7 min read · By Excello Mail Team

Vendor Email Compromise Now Makes Up 61% of Business Email Fraud. DMARC Alone Won't Stop It.

The Abnormal AI 2026 Attack Landscape Report analyzed nearly 800,000 attacks and found that 61% of all BEC incidents are now vendor-related. Understanding why VEC bypasses authentication – and what DMARC still does – is critical for any organization managing supplier relationships.

Abnormal AI’s 2026 Attack Landscape Report, published in April, analyzed nearly 800,000 email attacks across more than 4,600 organizations during the second half of 2025. One finding in particular is worth pausing on: 61% of all business email compromise incidents in that dataset were vendor-related. The majority of BEC is no longer about impersonating a CEO. It is about impersonating a supplier.

That shift has direct consequences for how organizations think about email authentication – and about what DMARC can and cannot do.

What Vendor Email Compromise Actually Is

Business Email Compromise is typically understood as an attacker impersonating a senior executive to redirect funds or extract sensitive information. That framing was accurate for the attacks that dominated BEC a decade ago. It is no longer the dominant pattern.

Vendor Email Compromise, or VEC, targets the supplier and partner relationships that organizations rely on for payment processing, invoicing, and account management. There are two main variants.

In the first, an attacker compromises a legitimate email account at a vendor – through credential phishing, password reuse, or account takeover – and uses that account to send fraudulent payment instructions to the vendor’s customers. The email arrives from the vendor’s actual domain, using the vendor’s actual email infrastructure. It passes every authentication check because it is, technically, a legitimate email. DMARC cannot stop it.

In the second variant, the attacker does not compromise the vendor account directly. Instead, they register a look-alike domain – close enough to fool a reader moving quickly – and spoof or impersonate vendor correspondence. This variant can be addressed through authentication if the vendor enforces DMARC on the spoofed domain, or if the target organization’s security tooling flags look-alike domains.

The Abnormal AI report found that the first variant – actual account compromise leading to VEC – now accounts for the majority of VEC attacks. Attackers have learned that compromising a vendor account provides better returns than registering a look-alike domain, in part because authenticated email from a trusted sender bypasses most detection systems.

The Billing Account Update Trap

The most consistently effective VEC lure, according to the Abnormal AI data, is the billing account update request. These are emails that appear to come from a vendor you are already paying, notifying you of a change in bank account details, routing numbers, or payment destination.

The Abnormal AI report found a 26.5% compromise rate on billing account update requests. That figure represents the share of recipients who take the requested action – in this case, updating payment details to a fraudulent account – before the fraud is detected. For comparison, the phishing industry average click rate across all attack types sits below 5%.

The reason the compromise rate is so high is the same reason VEC is difficult to detect: the email fits a legitimate workflow. Finance teams receive genuine vendor account update notifications. The email may reference real invoice numbers, real contact names, and real account relationships. The only fraudulent element is the new payment destination. By the time the misdirected payment is discovered, it has typically already been withdrawn.

What DMARC Does and Does Not Address

DMARC – Domain-based Message Authentication, Reporting and Conformance – authenticates that an email claiming to come from a domain was actually sent by infrastructure authorized to send on that domain’s behalf. A DMARC record at p=reject tells receiving mail servers to block messages that fail this test.

That enforcement is highly effective at stopping one major class of BEC: domain spoofing. If your domain is forged in the From address of a phishing email targeting someone else, your p=reject policy means that email will be rejected by the recipient’s mail server – provided that server enforces DMARC, and most major providers now do.

What DMARC cannot address is a vendor whose legitimate email account has been compromised. If an attacker is sending from inside your vendor’s infrastructure using a real account, the email passes SPF, DKIM, and DMARC checks on the vendor’s domain. Authentication answers the question of whether the sending infrastructure is authorized for the sending domain. It does not answer whether the human who sent the email is who they claim to be.

This means DMARC on your own domain protects your identity from being spoofed. It does not protect you from being defrauded by a compromised vendor account. The two problems require different solutions.
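To make the distinction concrete, here is a simplified DMARC evaluator (added example, not part of the original article or of any Excello Mail product) run against the two VEC variants described above. Domain names, the vendor's DMARC record and the authentication results are constructed; organizational-domain lookup is reduced to the last two labels instead of the Public Suffix List, and the pct= and sp= tags are ignored.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    """Organizational domain, simplified: real implementations consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()

def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' requires an exact match, 'r' the same organizational domain."""
    hf, ad = header_from.lower(), auth_domain.lower()
    return hf == ad if mode == "s" else org_domain(hf) == org_domain(ad)

@dataclass
class Message:
    header_from: str   # RFC 5322 From: domain the recipient actually sees
    spf_result: str    # "pass" / "fail" for the envelope sender (MAIL FROM)
    spf_domain: str    # domain SPF was evaluated against
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the verified DKIM signature, "" if no signature

def dmarc_disposition(msg: Message, policy: dict) -> str:
    """Return 'pass', or the published disposition (none/quarantine/reject) on failure.

    DMARC passes when at least one authenticated identifier (SPF or DKIM) is aligned
    with the From: domain. It says nothing about who is typing at the keyboard.
    """
    spf_ok = msg.spf_result == "pass" and aligned(msg.header_from, msg.spf_domain, policy.get("aspf", "r"))
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.header_from, msg.dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")

# Assumed vendor DMARC record: v=DMARC1; p=reject; adkim=r; aspf=r
VENDOR_POLICY = {"p": "reject", "adkim": "r", "aspf": "r"}

# Constructed scenarios for the two VEC variants.
# Variant 2: look-alike/spoofed sender, no aligned SPF or DKIM -> rejected by p=reject.
SPOOFED = Message("acme-supplier.example", "fail", "attacker.example", "none", "")
# Variant 1: mail sent from the vendor's own compromised account -> passes everything.
COMPROMISED = Message("acme-supplier.example", "pass", "acme-supplier.example",
                      "pass", "acme-supplier.example")

if __name__ == "__main__":
    print("spoofed:", dmarc_disposition(SPOOFED, VENDOR_POLICY))          # reject
    print("compromised:", dmarc_disposition(COMPROMISED, VENDOR_POLICY))  # pass
```

The second result is the whole problem: the compromised-account message is indistinguishable from legitimate vendor mail at the authentication layer, which is why the payment-change verification described later has to live in process, not in DNS.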

What DMARC Still Provides

None of this makes DMARC enforcement less important. It changes where DMARC fits in the defense model.

DMARC enforcement at p=reject on your own domain eliminates the possibility that your domain will be used to send phishing or BEC attacks against others – including your vendors, your customers, and your employees. If an attacker tries to spoof your domain to impersonate you in a VEC attack targeting your supplier, your p=reject policy ensures those emails are rejected.

DMARC aggregate reports (rua=) provide ongoing visibility into every source sending mail that claims to be from your domain. That includes authorized sources – your ESP, your CRM, your transactional mail system – and unauthorized sources. If someone is using your domain in an attack, aggregate reports will surface it, typically within 24 hours.

DMARC also makes credential-phishing attacks against your employees harder to scale. Attackers deploying phishing to gain initial access to vendor accounts frequently use spoofed domains of the target’s own suppliers. If those supplier domains enforce DMARC, the spoofed phishing emails are rejected. Better authentication across the supply chain reduces the pool of compromised accounts available for VEC.

The Defense Model VEC Requires

Stopping vendor email compromise requires a layered approach that goes beyond authentication.

Authentication is the foundation. Enforce DMARC at p=reject on your own domain. Verify that your critical vendors have done the same. DMARC enforcement across the supply chain reduces the look-alike domain variant of VEC and constrains the pool of accounts that can be phished for initial access.

Process verification is the control. No payment instruction arriving by email should change bank account details without independent verification through a second channel – a phone call to a number you have on record, not one provided in the email. Financial operations teams need clear policies requiring out-of-band confirmation for any payment destination change.

Behavioral detection identifies anomalies. The Abnormal AI report argues that VEC detection increasingly requires behavioral AI: systems that model the normal patterns of vendor communication and flag deviations. An email from a vendor you have worked with for three years that suddenly instructs you to update payment routing to an account in a new jurisdiction is anomalous. Content-based filters trained on malicious indicators miss it. Behavioral systems tuned to communication patterns can catch it.

Aggregate reporting extends your visibility. If you receive DMARC aggregate reports and review them regularly, you will know when traffic claiming to originate from your domain is failing authentication – which may indicate an attacker is targeting your suppliers by spoofing your domain. That visibility can help you alert vendors to fraudulent email before they are victimized.

The Supply Chain Is the Attack Surface

The Abnormal AI report’s central finding is not that a particular tactic has become more common. It is that the attack surface has shifted. For most of BEC’s history, the target of impersonation was the victim’s own organization – the CFO, the CEO, the IT helpdesk. Attackers have now learned that the supply chain provides a more scalable attack surface, because supplier relationships are trusted, payment workflows are routine, and vendor account update notifications are expected.

That shift does not diminish the importance of protecting your own domain. It adds an argument for treating the domains of your critical vendors as part of your security posture as well.


Excello Mail gives you complete visibility into your authentication status, aggregate report analysis, and guidance on reaching p=reject enforcement – so that when VEC attackers try to spoof your domain to reach your vendors or your customers, the infrastructure is already in place to stop them. Sign up for free to Excello Mail and lock down your end of the supply chain.