Abnormal Read Replied: Compromised Employee Engagement Trends 2025

This annual cybersecurity report reveals a 44% employee engagement rate with Vendor Email Compromise (VEC) attacks, exposing significant financial risks exceeding $300 million. The analysis highlights the rising sophistication of attacks aided by AI, sector and regional vulnerabilities, and the critical role of behavioral AI in defending against human-centric threats.

Key points

  • The report typically includes an Executive Summary, detailed threat analysis, engagement metrics by organization size and sector, role-related risk assessment, regional trends, attack case studies, reporting behavior insights, and defense strategies.
  • Key statistics show a 44.2% overall employee engagement rate with VEC messages and over $300 million in attempted vendor fraud during the observation period from March 2024 to March 2025.
  • VEC attacks often lead to the highest or second-highest rates of replies and forwards regardless of company size, geography, or industry, with the telecommunications sector showing the highest engagement rate at 71.3%.
  • Large organizations (50,000+ employees) demonstrated the highest post-read interaction rate with VEC messages at 72.3%, with repeat engagement occurring in 7.3% of these cases.
  • Employees in sales and project management roles are most susceptible, reflecting their frequent email communication and urgency to resolve issues quickly.
  • Regional analysis reveals that EMEA employees engage more with VEC than BEC but report attacks less often, while APAC employees show higher BEC engagement and reporting rates; North American employees are equally vulnerable to both attack types but have higher repeat VEC engagement.
  • Only 1.46% of text-based advanced email attacks that are read are reported, attributed to factors such as the bystander effect, belief that non-engagement suffices, and fear of false alarms.
  • The report includes a detailed case study of a sophisticated vendor impersonation attack that bypassed legacy defenses by hijacking email threads and using lookalike domains.
  • Behavioral AI is championed as the most effective defense, leveraging machine learning to analyze communication patterns, detect anomalies, and automatically remediate threats before employee interaction.
  • Abnormal AI’s platform integrates with cloud email systems and applications, trusted by over 3,200 organizations, including 20% of the Fortune 500, to combat sophisticated socially engineered attacks.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)