Vendor Email Compromise (VEC)

How This Attack Works

Unlike spoofed vendor emails, Vendor Email Compromise involves criminals who have actually taken over a real supplier's email account. They monitor correspondence silently, then intercept an active invoice thread and replace banking details with their own. Because the email originates from a genuine account, DKIM and SPF checks pass, making this attack exceptionally hard to detect without out-of-band verification.

Red Flags to Watch For

• ✗
  Banking detail change request arrives mid-conversation in an existing invoice thread
• ✗
  New account details are in a different country from the supplier's registered address
• ✗
  The supplier's email replies become slightly delayed or the tone shifts subtly
• ✗
  Wire transfer confirmation receipts stop arriving as normal after a payment
• ✗
  SPF and DKIM pass but the bank account is newly registered or offshore
• ✗
  Supplier calls to ask about a missing payment you believe was already sent

Known Malicious Domains

These domains have been associated with this attack. Never click links going to these addresses.

• accounts-payable-update.comMALICIOUS
• supplier-banking-change.netMALICIOUS
• vendor-payment-redirect.comMALICIOUS
• remittance-update-portal.netMALICIOUS

Glance automatically blocks emails from domains on this list. Domain list is not exhaustive — attackers register new domains continuously.