Vendor email compromise (VEC) attacks are becoming increasingly effective, with engagement rates “worrisomely high,” according to new research by Abnormal AI.

The study, published during Infosecurity Europe 2025, found that engagement with VEC messages eclipsed that of business email compromise (BEC) in the EMEA region.

In EMEA, second-step engagement rates from VEC messages exceeded BEC engagement by 90%, at a rate of 47.3%. In addition, repeat engagement was more than twice that of BEC.

Engagement relates to follow-up actions performed by recipients who read the initial email, including replying and forwarding the message.

The report also found that EMEA organizations had the lowest reporting rate for VEC across all regions, at 0.2%. In contrast, they had the highest reporting rate for BEC, at 4.2%.

They also had the lowest rate of second-step engagement with BEC (24.7%).

Both VEC and BEC involve the misuse of a familiar identity to try to trick employees into paying fake invoices or initiating fraudulent wire transfers.

However, unlike BEC, in VEC attacks the person being impersonated is an external third party, such as a partner or supplier.

In BEC, attackers typically impersonate a senior member of the management team, such as the CEO.

There was a slightly lower VEC engagement rate in APAC (40.2%) and North America (44.4%) compared to EMEA. The global average was 44%.

However, these two regions were far more likely to engage with BEC attacks.

The researchers said this trend could be a result of cultural factors, such as more hierarchical workplace dynamics, meaning employees are more likely to comply with authority-driven requests – a hallmark of BEC.