By NHI Mgmt Group Editorial Team. Published 2026-06-26. Domain: Events. Source: Abnormal AI

TL;DR: Business email compromise produced $2.4 billion in losses last year and continues to outpace awareness programs and security tooling, according to Abnormal Security. Email impersonation still succeeds because trust, approval, and payment workflows remain easier to subvert than to harden.


At a glance

What this is: This is a webinar on why business email compromise keeps succeeding, and its central finding is that impersonation attacks continue to grow despite stronger tooling and awareness.

Why it matters: It matters to IAM practitioners because BEC exposes gaps across human identity controls, privileged approvals, and account recovery paths that fraudsters exploit without needing malware.

👉 Watch Abnormal AI's webinar on why business email compromise keeps succeeding


Context

Business email compromise is a form of impersonation fraud where attackers trick users into trusting a message, request, or payment that appears legitimate. For identity teams, the problem is not only email security. It is the weakness of human trust boundaries, approval chains, and account verification steps that sit around the mailbox and often remain outside IAM ownership.

This webinar frames BEC as a persistent, evolving threat rather than a solved phishing problem. That matters because attackers do not need to defeat every control, only the one workflow where a human can be persuaded to act before a stronger identity check occurs.


Key questions

Q: How should organisations reduce business email compromise risk without relying on awareness training alone?

A: Use awareness training as a support control, not the primary defence. Reduce risk by removing email-only approval paths, adding out-of-band verification for payments and account changes, and requiring documented callback procedures for high-risk requests. The strongest protection is process design that prevents one convincing message from completing a business action on its own.

Q: Why do business email compromise attacks still succeed in mature organisations?

A: They succeed because they target trust, routine, and urgency rather than technical weakness alone. Even mature organisations often leave payment approvals, vendor changes, and account recovery tied to email-visible identity signals. When a forged request can trigger action before a second check occurs, technical controls may be present but ineffective at the decision point.

Q: What breaks when executive impersonation is trusted inside normal workflows?

A: The break is not only fraud, but governance. Once staff accept an executive-looking message as sufficient authority, the organisation loses separation between identity verification and business execution. That can lead to unauthorized payments, changed banking details, and unsafe access resets. Identity teams should treat those workflows as control boundaries, not communications conveniences.

Q: Who should own BEC prevention when the attack spans email, IAM, and finance?

A: Ownership should be shared, but accountability must be explicit. Security teams own detection and control design, IAM owns identity verification steps, and finance or operations owns approval workflow enforcement. If no single team is responsible for the end-to-end request path, impersonation attacks will keep exploiting the gaps between functions.


Background and context

Why business email compromise survives stronger email controls

BEC remains effective because it exploits social trust rather than only technical compromise. Modern email filtering can reduce commodity phishing, but impersonation attacks adapt through lookalike domains, compromised accounts, reply-chain abuse, and timing that matches business processes. The attacker is not necessarily trying to break encryption or exploit a CVE. Instead, they create a message path that feels routine enough for a human to approve payment, disclose information, or reset access. Practical implication: security teams need controls that verify identity at the point of action, not only at the point of inbox delivery.

Practical implication: add verification steps for high-risk requests before payment, credential reset, or vendor-bank detail changes.

How identity workflows become BEC attack surface

BEC often succeeds where identity workflows assume the requester is already trusted. Shared inboxes, delegated mail access, help desk resets, and finance approvals create authority without strong transaction-level validation. Once an attacker can imitate a CEO, supplier, or internal approver, they may only need one weak process to move money or alter account details. This is why BEC sits at the intersection of IAM and fraud: the exploit is not just the message, but the identity context around the message. Practical implication: map which business actions can be completed based on email alone and remove those trust shortcuts.

Practical implication: identify email-only approval paths and replace them with out-of-band confirmation for sensitive requests.

Why awareness training alone does not stop impersonation attacks

Awareness helps, but it does not create reliable control. Attackers rely on urgency, authority, routine exceptions, and cross-functional ambiguity, all of which make people bypass caution even when they know the risk. That means training is necessary but insufficient unless it is backed by process design, ownership clarity, and least-privilege access around financial and administrative actions. Practical implication: measure whether the organisation can block or delay a suspicious request without depending on the employee to be perfectly vigilant.

Practical implication: test whether teams can stop a fraudulent request even when the user falls for the impersonation.


NHI Mgmt Group analysis

Business email compromise is an identity governance failure, not just a mail-security problem. The attack succeeds when organisations let identity proof collapse into message appearance, sender reputation, or internal familiarity. That is a control design flaw across IAM, finance approvals, and help desk workflows. Practitioners should treat any email-mediated business action as an identity decision, not a communications issue.

Human approval loops are still the softest control boundary in many enterprises. BEC thrives where a request can move from inbox to action without a second identity check. The weak point is often not the mailbox itself, but the approval path that follows it. Organisations that have hardened authentication but left payment and recovery workflows untouched have only moved the attack surface, not reduced it.

Impersonation risk spans human identity, privileged access, and lifecycle governance. If a finance user can approve a transfer, a help desk can reset access, or a supplier relationship can be modified based on an email request, the organisation has created standing trust in a dynamic threat environment. That standing trust is the real exposure. Practitioners should map where business authority is granted without fresh verification.

Email-only trust creates a fraud blast radius that IAM teams often inherit too late. Once an attacker can influence one operational decision, the consequences extend into payments, vendor master data, account recovery, and executive impersonation. The organisation then discovers that identity governance was not only about login security. Practitioners should quantify which business processes can be triggered by a forged identity signal.

Implicit trust in sender identity is the named concept this webinar points to. That trust model was designed for a slower, more static communication environment. It fails when attackers can continuously adapt their wording, timing, and delivery path to match the victim's working context. The implication is that identity teams must rethink which business decisions are allowed to proceed on trust alone.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
  • For a broader baseline on identity risk, see Ultimate Guide to NHIs, Key Challenges and Risks for the control gaps that make both machine and human impersonation easier to exploit.

What this signals

Implicit trust in sender identity is becoming a board-level fraud issue, not just an inbox issue. As organisations tighten authentication and still lose money to impersonation, the next step is to reduce how much business authority can be exercised from email alone. Teams should expect finance, HR, and IT workflows to face stronger verification expectations, especially where approval abuse can trigger direct loss.

The signal for IAM and identity governance teams is straightforward: controls built to prove who logged in are not enough when the real risk is who can make a request appear legitimate. That shifts attention from access grants to action authorisation, a gap that more identity programmes are starting to recognise.

The broader programme implication is that identity, fraud, and workflow governance need a shared control map. If the organisation cannot show where a request is independently verified, BEC remains a process-level vulnerability even when technical security tools are in place.


For practitioners

  • Remove email-only approval paths: Require out-of-band confirmation for payment changes, beneficiary updates, and privileged requests so a forged message cannot complete the transaction on its own.
  • Harden help desk verification: Treat password resets, MFA resets, and account recovery as high-risk identity events and verify requesters using independent channels and documented callback rules.
  • Map BEC-prone workflows: Identify every process that can be triggered by email, then rank them by financial impact, privilege exposure, and likelihood of social engineering.
  • Test human and process resilience: Run impersonation exercises against finance, HR, and IT teams to see whether controls stop fraudulent requests before any payment or access change occurs.
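One way to encode the first two practitioner items as an approval gate, added here as an illustration rather than code from the webinar or from NHI Mgmt Group. It enforces two rules the list implies: a confirmation on the same channel the request arrived on is not independent, and a callback only counts when it goes to the contact of record, never to a number supplied in the message. The vendor record, action names and phone numbers are constructed placeholders.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Channel(Enum):
    EMAIL = "email"                       # channel a forged request usually arrives on
    PHONE_CALLBACK = "phone_callback"     # documented callback to a number of record
    AUTH_PORTAL = "authenticated_portal"  # requester re-authenticates in a portal


# Constructed vendor master data: contact details held outside the mailbox,
# so an attacker who controls the email thread cannot rewrite them.
VENDOR_MASTER = {"acme-supplies": {"contact_phone": "+1-555-0100"}}

# Constructed list of actions that must never complete on email alone.
HIGH_RISK_ACTIONS = {"change_bank_details", "payment", "mfa_reset", "password_reset"}


@dataclass
class Request:
    vendor_id: str
    action: str
    origin_channel: Channel


@dataclass
class Verification:
    channel: Channel
    contact_used: Optional[str] = None  # number actually dialled for a callback


def approve(req: Request, checks: List[Verification]) -> Tuple[bool, str]:
    """Return (approved, reason). A high-risk action needs one verification
    that is independent of the channel the request came in on."""
    if req.action not in HIGH_RISK_ACTIONS:
        return True, "low-risk action: no extra check required"
    record = VENDOR_MASTER.get(req.vendor_id, {})
    for v in checks:
        if v.channel == req.origin_channel:
            continue  # a reply on the same thread proves nothing about the sender
        if v.channel == Channel.PHONE_CALLBACK:
            # Only a callback to the number of record counts; any number taken
            # from the message itself is attacker-supplied and is ignored.
            if v.contact_used and v.contact_used == record.get("contact_phone"):
                return True, "callback to contact of record"
            continue
        if v.channel == Channel.AUTH_PORTAL:
            return True, "requester re-authenticated in portal"
    return False, "no independent verification of requester"
```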

Key takeaways

  • Business email compromise persists because attackers exploit trust embedded in business workflows, not just weaknesses in the inbox.
  • The $2.4 billion loss figure shows that impersonation remains a material financial risk even as awareness and tooling improve.
  • The most effective response is to remove email-only authority from high-risk actions and verify requests through independent identity checks.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 | | BEC exploits weak identity proofing and recovery paths around human workflows.
NIST CSF 2.0 | PR.AC-1 | Access control includes who can approve, not just who can authenticate.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust requires continuous verification before sensitive actions, not only at sign-in.

Apply fresh verification to high-risk transactions and remove implicit trust from email-based requests.


Key terms

  • Business Email Compromise: Business email compromise is a form of impersonation fraud where attackers trick people or teams into approving payments, sharing information, or changing account details. The attack works by abusing trust in business relationships and communication patterns rather than by breaking encryption or exploiting software vulnerabilities.
  • Approval Workflow: An approval workflow is the sequence of checks that authorises a business action such as a payment, access reset, or vendor change. In identity security, the workflow is only effective when the requester and the request are verified independently of the message that initiated them.
  • Identity Verification: Identity verification is the process of confirming that a request truly comes from the person or role it claims to represent. For BEC defense, that means using independent validation steps such as callback procedures, shared-secret checks, or authenticated portals before any sensitive action proceeds.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: Business email compromise trends and webinar discussion. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org