
How should security teams stop text-only email fraud when there is no malware to block?

Security teams need controls that evaluate sender behaviour, conversation history, and business context, not just message payloads. Static gateways can still filter spam and known malicious artifacts, but they will miss believable social engineering that exploits trust. The practical answer is to add behavioural detection and verification around sensitive workflows such as payments and account changes.

Why This Matters for Security Teams

Text-only email fraud is dangerous because it bypasses the controls many teams still depend on: attachment scanning, sandboxing, and malware signatures. A convincing message can still redirect a payment, reset an account, or trick an executive assistant without carrying any payload at all. That means the real attack surface is the business process, not the email body. Guidance from the NIST Cybersecurity Framework 2.0 and current email-abuse research both point toward detection that understands trust relationships, not just content inspection. NHIMG research on The State of Non-Human Identity Security also shows how weak monitoring and over-privilege become operational weaknesses once attackers find a path into trusted workflows. Security teams that only tune spam filters often end up seeing fraud after approval chains, mailbox rules, or vendor conversations have already been manipulated. In practice, many security teams encounter the failure only after a finance exception or account-change request has already been approved, rather than through intentional detection design.

How It Works in Practice

The practical response is to add layered controls around high-risk communication and transaction steps. Email security still matters, but it should be paired with behavioural detection that scores sender novelty, reply-chain anomalies, domain impersonation, and unusual timing. For example, a message asking for a bank-detail change should be treated differently if it arrives from a first-time sender, arrives after a silence in the thread, or pushes urgency outside normal business hours.

Effective controls usually include:

  • Conversation-aware filtering that looks at thread history, not isolated messages.
  • Verification workflows for payment, payroll, and supplier-bank changes.
  • Out-of-band approval for requests that change destination accounts or recovery channels.
  • Mailbox rule and forwarding monitoring to spot account takeover attempts.
  • Role-sensitive alerts so finance, HR, and executive assistants get stricter scrutiny.
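The scoring described above, as an added example that is not part of the original article: a small Python scorer that weighs the listed signals (sender novelty, a thread revived after silence, urgency outside business hours, a lookalike domain) for messages that contain a sensitive request, plus a detector over mailbox-rule audit events for the external-forwarding and auto-delete patterns that indicate account takeover. The keyword lists, the 30-day silence threshold, the business-hours range, the message and audit-event field names, and all sample data are constructed assumptions, not values from the article or any product.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed data model for the example: one inbound message with the
# fields the scorer needs. thread_id is assumed to be derived upstream
# from the In-Reply-To / References headers.
@dataclass
class Message:
    sender: str          # From address as received
    received: datetime   # local receive time
    subject: str
    body: str
    thread_id: str

# Assumed keyword lists; a real deployment would tune these per business unit.
SENSITIVE = re.compile(r"\b(bank|account|wire|payroll|iban|routing|password|reset)\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|immediately|today|right away)\b", re.I)
SILENCE = timedelta(days=30)   # a thread revived after this gap is suspicious (assumed)
BUSINESS_HOURS = range(8, 18)  # assumed local working hours


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted):
    """Return the trusted domain that `domain` imitates within one edit, else None."""
    for t in trusted:
        if domain != t and edit_distance(domain, t) <= 1:
            return t
    return None


def score_message(msg, sender_history, thread_history, trusted_domains):
    """Score one message on behavioural signals; returns (score, reasons).

    sender_history: {address: number of prior messages seen from it}
    thread_history: {thread_id: [receive times of prior messages in the thread]}
    Routine mail (no sensitive request) scores 0 and is left to the gateway.
    """
    text = f"{msg.subject} {msg.body}"
    if not SENSITIVE.search(text):
        return 0, []
    score, reasons = 1, ["sensitive request"]
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if sender_history.get(msg.sender, 0) == 0:
        score += 2; reasons.append("first-time sender")
    prior = thread_history.get(msg.thread_id, [])
    if prior and msg.received - max(prior) > SILENCE:
        score += 2; reasons.append("thread revived after long silence")
    if URGENCY.search(text) and msg.received.hour not in BUSINESS_HOURS:
        score += 2; reasons.append("urgency outside business hours")
    imitated = lookalike_domain(domain, trusted_domains)
    if imitated:
        score += 3; reasons.append(f"sender domain resembles trusted {imitated}")
    return score, reasons


def suspicious_rule_events(events, org_domain):
    """Flag mailbox-rule creations that forward outside the org or auto-delete mail.

    `events` are constructed audit records; a real mail platform's audit log
    has its own field names and would need a small adapter.
    """
    hits = []
    for e in events:
        if e["action"] != "rule_created":
            continue
        fwd = e.get("forward_to")
        external = bool(fwd) and fwd.rsplit("@", 1)[-1].lower() != org_domain
        if external:
            hits.append((e["user"], "forwards to external address"))
        elif e.get("delete_after"):
            hits.append((e["user"], "auto-deletes matching mail"))
    return hits


# Constructed sample data: one trusted supplier, one routine message in an
# established thread, and one request from a lookalike domain at night.
TRUSTED = {"acme-supplies.com"}
SENDER_HISTORY = {"ap@acme-supplies.com": 14}
THREAD_HISTORY = {"T1": [datetime(2024, 1, 10, 9, 0)]}
ROUTINE = Message("ap@acme-supplies.com", datetime(2024, 1, 12, 10, 30),
                  "Re: January invoice", "Invoice attached, thanks.", "T1")
FRAUD = Message("ap@acme-supplles.com", datetime(2024, 3, 20, 22, 15),
                "Re: January invoice",
                "Urgent: please update our bank account before the wire goes out today.", "T1")
RULE_EVENTS = [
    {"user": "cfo", "action": "rule_created", "forward_to": "cfo@example.org"},
    {"user": "cfo", "action": "rule_created", "forward_to": "backup@webmail.test"},
    {"user": "ap", "action": "rule_created", "delete_after": True},
]

if __name__ == "__main__":
    for m in (ROUTINE, FRAUD):
        print(m.sender, score_message(m, SENDER_HISTORY, THREAD_HISTORY, TRUSTED))
    print(suspicious_rule_events(RULE_EVENTS, "example.org"))
```

The routine invoice message scores 0 and never reaches the behavioural checks, while the night-time bank-change request from the one-character-off domain collects every signal. The scorer deliberately gates on the presence of a sensitive request first, so the extra scrutiny lands on the workflows that can move money rather than on all mail.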

This is consistent with the broader direction of the NIST Cybersecurity Framework, which emphasizes detection and response in context, not just perimeter filtering. NHIMG coverage of the DeepSeek breach and the Shai Hulud npm malware campaign reinforces a broader point: attackers routinely exploit trust, exposed secrets, and workflow gaps rather than relying on obvious payloads. These controls break down when organisations let shared mailboxes, informal approval habits, or legacy vendor processes bypass the verification step, because social engineering then rides straight through the trusted path.

Common Variations and Edge Cases

Tighter verification often increases friction, so organisations have to balance fraud resistance against business speed. That tradeoff matters most where teams handle urgent payments, travel reimbursements, or customer-service exceptions, because heavy approval chains can create delays that users try to bypass. Current guidance suggests that not every mailbox needs the same level of scrutiny; best practice is evolving toward risk-based controls for the workflows that can move money or reset identities.

Some environments need extra care:

  • M&A, legal, and executive communications often involve unusual phrasing that can look suspicious even when legitimate.
  • Third-party vendors may use unfamiliar domains, so allowlisting alone is not enough.
  • Remote and hybrid organisations often rely on informal chat plus email, which weakens verification discipline.
  • Shared service desks need step-up checks because they are high-volume targets for impersonation.

The emerging pattern is to verify the request, not just the sender. That often means callback procedures, approved-contact directories, and protected change windows for sensitive requests. The NHI security confidence gap is a useful reminder that monitoring and accountability fail first when teams assume trusted workflows will self-police. There is no universal standard for text-only fraud detection yet, but the best programs combine behavioural signals, process controls, and human verification where the business impact is highest.
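The "verify the request, not just the sender" pattern above, as an added example that is not part of the original article: a Python routine that decides how a supplier-bank change must be confirmed, always taking the callback number from an approved-contact directory and never from the message, flagging when the message's own contact details disagree with the directory, and holding requests that arrive outside a protected change window. The directory layout, the change-window hours, the request fields and the sample requests are constructed assumptions, not details from the article.

```python
from dataclasses import dataclass
from datetime import datetime


# Constructed request model: what a finance or service-desk intake form captures.
@dataclass
class ChangeRequest:
    vendor_id: str
    requested_by: str          # address the request arrived from
    new_account: str           # bank detail the message asks to switch to
    callback_in_message: str   # phone number offered in the message, or ""
    received: datetime


# Approved-contact directory (assumed shape): populated from onboarding records
# and maintained out of band. Email content must never update it.
DIRECTORY = {
    "V-1001": {"domain": "acme-supplies.com", "callback": "+1-555-0100", "owner": "ap-team"},
}
# Protected change window (assumed policy): bank changes are processed only in these hours.
CHANGE_WINDOW = range(9, 16)


def plan_verification(req, directory=DIRECTORY, window=CHANGE_WINDOW):
    """Return how the request must be verified before anything is changed.

    action: "verify"   - call the directory number now, then proceed if confirmed
            "hold"     - outside the change window; verify at the next window
            "escalate" - no approved contact exists, so nobody can be called
    findings: the mismatches a reviewer should see before picking up the phone.
    """
    entry = directory.get(req.vendor_id)
    if entry is None:
        return {"action": "escalate", "callback": None,
                "findings": ["vendor not in approved-contact directory"]}
    findings = []
    sender_domain = req.requested_by.rsplit("@", 1)[-1].lower()
    if sender_domain != entry["domain"]:
        findings.append(f"request came from {sender_domain}, directory has {entry['domain']}")
    if req.callback_in_message and req.callback_in_message != entry["callback"]:
        findings.append("message supplies a callback number that differs from the directory")
    action = "verify" if req.received.hour in window else "hold"
    if action == "hold":
        findings.append("received outside the protected change window")
    # The number returned is always the directory's, regardless of what the message said.
    return {"action": action, "callback": entry["callback"], "findings": findings}


# Constructed sample requests.
SUSPECT = ChangeRequest("V-1001", "ap@acme-supplles.com", "NEW-ACCOUNT-PLACEHOLDER",
                        "+1-555-0199", datetime(2024, 3, 20, 22, 15))
NORMAL = ChangeRequest("V-1001", "ap@acme-supplies.com", "NEW-ACCOUNT-PLACEHOLDER",
                       "", datetime(2024, 3, 21, 10, 0))
UNKNOWN = ChangeRequest("V-9999", "billing@newvendor.test", "NEW-ACCOUNT-PLACEHOLDER",
                        "+1-555-0150", datetime(2024, 3, 21, 11, 0))

if __name__ == "__main__":
    for r in (SUSPECT, NORMAL, UNKNOWN):
        print(r.vendor_id, plan_verification(r))
```

Even the clean-looking request still gets a callback to the directory number; the findings list only changes what the reviewer is warned about, never whether the out-of-band step happens. That is the point of verifying the request rather than the sender: a convincing message earns no shortcut.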

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
NIST CSF 2.0                     DE.CM-1               Behavioural fraud detection depends on ongoing monitoring of email and workflow anomalies.
NIST CSF 2.0                     PR.AA-5               Sensitive request verification requires stronger authentication for account and payment changes.
OWASP Non-Human Identity Top 10  NHI-07                Trusted workflow abuse often follows exposed credentials and over-privileged access paths.

Reduce standing privilege and monitor privileged workflows that can be hijacked through email fraud.