chat
expand_more

Threat Report: BEC and VEC Attacks Continue to Surge, Outpacing Legacy Solutions

Our H2 2024 Email Threat Report revealed the rates of business email compromise and vendor email compromise continue to increase. Learn more.
August 21, 2024

While the way we work has evolved throughout the digital age, two constants remain: email is still the primary hub for professional communication, and employees are the weakest link in your cybersecurity chain. This combination creates a convenient opportunity for enterprising threat actors willing to put in extra time for a big payday. Unfortunately, our research shows more cybercriminals are deeming the effort worthwhile.

According to our H2 2024 Email Threat Report, business email compromise (BEC) attacks grew by more than 50% between H2 2023 and H1 2024, and an average of 41% of customers were targeted by VEC attacks every week between January and June 2024.

Keep reading for more insights from our latest report on the email threat landscape.

BEC Attacks Fly Under the Radar of Traditional Security Solutions

Business email compromise (BEC) attacks aren’t the easiest cybercrime to commit. Instead of casting a wide net and hoping to catch a few off-guard recipients, threat actors focus their time and energy on deceiving a single, high-value target—such as an employee with access to financial operations and other critical data. But, while these attacks are time-intensive and require meticulous research, they only have to work once for cybercriminals to rake in a hefty reward or gain access to sensitive data.

By learning as much as possible about their targets through public resources like LinkedIn and leveraging a compromised email account or lookalike domain, BEC attackers can effectively impersonate someone their victim knows—like a colleague or manager—and trick them into taking action. And with generative AI tools at their disposal, it’s easy for threat actors to craft credible-sounding messages that reflect the style and tone of the individual they’re mimicking.

H2 2024 Threat Report BEC Attack Volume

Additionally, the fact that they’re a low-volume threat works in attackers’ favor since they don’t create any spikes in activity that might otherwise tip off email monitoring. Plus, they rarely include malicious links, attachments, or other signs that traditional security tools are programmed to detect.

Given how easily BEC attacks fool security solutions and security-aware employees, it’s no surprise they’re becoming a favorite strategy among cybercriminals. Since the FBI Internet Crime Complaint Center (IC3) began tracking BEC in 2015, attacks have surged by more than 1000% and caused total losses of more than $14.3 billion. In 2023, organizations forked out more than $137,000 per incident.

BEC Attacks by Organization Size H2 2023 vs H1 2024

And while BEC attacks on global enterprises might make the news, smaller organizations’ limited cybersecurity budgets make them a prime target for threat actors too. Between H2 2023 and H1 2024, BEC attacks on smaller organizations jumped by nearly 60%, from 5.6 attacks per 1,000 mailboxes to 8.8.

In other words, no organization is immune to this rapidly growing threat.

Vendors Provide Entry Points for High-Reward VEC Attacks

Like BEC attacks, vendor email compromise (VEC) is a high-effort yet high-reward strategy that leverages social engineering tactics to exploit employees’ trust. Instead of impersonating an internal employee, however, VEC threat actors pose as service providers, suppliers, distributors, or other vendors and convince targets to pay phony invoices or change banking details in their accounting system.

Although this type of threat only makes up a small fraction of advanced attacks, it’s becoming increasingly common. Because every company an organization works with creates another possible entry point, there are numerous potential vulnerabilities for cybercriminals to exploit. So, even if an organization takes every possible precaution, it may still fall victim to a vendor’s negligence.

H2 2024 Threat Report VEC Attack Likelihood

All it takes is for an attacker to gain access to one account in an organization’s vendor ecosystem, and they can easily deceive targets into taking action. And, because these emails come from legitimate accounts, they can easily evade legacy email security solutions. In some cases, attackers have even hijacked existing threads, making it almost impossible for an employee to recognize the email as a threat.

Although all organizations are at risk, our research found nearly 70% of retail and consumer goods manufacturers experienced at least one VEC attack in the first half of 2024, along with more than 68% of construction and engineering firms. Both industries manage a high volume of email and complex networks of vendors and supply chains, which means cybercriminals have plenty of opportunities to stealthily commandeer communications without ringing alarm bells.

Protecting Your Organization From BEC and VEC Attacks

Because they require careful research and technical knowledge, BEC and VEC attacks still occur less frequently than other advanced attacks. That said, they can also be among the most destructive. Additionally, as the use of generative AI grows and more malicious generative AI tools enter the market, we’ll likely see even more cybercriminals leveraging BEC and VEC to slip past security and wreak havoc on organizations of all sizes and sectors.

These attacks are virtually undetectable to the average employee and consistently undermine legacy security tools, making it essential to adopt a more advanced email security platform. Modern solutions using AI-native detection can pick up on anomalies that secure email gateways (SEGs) miss, preventing them from reaching end users or giving them time to engage.


For more insight into the state of BEC and VEC attacks and the current email threat landscape, download our H2 2024 Email Threat Report.

Get the Report
Threat Report: BEC and VEC Attacks Continue to Surge, Outpacing Legacy Solutions

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Offensive AI 12 16 24
Learn how AI is used in cybersecurity, what defensive AI vs. offensive AI means, and how to use defensive AI to combat offensive AI.
Read More
B Proofpoint Customer Story Blog 7
See how Abnormal's AI helped a Fortune 500 insurance provider detect 27,847 threats missed by Proofpoint and save 6,600+ hours in employee productivity.
Read More
B Cyberattack Forecast Emerging Threats Blog
Uncover the latest email threats and strategies to strengthen your cybersecurity and prepare for 2025.
Read More
B How Phishing Kits Work Blog
Learn how phishing kits provide pre-packaged tools for stealing credentials, bypassing MFA, and targeting platforms like Gmail and Microsoft 365.
Read More
ABN Innovate Blog 1 L1 R1
Join Abnormal Security for a one-day virtual conference featuring the best insights from cybersecurity experts and AI leaders.
Read More
B Partners2024
Discover how strategic investments, global collaboration, and cutting-edge initiatives have empowered our partners to thrive and set the stage for even greater success in 2025.
Read More