CIO Influence

Abnormal AI 2026 Attack Landscape Report: Threat Actors Move Beyond Technical Exploits to Target Human Behavior and Trusted Relationships

New research shows that 61% of business email compromise is now vendor-related, as attackers increasingly mimic everyday workflows.

Abnormal AI, the leader in behavioral AI security, released its 2026 Attack Landscape Report. Analyzing nearly 800,000 email attacks across 4,600+ organizations between July and December 2025, the findings reveal a fundamental shift in cybercrime: attackers are moving away from exploiting technical vulnerabilities and instead targeting behavioral and organizational ones—using highly tailored attacks that exploit trusted relationships and routine workflows.

While attackers are continuing to exploit internal relationships and trust between colleagues, vendor email compromise (VEC) now accounts for the majority of business email compromise (BEC) attacks, making up 61% of all BEC. As attackers shift toward impersonating trusted vendors, they are increasingly using high-stakes financial workflows to maximize impact.

Among these, billing account update requests stand out as the most dangerous vector, carrying a 26.5% compromise rate, which is dramatically higher than routine invoice inquiries at less than 1%. Unlike invoices, which can blend into high-volume payment workflows, billing updates require organizations to reroute legitimate, ongoing payments, prompting greater scrutiny from finance teams.

As a result, attackers are more likely to compromise real vendor accounts or convincingly replicate trusted relationships, investing additional time in reconnaissance and access. This pattern shows that attackers are selectively investing in more credible, higher-effort scenarios where the financial payoff is greatest and the likelihood of success justifies the added complexity.

Other key findings include:

  • Phishing remains the most prevalent threat, accounting for 58% of all attacks, with evasion techniques deployed based on the target. More than one in five phishing attacks (21.6%) now use redirect chains—a tactic that routes victims through multiple URLs to obscure malicious destinations and evade detection by legacy security tools.
  • Higher education is uniquely vulnerable to lateral attacks. Nearly one in eight phishing attacks reaching student inboxes originates from a compromised internal account, and 33% of all BEC in the sector is lateral, highlighting how open, high-turnover environments create ideal conditions for internal spread.
  • Attackers adjust their tactics based on organizational complexity. In small organizations, VIP impersonation accounts for 43% of internal impersonation attacks because executives are more visible, accessible, and often directly involved in financial decisions, making authority-based requests both plausible and effective. In large enterprises, however, layered approval processes and greater awareness of executive impersonation reduce the effectiveness of this approach, prompting attackers to shift toward employee impersonation and more contextually grounded tactics.

“Modern email attacks are shaped by the institutions they target,” said Piotr Wojtyla, Head of Threat Intel and Platform at Abnormal AI. “Attackers are no longer just trying to circumvent security; they are exploiting the very mechanics of how we work. Whether it’s a fake SharePoint notification in a finance department or a lateral attack from a compromised student account, these threats succeed because they are difficult to distinguish from legitimate business as usual. When that happens, detection becomes a behavioral challenge, requiring AI that continuously learns how people and organizations actually operate.”
