Explainer
BEC vs VEC for accounting firms: what changes in your fraud controls
Published Apr 13, 2026 · About 7 min read
BEC and VEC are often grouped together, but they are not the same attack. If your team treats them as one category, your controls can miss the highest-risk scenario: fraudulent payment changes sent from a real vendor mailbox.
Quick definitions
- BEC (Business Email Compromise): an attacker impersonates an executive, employee, or financial contact to trigger a fraudulent payment action.
- VEC (Vendor Email Compromise): an attacker uses a compromised or impersonated vendor identity to request payment-detail changes or reroute funds.
Why VEC is often more dangerous in AP workflows
BEC messages can sometimes be caught through sender anomalies or policy controls. VEC attacks are harder because the request appears to come from a trusted vendor relationship. The payment context is valid. The invoice can look normal. Only the routing outcome is fraudulent.
This is why vendor bank-detail changes should be treated as high-risk events, even when communication feels routine.
Controls that map to each attack type
| Attack type | Primary risk | Best control |
|---|---|---|
| BEC | Impersonated authority and urgent request | Escalation policy plus role-based approval controls |
| VEC | Fraudulent beneficiary or account update | Out-of-band bank verification plus behavior-based anomaly detection |
For a deeper workflow model, see how pre-approved fraud passes AP controls.
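One way to express the VEC row of the table as a payment-release gate, shown as an added example that is not code from the original page or from Vantirs. The record fields, decision strings, and sample vendor are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class BankDetails:
    routing: str
    account: str

@dataclass(frozen=True)
class Vendor:
    name: str
    verified_bank: BankDetails  # last details confirmed out-of-band
    phone_on_file: str          # captured at onboarding, never taken from a request

@dataclass(frozen=True)
class Callback:
    number_dialed: str
    confirmed_bank: BankDetails

def release_decision(vendor: Vendor, requested: BankDetails,
                     callback: Optional[Callback] = None) -> tuple[str, str]:
    """Decide whether a payment to `requested` may be released.

    The sender address is deliberately not an input: in VEC the request can
    come from the real vendor mailbox, so sender trust proves nothing.
    """
    if requested == vendor.verified_bank:
        return ("RELEASE", "bank details match verified record")
    # Any change to bank details is high-risk, however routine the message looks.
    if callback is None:
        return ("HOLD", "bank details changed; out-of-band verification required")
    # A number supplied in the change request itself is not out-of-band.
    if callback.number_dialed != vendor.phone_on_file:
        return ("HOLD", "callback used a number that is not on file")
    if callback.confirmed_bank != requested:
        return ("HOLD", "vendor did not confirm the requested details")
    return ("RELEASE", "change confirmed via number on file")

# Constructed sample data, not real account or phone numbers.
ACME = Vendor("Acme Supplies", BankDetails("000000001", "1111"), "+1-555-0100")
NEW = BankDetails("000000002", "2222")

if __name__ == "__main__":
    print(release_decision(ACME, ACME.verified_bank))
    print(release_decision(ACME, NEW))
    print(release_decision(ACME, NEW, Callback("+1-555-0199", NEW)))
    print(release_decision(ACME, NEW, Callback("+1-555-0100", NEW)))
```
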
Build BEC and VEC controls into one AP workflow
Vantirs helps accounting firms verify vendor payment instructions and flag suspicious changes before payment release.