Explainer
BEC vs. VEC: What finance teams need to know in 2026
Published Apr 13, 2026 · Updated May 15, 2026 · About 12 min read
Most finance teams know business email compromise. Almost none have heard of vendor email compromise — the variant now responsible for 61% of all BEC attacks in Q1 2026. That gap in awareness is exactly why VEC works.
Q1 2026 data: 61% of all business email compromise attacks now use vendor email compromise techniques — up from 43% in 2024. BEC attacks hit 10.7 million total in Q1 2026, a 26% increase from Q4 2025.
Sources: Microsoft Q1 2026 Email Threat Landscape Report (April 30, 2026); FBI IC3 2025 Annual Report
First: what is BEC?
Business email compromise is the broadest category. An attacker impersonates a trusted party — a CEO, a finance director, an IT vendor — and uses that impersonation to trigger a fraudulent payment or data transfer. The FBI tracks it as the highest-loss cybercrime category it monitors: more than $2.9 billion in reported losses in 2024 alone, and the actual figure is believed to be three to five times higher due to unreported incidents.
Most finance teams have BEC awareness. They know to be skeptical of urgent wires from the CFO, to call back before changing a vendor account, and to watch for lookalike domains. That awareness is real — and it has pushed attackers to evolve.
What is vendor email compromise — and why is it different?
Vendor email compromise (VEC) is a specific category of BEC where the attacker does not impersonate an internal executive. They impersonate — or directly compromise — an external vendor.
The distinction matters more than it sounds. When an attacker spoofs your CFO, there are signals your team can catch: the request feels unusual, the urgency is out of character, the sender domain is slightly wrong. When an attacker sends a payment-change request from the actual email address of a vendor you have paid reliably for three years, none of those signals fire. The request looks exactly like every other invoice update from that vendor — because it is coming from their real inbox.
VEC attacks typically proceed in three phases:
- Vendor account compromise. The attacker breaches the vendor's email system — often through a phishing attack on the vendor, or by purchasing credentials from a prior data breach. They monitor the inbox silently, sometimes for weeks, mapping payment relationships and learning invoice timing.
- Targeting the payment window. The attacker identifies an upcoming, expected payment — a recurring invoice, a milestone payment on a project, a renewal. They wait until the timing is right, then send a payment-detail update from the compromised inbox.
- Rerouting the payment. The update looks routine. It comes from the right sender, references the right project, arrives at the right time. The only thing that has changed is the destination bank account. By the time the fraud is discovered — typically when the real vendor follows up on a missing payment — the funds have moved through multiple accounts and recovery is nearly impossible.
Why VEC is more dangerous for AP teams than classic BEC
The controls finance teams have built for BEC often do not apply to VEC. Here is where each defense breaks down:
| Defense | Works against BEC? | Works against VEC? | Why it fails |
|---|---|---|---|
| Verify sender domain | Yes | No | VEC uses the real domain — no lookalike to catch |
| Call-back policy for unusual requests | Yes | Partial | Request does not feel unusual — it matches the vendor relationship |
| Dual approval on large wires | Yes | No | Both approvers see a valid invoice from a known vendor |
| Email security gateway (DMARC, DKIM) | Yes | No | Legitimate email from a compromised but authenticated inbox passes all checks |
| Bank account verification at onboarding | Yes | No | VEC attacks a mid-relationship account change, not a new vendor setup |
The core problem is that every standard control treats the vendor relationship as the trust anchor. VEC attacks that anchor directly. The request comes from a trusted source at a trusted time in a trusted format. The only detectable signal is in the payment destination — a bank account that has never received money from your company before.
The red flags that do not look like red flags
VEC attacks are designed to feel routine. But there are behavioral patterns that distinguish a vendor email compromise from a legitimate account update — if your team knows what to look for:
- Bank account change requests that arrive before a known payment. Attackers who have been monitoring the vendor inbox know your payment schedule. A "new banking details" email that arrives 3–5 days before a major payment is a pattern worth scrutinizing independently of any other signals.
- New beneficiary country or bank type with no prior history. If your vendor has always received ACH payments to a US community bank and now requests a wire to a foreign institution, that shift should trigger out-of-band verification even if everything else looks legitimate.
- Slight changes in email writing style or signature format. An attacker who has read hundreds of emails from a vendor inbox will mimic the tone well — but subtle shifts in greeting style, formatting, or signature details can signal a different author.
- Urgency framing that is unusual for this specific vendor. Not all urgency is a red flag — some vendors genuinely have time-sensitive requests. But urgency that is out of pattern for this particular relationship (a vendor who has never pushed before suddenly citing a hard deadline) is worth a phone call.
- Missing reference to prior payment history. Legitimate vendors updating banking details often reference their existing relationship context. VEC attackers sometimes omit this because they are focused on the action request, not the relationship context.
What the numbers say about VEC in 2026
The shift toward VEC is not gradual — it is structural. As BEC defenses improved at the impersonation layer, attackers moved upstream to compromise the vendors themselves. The Q1 2026 data reflects that shift:
- BEC attacks reached 10.7 million incidents in Q1 2026, a 26% increase from Q4 2025 (Microsoft Q1 2026 Email Threat Landscape Report).
- 61% of those attacks used VEC techniques — meaning the fraudulent communication originated from a real or convincingly compromised vendor identity rather than an internal impersonation.
- 59% of successful attacks in 2026 used multiple tactics to bypass finance and security controls simultaneously, combining VEC with invoice manipulation, urgency pressure, or multi-channel follow-up.
- The average loss per VEC incident is higher than for classic BEC because the fraud redirects an expected high-value payment rather than inventing an ad-hoc request: the amount at stake is whatever the vendor was already owed, not whatever an attacker can plausibly ask for.
The practical implication: if your fraud controls were designed around BEC, you are now under-defended against the majority attack vector. This is not a hypothetical future risk. It is the current distribution of actual attacks.
How accounting firms and finance teams should respond
Defending against VEC requires a different control layer than defending against classic BEC — one that focuses on the payment destination rather than the sender identity.
1. Treat every bank account change as a high-risk event
Regardless of how the request arrives or who it appears to be from, any change to a vendor's payment destination should require out-of-band verification — a phone call to a number on file, not a number in the email. This is the single highest-impact control for VEC. It does not require new technology; it requires a policy that is actually enforced.
2. Verify new payment destinations against historical behavior
If your AP system or fraud platform can flag when a payment is routing to a bank account that has never previously received money from your organization, that check catches VEC even when the sender looks fully legitimate. This behavioral check — does this beneficiary have a history with us? — is the control that email authentication cannot provide.
3. Build vendor relationship fingerprinting into your workflow
Authentic vendor relationships leave patterns: consistent invoice amounts, consistent payment timing, consistent banking details over time. When any of those patterns break — a new account number, a different payment method, an unusual amount — that deviation is a signal worth investigating before the payment processes. This is distinct from checking whether the email looks legitimate; it checks whether the payment destination is consistent with the real relationship.
4. Update your team's mental model of what fraud looks like
The single most effective thing a finance team can do this week costs nothing: share what VEC is with your AP staff. The reason VEC works is that most finance teams have never heard the term. Once your team understands that a request from a trusted vendor email can still be fraudulent — because the vendor was themselves compromised — they apply a different level of scrutiny to payment-change requests regardless of how familiar the sender looks.
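One way to put controls 2 and 3 (and the timing and new-country red flags from the earlier list) into a concrete pre-payment check, as an added example that is not the page's or any product's code: vendor names, account identifiers and dates are constructed sample data, and the five-day window is an assumption taken from the 3–5 day pattern described above.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data for illustration only; not real vendors or accounts.

@dataclass(frozen=True)
class Payment:
    vendor: str
    account: str      # beneficiary account identifier (constructed value)
    country: str      # country of the beneficiary bank
    method: str       # "ACH" or "WIRE"
    paid_on: date

@dataclass(frozen=True)
class ChangeRequest:
    vendor: str
    new_account: str
    new_country: str
    new_method: str
    received_on: date

# Three years of reliable ACH payments to one US account, compressed to three rows.
HISTORY = [
    Payment("Acme Supplies", "ACCT-111", "US", "ACH", date(2025, 10, 1)),
    Payment("Acme Supplies", "ACCT-111", "US", "ACH", date(2025, 11, 1)),
    Payment("Acme Supplies", "ACCT-111", "US", "ACH", date(2025, 12, 1)),
]

def assess(request, history, next_payment, window_days=5):
    """Return the relationship-consistency flags raised by a bank-detail change.

    The sender is deliberately ignored: a compromised vendor inbox passes every
    identity check, so only the payment destination and timing are examined.
    """
    seen = [p for p in history if p.vendor == request.vendor]
    flags = []
    if not any(p.account == request.new_account for p in seen):
        flags.append("beneficiary never paid before")
    if request.new_country not in {p.country for p in seen}:
        flags.append("new beneficiary country")
    if request.new_method not in {p.method for p in seen}:
        flags.append("new payment method")
    lead = (next_payment - request.received_on).days
    if 0 <= lead <= window_days:   # assumed window, from the 3-5 day pattern
        flags.append(f"arrived {lead} days before scheduled payment")
    return flags

def decision(flags):
    # Any break in the relationship pattern holds the change until it is
    # confirmed by phone to the number already on file, never one in the email.
    return "HOLD: verify out of band" if flags else "ROUTINE"
```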
BEC vs. VEC: a clear comparison
| Factor | BEC | VEC |
|---|---|---|
| Who is impersonated | Internal executive, employee, or IT contact | External vendor or supplier |
| Email origin | Spoofed or lookalike domain | Often the real, compromised vendor inbox |
| Primary trigger | Urgency or authority pressure | Routine payment-change or invoice update |
| Detectable by email security tools | Often yes | Rarely |
| Stopped by dual-approval policy | Often yes | Rarely |
| Best defense layer | Identity + approval controls | Payment-destination verification + behavior anomaly detection |
| Share of BEC attacks in Q1 2026 | 39% | 61% |
What to do this week
You do not need to overhaul your AP controls overnight. But there are three things worth doing in the next five business days:
- Brief your AP team on VEC. Share this post, or forward the stat: 61% of BEC attacks now originate from vendor accounts, not internal impersonations. Awareness changes behavior without any technology.
- Audit your bank account change policy. Is there a written procedure that requires out-of-band confirmation for every beneficiary change — even from known vendors? If not, there should be.
- Identify which vendors represent the highest payment risk. If a vendor receives irregular large payments and has no additional verification in your workflow, that relationship is the highest-value target for a VEC attack.
For a deeper look at how these attacks connect to your overall AP fraud exposure, read how BEC attacks target accounting firms and why pre-approved fraud passes standard AP controls.
Stop fraudulent payments before the wire leaves
Vantirs verifies vendor payment instructions and flags new or changed beneficiaries before your AP team approves a payment — catching VEC at the only moment it can be stopped: before the money moves.