tone, their timing.
Attackers know this — and they exploit it.
Vendor Email Compromise (VEC) is when attackers break into a vendor’s email account and use it to send fraudulent invoices or payment instructions to the vendor’s customers.
It’s not spoofing.
It’s not impersonation.
It’s the real vendor’s account — controlled by an attacker.
Think of it like a delivery driver you’ve known for years suddenly handing you a package with the wrong address.
You trust the uniform, the truck, the routine — so you don’t question the details.
Digitally, VEC often involves:
- compromising a vendor’s email account
- monitoring real conversations
- studying invoice patterns
- inserting fraudulent payment instructions at the perfect moment
- updating bank account details on legitimate invoices
- using inbox rules to hide sent and received messages from the real account owner
- avoiding detection for weeks or months
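The inbox-rule step in the list above is one a defender can look for in mailbox audit data. The following is an added example, not code from this post or series: a small Python check over constructed audit records (the field names are an assumed, simplified shape, not any product's real log format) that flags rules routing invoice or payment mail to folders the owner never reads, marking it read, or forwarding it outside the company.

```python
import json
import re

# Constructed sample mailbox-audit records (not from any real tenant). The
# field names are an assumed, simplified shape, not any product's log format.
SAMPLE_AUDIT_LOG = """
{"user": "ap@vendor.example", "op": "New-InboxRule", "from_contains": ["invoice", "payment"], "move_to": "RSS Feeds", "mark_read": true, "forward_to": []}
{"user": "ap@vendor.example", "op": "New-InboxRule", "from_contains": ["newsletter"], "move_to": "Promotions", "mark_read": false, "forward_to": []}
{"user": "cfo@vendor.example", "op": "Set-InboxRule", "from_contains": [], "move_to": "Deleted Items", "mark_read": true, "forward_to": ["relay@mailbox-host.example"]}
{"user": "cfo@vendor.example", "op": "Set-Mailbox", "from_contains": [], "move_to": "", "mark_read": false, "forward_to": []}
"""

# Folders a user rarely opens: rules that route mail there are how a
# compromised account keeps the real owner from seeing the conversation.
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email", "archive"}
FINANCE_TERMS = re.compile(r"invoice|payment|wire|bank|remit|ach|iban|swift", re.I)
INTERNAL_DOMAINS = {"vendor.example"}  # assumed: the vendor's own mail domain


def score_rule(rec):
    """Return (score, reasons) for one audit record; 0 means nothing to flag."""
    reasons = []
    if rec["op"] not in ("New-InboxRule", "Set-InboxRule"):
        return 0, reasons
    if rec["move_to"].lower() in HIDING_FOLDERS:
        reasons.append(f"routes mail to '{rec['move_to']}'")
    if rec["mark_read"]:
        reasons.append("marks mail as read")
    if any(FINANCE_TERMS.search(t) for t in rec["from_contains"]):
        reasons.append("keys on invoice/payment wording")
    external = [a for a in rec["forward_to"] if a.split("@")[-1] not in INTERNAL_DOMAINS]
    if external:
        reasons.append(f"forwards outside the organisation to {external}")
    return len(reasons), reasons


def find_suspicious_rules(log_text, threshold=2):
    """Parse one JSON record per line and return rules scoring at or above threshold."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        score, reasons = score_rule(rec)
        if score >= threshold:
            hits.append({"user": rec["user"], "op": rec["op"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_AUDIT_LOG):
        print(f"{hit['user']} {hit['op']} score={hit['score']}: {'; '.join(hit['reasons'])}")
```

A single hiding rule is not proof of compromise, so the threshold combines indicators; in practice a hit should trigger a review of the rule and a phone call to the vendor on a known number before any payment change is honoured.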
Once inside the vendor’s account, attackers can:
- send real invoices with fake banking details
- redirect large payments
- impersonate vendor staff
- alter contracts or purchase orders
- pivot into the customer’s environment
- launch Business Email Compromise (BEC)
- deploy ransomware after the fraud
Why this matters for insurance:
VEC is one of the fastest‑growing and most expensive cybercrime categories.
Losses often include:
- six‑figure vendor payments
- multi‑million‑dollar construction draws
- fraudulent international transfers
- cascading supply‑chain losses
- legal disputes over who is liable
And because the email comes from the real vendor account, victims often don’t realize anything is wrong until the vendor asks, “Why haven’t you paid us?”
The takeaway:
VEC is BEC’s more patient, more strategic cousin.
It succeeds because companies trust their vendors — and attackers weaponize that trust.
🎬 Pop Culture Parallel
In Ocean’s Eleven, the crew infiltrates legitimate systems and waits for the perfect moment to redirect the money flow. VEC works the same way — the attacker sits quietly inside a real account until the timing is perfect.
📺 K‑Drama Parallel
In Reborn Rich, entire fortunes shift because trusted partners manipulate financial flows from inside the system. That’s VEC: the betrayal doesn’t come from an outsider — it comes from someone who already has access.
📚 Novel / Non‑Fiction Parallel
In Sandworm, attackers infiltrate trusted infrastructure and wait patiently before striking, showing how dangerous long‑term access can be.
And in Ghost in the Wires, Kevin Mitnick describes how attackers exploit trust relationships between organizations — the same dynamic VEC weaponizes.
Both stories highlight the same truth: the most damaging attacks come from inside trusted channels.
Vocabulary Reinforcement (from earlier posts)
- Business Email Compromise (BEC)
- Email Spoofing
- Domain Impersonation
- Account Takeover (ATO)
- Phishing
- Privilege Escalation
- EDR
- SIEM
Relevant Designations
AINS, CPCU, ARM, AU, Cyber‑specific designations (e.g., CCIC, CCBP)
Learn more at https://insurancedesignationlookup.com/cyber-orientation/
#CyberForInsurance #CyberInPlainEnglish #LettersForSuccess