
Global Email Threat Landscape: Eye-Opening VEC and BEC Engagement Trends by Region

Regional analysis of 1,400+ organizations reveals how geography shapes email security risks. See which regions are most vulnerable to VEC vs BEC.
July 7, 2025

Your vendors are trusted partners, essential to daily operations. But to cybercriminals, they're the perfect disguise.

Much like traditional business email compromise (BEC), vendor email compromise (VEC) involves the misuse of a familiar identity. In these attacks, however, the person being impersonated is an external third party rather than an internal employee. Recently, we released research that reveals the startling extent to which employees engage with VEC attacks—findings that become even more compelling when examined through a geographic lens.

Our analysis of 1,400+ organizations spanning North America, EMEA, and APAC provided a unique opportunity to examine how employee behavior varies by location. While engagement patterns differed significantly across regions, one alarming trend remained universal: post-read interaction rates with both BEC and VEC were consistently high worldwide.

EMEA: External Impersonation Is a Blind Spot

[Figure: VEC engagement rates, EMEA]

For organizations in EMEA, the post-read interaction rate with VEC eclipsed that of BEC, exceeding it by 90%. Additionally, the repeat engagement rate for VEC was over twice as high as for BEC and the highest of any geographic region.

Interestingly, EMEA employees had the lowest reporting rate for vendor email compromise attacks—a shockingly low 0.27%—but the highest reporting rate for BEC attacks: 4.22%. They also had the lowest rate of post-read engagement with BEC (24.7%).

The Bottom Line

EMEA employees appear to be highly susceptible to continued interaction with VEC attacks but resistant to engaging with BEC, indicating vulnerability to external impersonations and suggesting stronger skepticism toward imitation of internal identities.

This disparity may stem from greater implicit trust in vendors or external partners across EMEA organizations, particularly given the high volume of cross-border business facilitated by mechanisms like the Single Euro Payments Area (SEPA). SEPA is a payment integration initiative designed to make cross-border euro payments as easy as domestic payments by requiring standardized formats for transactions.

APAC: Cultural and Compliance Factors Shape Risk

[Figure: VEC engagement rates, APAC]

For APAC organizations, the data trended in the opposite direction of EMEA enterprises, with BEC engagement surpassing VEC. Though the variation is not as dramatic—business email compromise post-read engagement is just 10% higher—the rate itself (44.4%) remains concerning.

Additionally, APAC employees had the highest BEC repeat engagement rate of any region (5.65%). However, while APAC employees engage with BEC attacks more than VEC, they at least report those attacks at a substantially higher rate, albeit still at a significantly lower-than-desired frequency (1.92%). Notably, APAC had the lowest vendor email compromise post-read interaction rate across all regions (40.24%), but even that remains far above acceptable levels.

The Bottom Line

In contrast to other regions, BEC poses the greater risk for APAC employees, with higher engagement and repeat interaction rates, but their comparatively higher reporting rate for BEC signals better recognition of internal threats.

The higher BEC engagement and repeat rates may reflect the influence of strict, region-specific invoicing and documentation requirements, such as China’s fapiao system, which could make vendor fraud attempts less convincing or easier to detect. Additionally, cultural factors—such as more hierarchical workplace dynamics in parts of the region—may contribute to employees being more likely to comply with authority-driven requests (a hallmark of BEC) without questioning their legitimacy.

North America: Equal Opportunity for Exploitation

[Figure: VEC engagement rates, North America]

Employees at organizations in North America demonstrated equal vulnerability to BEC and VEC attacks, with a negligible difference between the post-read interaction rates for both attack types. However, similar to EMEA, the repeat engagement rate for VEC attacks was considerably higher than for BEC attacks—7.42% vs. 2.69%.

This indicates employees may not recognize they’ve been manipulated, increasing the risk of repeated engagement without targeted intervention or improved training. Like their counterparts in EMEA and APAC, North American organizations reported BEC attacks more often than VEC, though reporting remained low overall.

The Bottom Line

North American employees engage with VEC and BEC attacks at nearly equal rates but are more likely to fall for vendor email compromise attacks repeatedly, suggesting greater challenges in recognizing vendor-based deception. The equal engagement rates indicate both internal and external impersonation attacks are equally believable to employees.

However, the much higher VEC repeat engagement rate may reveal gaps in vendor verification processes and/or blind spots in security awareness training. This highlights the need for more targeted education on identifying vendor-based threats, particularly those that blend into routine workflows.

While the regional variations in VEC and BEC engagement reveal important geographic risk profiles, they also highlight a more fundamental challenge that transcends borders: the widespread failure to report suspicious emails.

The Reporting Deficit in Email Security

If your organization relies on employee reporting to understand the full extent of attack frequency, we have bad news: only 1.46% of text-based advanced email attacks that are read are reported.

To put that in perspective, between March 2024 and March 2025, a mid-market enterprise with 1,500-3,000 employees received an average of approximately 560 text-based advanced attacks per 1,000 mailboxes each month. That means, every month, there are an estimated 840-1,680 attacks not being reported to the security team. For larger organizations, the number can be much, much higher.

Why Aren’t Employees Reporting Malicious Emails?

The Bystander Effect

Though most often associated with emergencies, the bystander effect can occur in any setting where multiple individuals share equal responsibility to act. It refers to the tendency of people to do nothing when others are also present or impacted. Essentially, the more people who could act, the less likely it is that anyone will.

In this context, an employee may believe they aren’t the only target of an attack, and thus they don’t report the message because they assume a colleague already has. What should be emphasized is that even if a cybercriminal targets multiple employees, the sooner a malicious email is reported, the easier it is for the SOC team to minimize damage.

No Harm, No Foul

Some employees may believe that as long as they don’t engage with the attacker, they’ve fulfilled their obligation to the organization. But security professionals know that deleting emails without reporting them can be almost as damaging, since it eliminates the SOC team’s chance to investigate, remediate related messages, and take steps to reduce vulnerabilities to similar attacks.

Employees must understand that a message that they recognize as attempted invoice fraud or a bogus account update may not raise red flags for a coworker. And if attacks go unreported, bad actors can continue targeting others.

Fear of Being Wrong

In some cases, an employee may feel uncertain about their ability to distinguish safe emails from attacks. Rather than risk flagging benign messages, they stay silent, either out of fear of looking foolish or creating unnecessary work for the security team. This hesitation is especially common when cybersecurity feels disconnected from day-to-day responsibilities.

But this fear-based inaction can be costly, as a single overlooked attack can lead to widespread compromise if not caught in time. That’s why it’s essential to foster a workplace culture where reporting suspicious messages is encouraged, even when they turn out to be false alarms. Employees should be reassured that it’s always better to err on the side of caution.

Regional Awareness, Universal Vigilance

The geographic variations in VEC and BEC engagement reveal that cybersecurity isn't one-size-fits-all. Cultural factors, business practices, and regulatory environments all shape how employees respond to different types of email threats.

However, the universal challenge remains clear: employees across all regions dramatically under-report suspicious emails, creating dangerous blind spots for security teams. Organizations must tailor their security awareness training to address their enterprise-specific risk profiles while fostering a culture that encourages reporting. Success depends not just on understanding your unique vulnerabilities but also on empowering every employee to become actively involved in the company's cybersecurity strategy.

For even more insights into vendor email compromise and the attack landscape, download our report, Read, Replied, Compromised: Data Reveals 44% Engagement Rate with VEC Attacks.
