There’s a sobering truth in the latest threat report from Abnormal Security: 44% of employees engage with vendor email compromise (VEC) attacks. That means almost half of the people reading these fake messages either reply or forward them – often without realising they’ve just played into a scam.
Cybercriminals are exploiting people, as one of the weakest links in enterprise security. And not just employees; vendors, too, are proving to be rich ground for manipulation.
It’s time for cybersecurity leaders to rethink how they approach awareness and training. Because conventional methods aren’t keeping up with new threats.
From March 2024 to March 2025, Abnormal monitored over 1,400 organisations and analysed how employees interacted with text-based advanced email attacks. They weren’t blocking the emails – just watching what happened.
And the result was a clear picture of just how vulnerable organisations really are:
Importantly, it’s not a one-time issue for each individual. Out of those who engaged, 7.3% had fallen for a similar attack before – which shows that prior experience alone isn’t enough to prevent repeat mistakes.
VEC attacks are particularly dangerous because they mimic normal business workflows. It’s completely ordinary for vendors to ask for invoice payments or banking detail updates – so when scammers copy that format perfectly, employees often don’t see the red flags.
Add AI into the mix and things get even harder. We know that attackers are now using AI-powered tools to craft emails that look, sound and feel legitimate. They can hijack real threads, spoof addresses with subtle typos, and even mimic a vendor’s tone of voice very neatly; so by the time the email lands in the inbox, it’s almost indistinguishable from the real thing.
We asked Nisreen Al Khatib (Expert in IS Risk Management, Data Privacy, and Cybersecurity Management) what the industry can do to improve security awareness. Her answer cuts to the core of the issue:
“Cybersecurity is a technical topic, however due to the nature and impact of cyberattacks, awareness and education touches all people who go online – and this covers a huge population with diverse knowledge, educational backgrounds, and security understanding.
“So the topic has to be portrayed in a nontechnical manner that all these people can understand and relate to.”
It’s a critical challenge: not everyone speaks ‘cyber.’ But everyone’s vulnerable. So our awareness programmes must be tailored for different audiences, not copy-pasted across departments and teams.
“The wide range of our target audience necessitates that we create different messaging for different groups,” Al Khatib added.
“We also need to keep enhancing and updating our messages and means to cope with the advancing threats – and at the same pace, if not faster. We can’t address cybersecurity education and awareness with the same old methods, or we will get the same disappointing results.”
Yes. The Abnormal report shows that engagement with VEC attacks isn’t evenly spread. Employees in sales and project management roles had the highest engagement rates. Entry-level sales staff replied or forwarded these emails 86% of the time.
This shouldn’t be a surprise, because these roles often rely heavily on communication, work across departments, and are incentivised to respond quickly and helpfully.
That means they’re more likely to act on a well-crafted vendor request without second-guessing it. But rather than pointing fingers, security leaders need to prioritise these roles in their awareness strategies – with targeted, context-aware training and support.
An organisation’s supply chain is only as secure as its weakest link. Attackers know this. In fact, some of the most effective VEC attacks observed in the report involved hijacked email threads from real vendors – messages that would have passed even advanced spam filters.
That’s why improving awareness shouldn’t stop at your own employees. Vendors need support too.
“Every partner represents another entity that can be impersonated or an account that can be compromised,” the report warns. “And every member of the workforce represents a potential target – a human that is far from infallible.”
Perhaps the most alarming stat from this report is that only 1.46 of advanced email attacks that were read were reported. That’s a massive operational gap. If employees aren’t flagging threats, your security team can’t respond quickly, analyse those threats, or protect others.
Why don’t people report?
But silence enables threats. Security culture needs to make reporting the default, and actively remove any shame or hesitation around it.
Cybersecurity can’t just be left to tools and firewalls. When nearly half of your workforce is unknowingly playing into scams (and most aren’t speaking up about it) something has to change.
“We can’t address cybersecurity education and awareness with the same old methods, or we will get the same disappointing results,” said Al Khatib.
It’s time to modernise awareness. Because attackers already have.
Join the newsletter to receive the latest updates in your inbox.
How do you get your first job in cybersecurity? Break things. Because cultivating your hacker mindset can help you differentiate yourself in a competitive market for entry-level infosec roles.
Read More
M&A can be a golden opportunity for malicious hackers. Find out how rushed integrations, open-source risks, and weak access controls turn acquisitions into cybersecurity minefields.
Read More
Credential leaks are escalating, powering stealthy, devastating attacks. Learn why passwords are no longer enough – and how passwordless authentication can help.
Read More