SEGs fail because they were designed around malicious links, attachments, and known-bad indicators. Modern phishing often arrives as plain text from a trusted-looking sender and uses the business process itself as the attack surface. When there is no payload to sandbox, the gateway has little to stop, so human trust becomes the main control gap.
Why This Matters for Security Teams
secure email gateway were built to inspect messages for known-bad links, malicious attachments, and other technical indicators. That model struggles when the attack is the conversation itself: invoice redirection, payment urgency, vendor impersonation, and reply-chain abuse. Guidance from the NIST Cybersecurity Framework 2.0 is useful here because it pushes defenders toward risk-based detection and response, not just content filtering. NHIMG research on the The State of Secrets in AppSec also shows how quickly attackers can exploit exposed credentials once trust is misplaced, which is the same pattern that makes business email compromise so effective.
The real issue is that modern phishing often arrives as plain text from a legitimate-looking mailbox, so there is no file to detonate and no URL to block. invoice fraud also abuses business process gaps, where approval workflows, vendor master data, and payment controls are weakly enforced. In practice, many security teams encounter fraudulent wire requests only after finance has already treated the message as a routine exception.
How It Works in Practice
Modern attackers design campaigns to look operational, not malicious. They may compromise a mailbox, hijack an existing thread, and then send a short message that references a real invoice, an urgent payment deadline, or a changed bank account. Because the message is credible, the secure email gateway sees little that resembles classic phishing. There may be no attachment, no obvious phishing domain, and no malware payload for a sandbox to flag.
That is why effective control shifts from message inspection alone to layered verification. Strong programmes typically combine:
- DMARC, SPF, and DKIM to reduce simple sender spoofing
- Out-of-band verification for payment changes and bank detail updates
- Finance workflow controls that require dual approval for sensitive transfers
- Mailbox anomaly detection for suspicious forwarding rules, impossible travel, and reply-chain abuse
- User reporting paths that route suspected fraud quickly to security and accounts payable
Current guidance suggests that the most reliable detection comes from correlating message context with identity and transaction context, rather than treating email as a standalone security problem. That is why organisations should pair email controls with process controls and identity assurance, especially for vendor onboarding, first-time payments, and urgent exceptions. NHIMG’s DeepSeek breach coverage is a reminder that once adversaries gain a foothold, they move quickly through trusted channels and exposed data.
These controls tend to break down when finance exceptions are handled informally through chat, text, or reused inbox threads because there is no consistent verification point.
Common Variations and Edge Cases
Tighter payment verification often increases friction, so organisations must balance fraud resistance against business speed. That tradeoff becomes visible in small procurement teams, fast-moving sales operations, and seasonal environments where staff are inclined to approve exceptions quickly.
Some phishing campaigns still use attachments or links, and SEGs remain useful against those older patterns. The harder cases are “payload-free” attacks that depend on social engineering, compromised internal accounts, or adversary-in-the-middle sessions. Best practice is evolving toward layered detection, but there is no universal standard for this yet. Some organisations use mailbox intelligence and behavioural analytics, while others focus on payment controls and user training. The most resilient approach usually combines all three.
Invoice fraud also has edge cases that bypass technical email controls entirely, such as supplier master-data tampering, payroll diversion, or executive impersonation via personal email accounts. In those situations, the key question is not whether the gateway blocked a message. It is whether the organisation had a second control path for validating business-critical changes before money moved.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS | Email fraud exploits weak data and process protections around payments. |
| NIST CSF 2.0 | DE.CM | Gateway blind spots require detection beyond content scanning. |
| NIST CSF 2.0 | RS.CO | Fraud needs rapid coordination between security, finance, and vendors. |
Protect transaction data with layered verification and monitor for anomalous payment-change requests.