Vendor Email Compromise: Silent $300 million threat CISOs can’t ignore

AI expands threat complexity
Unlike traditional phishing, VEC attacks mimic legitimate business email threads, often using AI to reproduce tone, branding, and message history with high precision. With no obvious detection triggers, these emails bypass filters and even fool cautious employees, who often rush to resolve seemingly urgent issues such as unpaid payments in a tight job market.
“Existing controls such as multifactor authentication are failing against these AI-driven attacks,” Dubar warned. “We need a basic strategy shift to address psychological manipulation, not just credential verification.”
He added that perimeter defense alone cannot prevent such AI-powered VECs. “Organizations need three key upgrades: AI-driven email analytics to detect subtle contradictions, proactive vendor validation protocols, and retraining employees to recognize social engineering, not just technical threats.”