Network Brainiacs
Tip #29·Social engineering

The vendor email compromise.

When your real vendor's email gets hacked, the fraud that follows looks perfectly legitimate. Verification policies are the only real defense.

Vendor email compromise is devastating because it's not a fake email — it's a real email, from your real vendor, sent by an attacker who has been living in their inbox for weeks. The tone matches. The history matches. Only one thing is different: the banking details on the next invoice.

Why it's the hardest attack to catch

Every normal red flag is gone. The sender address is real. The thread history is real. The vocabulary matches. The attacker has studied months of prior correspondence. When a small business relies on 'does this email look legit?' as their verification, vendor email compromise walks right through it.

Real incidents

A law firm's closing attorney had her email compromised. Attackers sent wiring instructions to five clients from her real inbox.

Red flag: Three clients wired money to the attacker's account. The only one who didn't was the one whose bank required a verbal callback on wire instructions.

A manufacturing supplier's AR clerk had his email compromised. Attackers changed banking details on the next ten invoices.

Red flag: Customers paid without calling to verify. $340K lost across the customer base before anyone flagged it.

The only defenses that work

  • Verbal callback for any banking or wiring change from a vendor — on a number you already have.
  • Strict two-person approval on any change to an existing vendor's payment details.
  • When a vendor says their email may have been compromised, rotate passwords and MFA on your systems — attackers often pivot into yours first.
  • Monitor for replies to old email threads — a classic VEC technique is to resurrect an old thread.
  • DMARC with strict policy — blocks lookalike domain variants of your vendors.
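The "replies to old email threads" item above can be turned into a simple mail-flow check. The script below is an added example, not Network Brainiacs' code: it scans a constructed set of mailbox records and flags a reply only when the thread has been idle for a long stretch and the new message brings up banking or wire details. The 60-day threshold and the keyword list are assumptions to tune for your own mail volume.

```python
"""Flag replies that resurrect a dormant thread and raise payment details.

Added example with constructed sample data; the idle threshold and the
keyword list are assumptions, not a published standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

DORMANT_DAYS = 60  # assumed: a thread idle this long counts as "old"
PAYMENT_TERMS = ("bank", "wire", "routing", "account number", "remit", "iban", "swift")


@dataclass
class Message:
    msg_id: str
    thread_id: str
    sender: str
    sent: datetime
    body: str


def is_payment_change(body: str) -> bool:
    """True if the message text mentions banking or wire details."""
    text = body.lower()
    return any(term in text for term in PAYMENT_TERMS)


def flag_resurrected_threads(messages, dormant_days=DORMANT_DAYS):
    """Return (msg_id, reason) for each reply that arrives after the thread
    has been idle >= dormant_days AND mentions payment details. Both
    conditions must hold, so routine invoice traffic is not flagged."""
    by_thread = {}
    for m in sorted(messages, key=lambda m: m.sent):
        by_thread.setdefault(m.thread_id, []).append(m)
    flags = []
    for thread in by_thread.values():
        for prev, cur in zip(thread, thread[1:]):
            gap = cur.sent - prev.sent
            if gap >= timedelta(days=dormant_days) and is_payment_change(cur.body):
                flags.append((cur.msg_id, f"reply after {gap.days} idle days mentions payment details"))
    return flags


SAMPLE = [  # constructed mailbox records, not real correspondence
    Message("m1", "t-po-1182", "ar@supplier.example", datetime(2024, 1, 10), "PO 1182 shipped, invoice attached."),
    Message("m2", "t-po-1182", "ap@yourco.example", datetime(2024, 1, 12), "Thanks, paid per usual terms."),
    Message("m3", "t-po-1182", "ar@supplier.example", datetime(2024, 5, 3),
            "Following up on this order: our bank changed, please use the new account number on the attached invoice."),
    Message("m4", "t-po-1201", "ar@supplier.example", datetime(2024, 5, 1), "Invoice for PO 1201 attached."),
    Message("m5", "t-po-1201", "ar@supplier.example", datetime(2024, 5, 2), "Correction: please wire to our new routing number."),
    Message("m6", "t-catalog", "ar@supplier.example", datetime(2024, 1, 5), "Here is the spring catalog."),
    Message("m7", "t-catalog", "ap@yourco.example", datetime(2024, 5, 4), "Do you have the updated catalog?"),
]

if __name__ == "__main__":
    for msg_id, reason in flag_resurrected_threads(SAMPLE):
        print(msg_id, reason)  # only m3 is flagged: old thread plus new bank details
```

m5 is not flagged because the thread is active, and m7 is not flagged because it says nothing about payment; a hit like m3 should route to the verbal-callback step rather than to whoever is processing the invoice.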

We help with wire policies.

A one-page wire-verification SOP stops vendor email compromise. Ask us for a template.

Do this today
  1. Require a verbal callback for any banking or wire change from a vendor, regardless of history.
  2. Use a phone number you have on file — never the one in the email.
  3. If a vendor announces a breach, rotate passwords and MFA on systems they interact with.
  4. Train AP staff specifically on vendor email compromise — it doesn't look like phishing.
  5. Ask your critical vendors about their email security — do they use MFA, DMARC, and monitoring?

Want help securing your business?

Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.
