New VEC attack data shows why cybersecurity awareness needs a reboot

There’s a sobering truth in the latest threat report from Abnormal Security: 44% of employees engage with vendor email compromise (VEC) attacks. That means almost half of the people reading these fake messages either reply or forward them – often without realising they’ve just played into a scam.

Cybercriminals are exploiting people, as one of the weakest links in enterprise security. And not just employees; vendors, too, are proving to be rich ground for manipulation. 

It’s time for cybersecurity leaders to rethink how they approach awareness and training. Because conventional methods aren’t keeping up with new threats. 

The risk is real – and it’s growing 

From March 2024 to March 2025, Abnormal monitored over 1,400 organisations and analysed how employees interacted with text-based advanced email attacks. They weren’t blocking the emails – just watching what happened. 

And the result was a clear picture of just how vulnerable organisations really are: 

• 44.2% of all employees engaged with VEC emails.
• 98.5% of text-based advanced attacks were not reported.
• Attackers attempted to steal over $300 million via fake vendor emails.
• In large enterprises, 72.3% of VEC emails were actioned after being read – that’s nearly 3 out of every 4.

Importantly, it’s not a one-time issue for each individual. Out of those who engaged, 7.3% had fallen for a similar attack before – which shows that prior experience alone isn’t enough to prevent repeat mistakes.

Why are these attacks so successful? 

VEC attacks are particularly dangerous because they mimic normal business workflows. It’s completely ordinary for vendors to ask for invoice payments or banking detail updates – so when scammers copy that format perfectly, employees often don’t see the red flags.

Add AI into the mix and things get even harder. We know that attackers are now using AI-powered tools to craft emails that look, sound and feel legitimate. They can hijack real threads, spoof addresses with subtle typos, and even mimic a vendor’s tone of voice very neatly; so by the time the email lands in the inbox, it’s almost indistinguishable from the real thing.

It’s a human problem

We asked Nisreen Al Khatib (Expert in IS Risk Management, Data Privacy, and Cybersecurity Management) what the industry can do to improve security awareness. Her answer cuts to the core of the issue:

“Cybersecurity is a technical topic, however due to the nature and impact of cyberattacks, awareness and education touches all people who go online – and this covers a huge population with diverse knowledge, educational backgrounds, and security understanding. 

“So the topic has to be portrayed in a nontechnical manner that all these people can understand and relate to.”

It’s a critical challenge: not everyone speaks ‘cyber.’ But everyone’s vulnerable. So our awareness programmes must be tailored for different audiences, not copy-pasted across departments and teams.

“The wide range of our target audience necessitates that we create different messaging for different groups,” Al Khatib added. 

“We also need to keep enhancing and updating our messages and means to cope with the advancing threats – and at the same pace, if not faster. We can’t address cybersecurity education and awareness with the same old methods, or we will get the same disappointing results.”

Are some roles at more risk than others? 

Yes. The Abnormal report shows that engagement with VEC attacks isn’t evenly spread. Employees in sales and project management roles had the highest engagement rates. Entry-level sales staff replied or forwarded these emails 86% of the time.

This shouldn’t be a surprise, because these roles often rely heavily on communication, work across departments, and are incentivised to respond quickly and helpfully. 

That means they’re more likely to act on a well-crafted vendor request without second-guessing it. But rather than pointing fingers, security leaders need to prioritise these roles in their awareness strategies – with targeted, context-aware training and support.

The problem with vendors 

An organisation’s supply chain is only as secure as its weakest link. Attackers know this. In fact, some of the most effective VEC attacks observed in the report involved hijacked email threads from real vendors – messages that would have passed even advanced spam filters.

That’s why improving awareness shouldn’t stop at your own employees. Vendors need support too.

“Every partner represents another entity that can be impersonated or an account that can be compromised,” the report warns. “And every member of the workforce represents a potential target – a human that is far from infallible.”

Organisations need to fix broken reporting protocols 

Perhaps the most alarming stat from this report is that only 1.46 of advanced email attacks that were read were reported. That’s a massive operational gap. If employees aren’t flagging threats, your security team can’t respond quickly, analyse those threats, or protect others.

Why don’t people report? 

• Bystander effect: they assume someone else has done it.
• Fear of being wrong: they’d rather stay silent than flag a false alarm.
• ‘No harm, no foul’ mentality: if they didn’t click, they think it’s not their problem.

But silence enables threats. Security culture needs to make reporting the default, and actively remove any shame or hesitation around it.

How can security leaders use these insights to protect against VEC attacks? 

1. Tailor awareness training. Different departments face different risks. Create relevant scenarios for high-risk teams like finance, project management and sales.
2. Make it continuous. Cyber threats evolve constantly, so your training should too. Run regular refreshers and simulations, and update content often.
3. Collaborate across industries. As Al Khatib put it, we need partnerships “with education, communication, and media – to benefit from their expertise and insights.”
4. Extend awareness to vendors. Offer guidance, tools and even joint simulations with third-party suppliers.
5. Reframe reporting as a strength. Celebrate those who report suspicious emails. Build habits, not fear.

Cybersecurity can’t just be left to tools and firewalls. When nearly half of your workforce is unknowingly playing into scams (and most aren’t speaking up about it) something has to change.

“We can’t address cybersecurity education and awareness with the same old methods, or we will get the same disappointing results,” said Al Khatib. 

It’s time to modernise awareness. Because attackers already have.