
How vendor email compromise targets healthcare organizations


In February 2024, the cyberattack on Change Healthcare disrupted healthcare operations on a national scale. According to the American Hospital Association, 94% of hospitals reported financial impact, with 33% seeing more than half their revenue disrupted. On October 24, 2024, Change Healthcare officially reported to the HHS Office for Civil Rights that the protected health information (PHI) of 100 million Americans had been stolen, making it the largest healthcare data breach in American history.

The attackers didn't need to breach every hospital individually. They compromised one trusted vendor, and the damage cascaded across the entire system. This is the logic behind vendor email compromise (VEC), a targeted attack that exploits the trust organizations place in their suppliers, contractors, and business partners. Unlike the ransomware attack on Change Healthcare, VEC operates quietly, often going undetected until the wire transfer has already cleared.


 

Understanding the difference between VEC and BEC

According to the FBI, BEC attacks resulted in $50.8 billion in exposed losses between October 2013 and December 2022, with 277,918 domestic and international incidents reported. Most people understand BEC as "CEO fraud," where an attacker impersonates a senior executive and pressures an employee into authorizing a wire transfer or sharing sensitive data. The email might appear to come from the CFO, urgently requesting payment before a meeting.

Vendor email compromise is different. In VEC, the attacker doesn't impersonate someone inside your organization. They impersonate, or directly compromise, a trusted external partner. A medical device supplier. A construction contractor. A dental supply company. Research published by the National Technical University of Ukraine defines VEC as "a targeted type of Business Email Compromise attack in which an attacker impersonates a third-party vendor in order to steal information or assets from that vendor's customers." The distinction matters because VEC exploits a fundamentally different vulnerability: not the authority of your CEO, but the trust you've already established with your supply chain.


 

The healthcare supply chain risk

Healthcare organizations are uniquely vulnerable to VEC for several reasons.

  • The volume: Hospitals and large health systems process thousands of invoices monthly from vendors across medical supplies, equipment maintenance, pharmaceuticals, IT services, and construction. Dental practices, while smaller, still manage dozens of recurring vendor relationships: lab services, imaging equipment, software subscriptions, and supply distributors.
  • The urgency: Healthcare operates under constant time pressure. When an invoice arrives from a familiar vendor with "payment overdue" in the subject line, the instinct is to process it quickly and move on to patient care.
  • The concentration of risk: The Change Healthcare attack revealed how dependent the entire sector has become on a small number of mission-driven vendors. According to the AHA, most healthcare organizations' enterprise risk management programs failed to identify this dependency as a single point of failure. When that one trusted vendor goes down or gets compromised, the impact ripples everywhere.

The Paubox 2025 Healthcare Email Security Report found that 180 healthcare organizations reported email-related breaches to the HHS Office for Civil Rights between January 2024 and January 2025. VEC doesn't require the attacker to breach your systems directly. They breach your vendor's systems, and you pay the price.

 

Anatomy of a VEC attack

According to the HHS Health Sector Cybersecurity Coordination Center (HC3), VEC attacks unfold across distinct phases that can span weeks or even months.

Phase 1: Compromise

The attacker gains access to a vendor's email account, often through phishing, credential theft, or exploiting weak authentication. According to the HC3, attackers frequently target vendors because they're often smaller organizations with fewer security resources than their enterprise clients.

 

Phase 2: Surveillance

Once inside, the attacker doesn't act immediately. They monitor email threads, study communication patterns, learn the billing cycles, and identify which clients pay large invoices regularly. They're building a profile, waiting for the right moment.

 

Phase 3: Injection

When a legitimate invoice is due, the attacker strikes. They reply to an existing email thread from the real vendor's compromised account, with updated payment instructions. The bank account has changed. The message looks authentic because it is authentic, except for the one detail that matters.

This approach bypasses nearly every traditional security control. The email comes from a known sender. It references real projects, real invoice numbers, and real relationships. The domain isn't spoofed, and because the attacker has been watching, the timing and tone match perfectly.

 

When vendor trust becomes a weapon

In 2020, threat actors targeted the North Rhine-Westphalia health authority in Germany during the height of the COVID-19 pandemic. According to the HC3 briefing, the attackers cloned the website of a legitimate Spanish supplier of personal protective equipment (PPE). They then compromised the supplier's email and used it to contact German health officials, who believed they were purchasing PPE from a verified vendor.

The attackers provided what appeared to be legitimate documentation: the correct company details, authentic-looking invoices, and proper banking instructions. The officials wired the equivalent of €14.7 million to the specified accounts. Once the money landed, the attackers quickly moved it from Europe to Nigeria. Fortunately, INTERPOL and German authorities intervened, and the funds were eventually recovered. But the health authority came within hours of losing everything. This case illustrates the core of a VEC attack: compromise a trusted vendor's communications, inject fraudulent payment instructions into a legitimate transaction, and disappear before anyone realizes the invoice was fake.

 

The "trusted sender" misconception

Organizations build allow lists (also called whitelists) of trusted senders. Emails from known vendors bypass certain security filters because they've been pre-approved. The logic seems sound: we work with this supplier regularly, their domain is legitimate, let it through.

But VEC exploits exactly this assumption. The email does come from a trusted sender. The domain is real. The SPF, DKIM, and DMARC authentication checks pass. According to the Paubox Healthcare Email Security Report, 34.4% of breached organizations had DMARC configured in "monitor-only" mode, which logs spoofing attempts but doesn't actually block them.

Research on BEC detection challenges found that "a URL or an attachment is used in just 3% of BEC assaults." Traditional filtering technologies look for malicious payloads, infected attachments, suspicious links, and known malware signatures. VEC emails often contain none of these. They're plain-text requests to update banking information. The problem isn't that the sender is unknown. The problem is that the sender is too trusted.
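To make the point concrete, here is an added example (not Paubox code, and not from the report) that reads a domain's DMARC record and the Authentication-Results header of an inbound message. The domain names, the DMARC record, and the header are constructed. It shows two things from the passage above: what "monitor-only" DMARC looks like on the wire (p=none), and that a message sent from a compromised vendor mailbox passes SPF, DKIM, and DMARC, so authentication alone tells the filter only that the mail really came from the vendor's infrastructure.

```python
"""Read a domain's DMARC policy and the Authentication-Results header of an
inbound message.  Added example, not Paubox code; the domains, record and
header below are constructed."""
import re
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_mode(txt: Optional[str]) -> str:
    """Classify what receivers will do with mail that fails DMARC for a domain."""
    if not txt:
        return "not-configured"
    tags = parse_dmarc_record(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"            # reports are sent, nothing is blocked
    if policy not in ("quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    return policy if pct == 100 else f"{policy} ({pct}% of failing mail)"


AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b", re.I)


def parse_authentication_results(header: str) -> dict:
    """Extract the spf/dkim/dmarc outcomes from an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RESULT_RE.finditer(header)}


def sender_authenticated(header: str) -> bool:
    """True when all three checks passed.  For mail sent from a compromised
    vendor mailbox this is exactly what you see: the message genuinely came
    from the vendor's domain, which is why authentication alone cannot catch VEC."""
    results = parse_authentication_results(header)
    return all(results.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))


# Constructed sample: the vendor's domain publishes a monitor-only record, and
# the header is what a receiver records for mail from the vendor's real servers.
SAMPLE_DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc-reports@medsupply.example"
SAMPLE_AUTH_RESULTS = (
    "mx.hospital.example; spf=pass smtp.mailfrom=medsupply.example; "
    "dkim=pass header.d=medsupply.example; dmarc=pass header.from=medsupply.example"
)

if __name__ == "__main__":
    print("vendor DMARC mode:", dmarc_mode(SAMPLE_DMARC_TXT))
    print("message authenticated:", sender_authenticated(SAMPLE_AUTH_RESULTS))
```

Moving a domain from p=none to p=quarantine or p=reject closes the spoofing gap the report describes, but it changes nothing for the compromised-account case: that mail still authenticates cleanly, and the decision has to come from what the message asks for.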


 

Inbound security that analyzes behavior

Stopping VEC requires a different approach to email security, one that doesn't rely solely on sender reputation or domain authentication.

Paubox Email Suite Plus and Premium include inbound security designed for exactly this challenge. Every inbound email passes through a multi-layered filtering process:

Stage 1: Sender validation

Domain and SPF record validation, combined with reputation checks on the sending email server. Emails that fail these checks are rejected outright.

 

Stage 2: Virus and phishing detection

Emails are scanned for embedded macros, phishing links, ransomware, and malware. Anything flagged is quarantined before reaching the recipient.

 

Stage 3: Advanced filtering

This is where VEC attacks are caught. Paubox ExecProtect uses patented display name spoofing prevention. Custom rulesets and content analysis detect unusual requests like sudden changes to payment instructions. Inbound DLP rules flag sensitive patterns that don't match normal communication behavior.

The difference is that this system doesn't just check who sent the email. It analyzes what the email is asking for, and whether that request is consistent with historical patterns. When a vendor you've worked with for years suddenly sends an invoice from a new bank account, that's a behavioral anomaly even if the email is technically legitimate. Detecting that anomaly is what separates organizations that catch VEC from those that wire millions to criminal accounts.
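As an added example of the behavioral check described above (and of the Phase 3 "reply in the thread with updated payment instructions" pattern from the anatomy section), the following code is not Paubox's filter and does not reproduce ExecProtect or its rulesets. It assumes an accounts-payable history of the bank details each vendor address has previously been paid to; the vendor address, bank numbers, and both message bodies are constructed. The check deliberately ignores sender authentication: a message from the vendor's real, compromised mailbox is held purely because the account it names differs from the one on file and because it carries change and urgency language.

```python
"""Behavioral check on an inbound vendor invoice: compare the payment
instructions in the message with the bank details already on file for that
sender, and look for change/urgency language.  Added example, not Paubox
code; the vendor address, bank numbers and message bodies are constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample history: the bank details this organization has actually
# paid for each vendor address (in practice this comes from the AP system).
KNOWN_VENDOR_ACCOUNTS = {
    "billing@medsupply.example": {"routing": "021000021", "account": "123456789"},
}

# Phrases that commonly accompany a change of payment instructions, and the
# urgency language that pressures AP staff to skip a callback.
PAYMENT_CHANGE_PHRASES = (
    "bank account has changed", "updated payment instructions", "new bank details",
    "updated banking information", "new account", "remit to the account below",
)
URGENCY_PHRASES = ("payment overdue", "immediately", "urgent", "final notice", "today")

ROUTING_RE = re.compile(r"\b(?:routing|aba)\s*(?:number|no\.?|#)?\s*[:\-]?\s*(\d{9})\b", re.I)
ACCOUNT_RE = re.compile(r"\baccount\s*(?:number|no\.?|#)?\s*[:\-]?\s*(\d{6,17})\b", re.I)
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


@dataclass
class Assessment:
    action: str                          # "deliver" or "hold_for_review"
    findings: list = field(default_factory=list)


def extract_bank_details(body: str) -> dict:
    """Pull routing/account/IBAN strings out of a plain-text invoice body."""
    details = {}
    if m := ROUTING_RE.search(body):
        details["routing"] = m.group(1)
    if m := ACCOUNT_RE.search(body):
        details["account"] = m.group(1)
    if m := IBAN_RE.search(body):
        details["iban"] = m.group(0)
    return details


def _first_phrase(text: str, phrases) -> str:
    """Return the first phrase found as a whole-word match, or an empty string."""
    for phrase in phrases:
        if re.search(r"\b" + re.escape(phrase) + r"\b", text):
            return phrase
    return ""


def assess_invoice_email(sender: str, subject: str, body: str,
                         known_accounts=KNOWN_VENDOR_ACCOUNTS) -> Assessment:
    """Decide whether an invoice email is consistent with the sender's history.
    Sender authentication is deliberately not an input: mail from a compromised
    vendor mailbox passes SPF/DKIM/DMARC and is still held here."""
    text = f"{subject}\n{body}".lower()
    findings = []
    details = extract_bank_details(body)
    on_file = known_accounts.get(sender.lower())

    if details and on_file is None:
        findings.append("bank details present but no payment history for this sender")
    elif details:
        for key, value in details.items():
            if key not in on_file:
                findings.append(f"{key} not previously seen for this sender")
            elif on_file[key] != value:
                findings.append(f"{key} differs from the account on file")

    if phrase := _first_phrase(text, PAYMENT_CHANGE_PHRASES):
        findings.append(f"payment-change language: '{phrase}'")
    if phrase := _first_phrase(text, URGENCY_PHRASES):
        findings.append(f"urgency language: '{phrase}'")

    # Any mismatch with history, or any request to change where money goes,
    # holds the message for a human callback to the vendor on a known number.
    hold = any(("differs" in f) or ("not previously" in f) or
               ("no payment history" in f) or f.startswith("payment-change") for f in findings)
    return Assessment("hold_for_review" if hold else "deliver", findings)


# Constructed sample messages: a routine invoice, then the Phase 3 reply in the
# same thread with "updated" instructions, sent from the vendor's real address.
SAMPLE_ROUTINE = (
    "Hi, please find attached invoice #4471 for October.\n"
    "Remit to Routing number: 021000021, Account number: 123456789 as usual.\n"
)
SAMPLE_INJECTED = (
    "Following up on invoice #4472. Please note our bank account has changed.\n"
    "Send payment to Routing number: 026009593, Account number: 987654321.\n"
    "This must be completed today to avoid service interruption.\n"
)

if __name__ == "__main__":
    for subj, body in (("Invoice #4471 - October", SAMPLE_ROUTINE),
                       ("Re: Invoice #4472 - payment overdue", SAMPLE_INJECTED)):
        result = assess_invoice_email("billing@medsupply.example", subj, body)
        print(subj, "->", result.action, result.findings)
```

The routine invoice is delivered with no findings; the injected reply is held with four: both bank numbers differ from the account on file, the body announces a changed account, and the subject carries "payment overdue". Urgency language on its own does not hold a message here, since many legitimate dunning notices use it; a changed destination account always does.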

 

FAQs

What is inbound DLP?

DLP stands for data loss prevention. Inbound DLP rules analyze incoming emails for sensitive content patterns like requests to change payment information, unusual banking details, or language commonly associated with fraud. When these patterns are detected, the email is flagged for review rather than delivered directly to the inbox.

 

What is SPF?

SPF (Sender Policy Framework) checks whether the email server sending a message is authorized to send on behalf of that domain. Think of it as a guest list: if the server isn't on the list, the email fails the check.
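The guest-list idea in a runnable form, as an added example that is not Paubox code: a minimal SPF evaluator covering only the ip4, ip6, include and all mechanisms (no a, mx, exists or redirect, and no real DNS; the records come from a constructed in-memory table, and the domains and addresses are constructed). It also shows the VEC edge case: the vendor's own mail servers are on the vendor's list, so a message sent from a compromised vendor mailbox passes SPF exactly as a legitimate one does.

```python
"""Minimal SPF (RFC 7208) evaluator: ip4, ip6, include and all only.  Added
example, not Paubox code; records, domains and addresses are constructed."""
import ipaddress

# Constructed TXT records keyed by domain (real SPF fetches these from DNS).
SAMPLE_SPF_RECORDS = {
    "medsupply.example": "v=spf1 ip4:203.0.113.0/24 include:mail-relay.example -all",
    "mail-relay.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sending_ip: str, records=SAMPLE_SPF_RECORDS, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for a connection from `sending_ip`.
    Returns pass/fail/softfail/neutral, "none" if there is no record, or
    "permerror" for a malformed record or too many nested includes."""
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    ip = ipaddress.ip_address(sending_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                # An IPv4 address is never "in" an IPv6 network (and vice versa).
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"
        elif name == "include":
            # include: matches only when the referenced domain's record passes.
            if check_spf(arg, sending_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        # a, mx, exists, redirect and macros are not modelled in this example.
    return "neutral"                     # no mechanism matched and no "all"


if __name__ == "__main__":
    # The vendor's real server: on the guest list, so SPF passes whether the
    # mailbox behind it is in the vendor's hands or an attacker's.
    print(check_spf("medsupply.example", "203.0.113.77"))   # pass
    print(check_spf("medsupply.example", "198.51.100.10"))  # pass via include
    print(check_spf("medsupply.example", "192.0.2.1"))      # fail (-all)
```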

 

What is email quarantine?

Quarantine is a holding area for suspicious emails. Instead of delivering a potentially malicious message to the recipient's inbox or rejecting it outright, the email is held for review. Administrators can examine quarantined messages and decide whether to release them to the recipient or delete them permanently.
