TL;DR: Business email compromise has driven more than US$55 billion in attempted or actual losses across over 300,000 attacks since 2013, and attackers now combine compromised accounts, thread hijacking, and AI-generated social engineering to bypass content filters, according to Proofpoint. The problem is no longer email filtering alone, but trust, identity, and workflow abuse that conventional controls were never built to stop.
At a glance
What this is: This is an analysis of why business email compromise continues to succeed, with the key finding that BEC exploits trusted communication patterns, compromised accounts, and business process speed rather than malicious links or attachments.
Why it matters: It matters because IAM, PAM, and identity governance teams need controls that account for mailbox compromise, workflow trust, and verified approvals across human and non-human processes.
By the numbers:
- Since 2013, BEC has led to more than US$55 billion in attempted or actual losses worldwide across more than 300,000 attacks.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
👉 Read Proofpoint's analysis of business email compromise and identity abuse
Context
Business email compromise is a social engineering fraud pattern that uses legitimate-looking requests instead of malware to push payments, data sharing, or account changes. In this case, the core security failure is not message delivery but trust in communication context, especially when cloud email platforms and fast digital workflows reduce the time available to verify requests.
The identity angle is direct. BEC often depends on compromised mailboxes, hijacked threads, or impersonated vendors, which means email security, IAM, and account monitoring all become part of the same control problem. That makes BEC relevant to human identity governance, mailbox access, and the security of approvals that now happen inside collaboration platforms rather than on paper.
Key questions
Q: What breaks when business email compromise is not controlled at the identity layer?
A: When BEC is handled only as an email-filtering problem, attackers can still use compromised accounts, hijacked threads, and legitimate-looking requests to move money or extract data. The control failure is that the business trusts the message without independently trusting the identity, the workflow, or the transaction. That is why mailbox monitoring and approval verification matter.
Q: Why do compromised mailboxes create so much downstream risk?
A: Compromised mailboxes are dangerous because they already sit inside trusted workflows. An attacker can read resets, approve requests, impersonate the user, or pivot into vendor and finance processes without needing to defeat every control layer. That is why mailbox compromise often becomes a gateway to broader credential abuse and business email compromise rather than a single-account event.
Q: How do security teams know whether BEC controls are actually working?
A: Look for fewer successful fraudulent approvals, faster reporting of suspicious requests, and lower dependence on email content alone for decision-making. If users still complete sensitive actions without secondary validation, the control environment is not blocking the real attack path.
Q: Who is accountable when a BEC attack succeeds through a trusted mailbox?
A: Accountability sits across email security, identity governance, and the business process that approved the action. If the organisation allowed a payment or account change to proceed without secondary verification, the failure is not only technical. Teams need a defined owner for mailbox compromise response, workflow verification, and fraud escalation before the attack reaches completion.
Technical breakdown
Why BEC bypasses email filtering and DMARC
Business email compromise often succeeds because it avoids the indicators that secure email gateways and authentication protocols are designed to catch. There may be no malicious attachment, no obvious phishing link, and no domain spoofing if the attacker is using a legitimate or compromised account. DMARC, SPF, and DKIM help reduce impersonation at the domain layer, but they do not stop an attacker who has already entered a real mailbox or joined a real conversation thread. The attack is therefore contextual, not content-based, which is why sender reputation alone misses the threat.
Practical implication: extend detection beyond content checks to mailbox behaviour, conversation history, and abnormal request patterns.
How compromised email accounts become fraud infrastructure
When an attacker compromises a mailbox, the account becomes a trusted delivery channel for internal fraud. The attacker can read prior messages, learn naming conventions and payment workflows, and insert requests that appear routine to recipients. That is why BEC overlaps with email account compromise. The mailbox is not just a target, it is the operating position from which the attacker can monitor replies, alter instructions, and mimic the timing of normal business activity. In effect, identity compromise becomes a fraud platform inside the enterprise.
Practical implication: treat suspicious mailbox rules, unusual logins, and sending-pattern changes as possible fraud preconditions, not just IT anomalies.
Why business workflows are the real attack surface
BEC is effective because finance approvals, vendor changes, and executive requests have moved into fast digital workflows. Those workflows depend on people trusting that the message matches the business context, even when there is no independent verification step. Attackers exploit urgency, role expectation, and process fatigue. That means the operational control point is not only the inbox, but the approval path itself. If the process allows a payment or banking change to be actioned from a single email, then the business process has become the vulnerability.
Practical implication: add out-of-band verification and dual approval for payment, vendor, and account-detail changes.
Threat narrative
Attacker objective: The attacker wants to convert trusted business communication into unauthorised transfer, disclosure, or account-control action.
- Entry usually begins with account compromise, credential theft, or insertion into an existing email thread that already carries trust.
- Escalation happens when the attacker uses mailbox access, organisational context, and impersonation to shape a believable payment or data request.
- Impact is financial loss, sensitive data disclosure, or downstream compromise of related accounts and payment processes.
NHI Mgmt Group analysis
BEC is an identity abuse problem before it is an email problem. The article correctly shows that modern BEC succeeds when a trusted account, a trusted thread, or a trusted vendor relationship is reused against the business. That shifts the governance question toward identity assurance, mailbox access monitoring, and approval integrity rather than message filtering alone. Practitioners should treat BEC as part of identity governance, not just secure email.
Conversation hijacking is the named concept that security teams should watch for. BEC is no longer limited to spoofed messages that look fake at first glance. It increasingly relies on entering an existing communication path and then exploiting familiarity, timing, and routine. That makes the defence model less about blocklists and more about recognising when a real identity is being used to deliver an illegitimate request. Practitioners should instrument the conversation, not only the message.
Mailbox compromise and business process compromise now form a single attack path. Once the mailbox is trusted, the attacker can manipulate finance, HR, vendor, and executive workflows with minimal technical noise. That means controls such as separation of duties, dual approval, and transaction verification are now core security controls, not back-office preferences. Practitioners should reclassify these workflows as high-value identity and fraud controls.
Cloud email platforms widen the blast radius when identity hygiene is weak. Microsoft 365 and similar platforms centralise communication and make collaboration efficient, but they also concentrate trust in one environment. If account monitoring, conditional access, and anomaly detection are weak, a single compromised mailbox can touch multiple departments and vendors. Practitioners should align email governance with IAM and PAM rather than treating it as a standalone security domain.
Role-specific verification is the control gap BEC exposes most clearly. Generic awareness training does not stop executive impersonation or invoice fraud when the process allows fast execution without independent checks. The stronger model is role-aware verification tied to financial, vendor, and privileged workflows. Practitioners should make verification conditional on transaction type, not voluntary on user judgement.
What this signals
Conversation hijacking is becoming a control design problem, not just a fraud pattern. As collaboration platforms compress communication and payment workflows into the same environment, the practical boundary for security teams shifts from spam filtering to identity verification and transaction assurance. That means mailbox access telemetry, approval paths, and vendor-change processes now belong in the same governance conversation.
For programmes that already track privileged access, BEC should trigger a review of who can authorise exceptions, who can approve payments, and which identities can alter vendor details without secondary checks. The operational lesson is to make the request path auditable before the request is urgent. The most resilient controls are the ones that still work when the message looks routine.
For practitioners
- Map high-risk communication flows Identify the email-driven processes that can move money, change banking details, or release sensitive information without a second approval path. Focus first on finance, HR, procurement, and executive assistants, where trust-based requests are most likely to be actioned quickly.
- Harden mailbox and account monitoring Alert on suspicious inbox rules, impossible travel, unusual sending volume, and changes in conversation patterns that indicate account abuse. Tie those signals into identity monitoring so compromised mailboxes are treated as a governance issue, not only a messaging issue.
- Require out-of-band verification for payment changes Use dual approval and callback verification for bank detail updates, invoice exceptions, and urgent transfer requests. The control should not depend on recognising a fraudulent tone in the email itself, because successful BEC often looks routine.
- Use authentication as one layer, not the boundary Keep DMARC, SPF, and DKIM in place, but do not treat them as sufficient against compromised accounts or thread hijacking. Pair them with behavioural detection and mailbox-access controls so the organisation can catch attacks that arrive through trusted identities.
- Train users on impersonation and thread abuse Run role-specific scenarios for executive impersonation, vendor change fraud, and conversation hijacking. Training should teach staff what to verify, who to call, and which requests always require a second channel before action is taken.
Key takeaways
- Business email compromise succeeds by abusing trust, identity, and process speed, not by relying on obvious malware signals.
- Proofpoint cites more than US$55 billion in attempted or actual losses across over 300,000 BEC attacks since 2013, which shows the scale is already operational, not theoretical.
- The strongest defence is layered control over mailboxes, approvals, and verification paths, because email authentication alone does not stop compromised identities.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0009 , Collection; TA0040 , Impact | BEC often begins with mailbox access and ends in fraudulent transfer or data theft. |
| NIST CSF 2.0 | PR.AC-4 | BEC exploits weak trust boundaries around authenticated users and requests. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management matters when compromised accounts are used as the attack vector. |
| CIS Controls v8 | CIS-5 , Account Management | Account compromise and suspicious mailbox behaviour are central to BEC. |
| NIST AI RMF | GOVERN | AI-generated social engineering and agentic workflows raise governance expectations around identity and oversight. |
Map BEC detections to credential access, collection, and impact stages, then close gaps in mailbox monitoring and approvals.
Key terms
- Business email compromise: A form of social engineering where an attacker impersonates a trusted person or domain to manipulate payment, change banking details, or extract sensitive information. It often succeeds without malware because the attacker targets process trust and human judgement instead of technical controls.
- Conversation Hijacking: Conversation hijacking is the insertion of a fraudulent actor into an existing email thread so the request appears to continue a legitimate discussion. The attacker relies on prior message history, familiar tone, and trusted recipients to bypass human suspicion and complete the fraud path.
- Email Account Compromise: Email account compromise is the takeover of a legitimate mailbox, giving the attacker access to internal communications, contact lists, and message history. In BEC scenarios, it is especially dangerous because the attacker can send trusted messages from a real identity rather than an obvious spoof.
- Out-Of-Band Verification: A confirmation step that uses a different channel or method than the original request. It reduces the chance that a single spoofed email, voice call, or video session can authorize privileged activity or financial transfer.
What's in the full article
Proofpoint's full analysis covers the operational detail this post intentionally leaves for the source:
- How Proofpoint's detection logic separates normal business communication from abnormal request behaviour in cloud email platforms
- Examples of the behavioural signals used to identify compromised accounts, thread hijacking, and suspicious mailbox activity
- The role-specific training scenarios and verification patterns the source recommends for finance, HR, and executive workflows
- How the vendor positions API-based and secure email gateway deployment options for different environments
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management with a focus on practical enterprise control design. It helps security and identity practitioners align identity governance with the systems and workflows their programmes actually rely on.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org