TL;DR: Business email compromise is only 11% of attack volume but averages $123,005 per incident, according to the FBI IC3, and Abnormal AI’s 2026 Attack Landscape Report shows that internal impersonation and lateral compromise shift sharply as organisations grow. The data shows BEC risk is shaped less by volume than by identity structure and workflow credibility.
At a glance
What this is: This is an analysis of how business email compromise tactics change with organisation size, identity type, and internal trust, with the key finding that smaller and larger enterprises face very different impersonation patterns.
Why it matters: It matters because IAM, security awareness, and identity governance programmes must account for who is credible to impersonate inside each environment, not just block generic phishing.
By the numbers:
- Business email compromise represents roughly 11% of attacks by volume, but the average BEC incident costs a business $123,005, according to the FBI IC3.
- Employee impersonation is the most common internal impersonation tactic at 45.3%, while generic internal impersonation follows at 36.7%, according to Abnormal AI.
- Lateral BEC accounts for 23.2% of all BEC at large enterprises but only 0.24% at small organisations, according to Abnormal AI.
- VIP impersonation drops from 43% at small organisations to 7% at large enterprises, according to Abnormal AI.
👉 Read Abnormal AI’s 2026 Attack Landscape Report on BEC and internal impersonation
Context
Business email compromise is a trust problem, not just a message-filtering problem. Attackers choose identities that fit the target’s internal workflow, then shape the pretext so the request feels routine enough to avoid verification. In practice, that means the same fraud technique can look very different in a 100-person company and a 50,000-person enterprise.
For IAM and security teams, the relevant question is which identities are credible inside the organisation and which approval paths are easy to mimic. That makes BEC an identity governance issue as much as an email security issue, especially where executives, finance, IT, and shared service functions all depend on predictable communication patterns.
Key questions
Q: How should security teams reduce business email compromise in internal workflows?
A: Security teams should focus on the workflows attackers already mirror: payment approvals, credential resets, HR notices, and access requests. Add out-of-band verification for high-risk actions, segment controls by function, and test whether internal messages can still complete a business process without a second check. That is where BEC usually succeeds.
Q: Why does business email compromise look different in large enterprises?
A: Large enterprises have more internal identities, more message volume, and more formal processes, so attackers move away from executive impersonation toward employee impersonation and compromised accounts. The credibility target changes with scale. Security teams should tune defences to the identities that are believable inside each operating model.
Q: What breaks when a compromised internal mailbox is used for fraud?
A: The normal trust model breaks. Authentication, sender familiarity, and routine inbox handling all start to work for the attacker, because the message comes from a legitimate internal account. Security teams should treat compromised mailboxes as identity incidents with fraud exposure, not as simple phishing events.
Q: Who should own controls for internal impersonation BEC?
A: Ownership should sit across identity, security operations, and the business functions that approve money, access, or sensitive requests. Finance and IT are especially important because attackers mirror their workflows. If those teams do not define and test escalation paths, the organisation leaves fraud decisions to the inbox.
Technical breakdown
How internal impersonation BEC uses workflow credibility
Internal impersonation BEC works because the attacker copies a message pattern the recipient already expects. Rather than brute-forcing a login, the attacker borrows the authority of a named employee, a department, or a function such as IT or HR. The message usually contains a small request with a plausible deadline, enough context to bypass caution, and just enough internal language to appear routine. The technical point is not the email itself, but the alignment between sender identity, recipient role, and workflow timing. That is why helpdesk resets, payroll notices, and access requests are such durable pretexts: they sit inside legitimate operating patterns and exploit trust in normal business processes.
Practical implication: verify whether your approval workflows create reusable social-engineering templates.
Why enterprise scale changes impersonation strategy
As organisations grow, the attack surface changes from personal familiarity to process familiarity. In smaller companies, executives are visible and often accessible, so VIP impersonation can work because the sender seems personally known. In larger enterprises, that tactic loses power as communication becomes more formal, so attackers shift toward employee impersonation and lateral compromise. The decisive factor is not seniority alone, but the plausibility of the message inside the recipient’s operating environment. This is why BEC is not a single tactic. It is a set of identity-driven pretexts that adapt to how authority, escalation, and approvals actually move through the organisation.
Practical implication: map which identity roles become most believable as your organisation scales.
How compromised internal accounts change the BEC equation
Lateral BEC is different from impersonation because the attacker no longer needs to fake trust. A real internal account sends the message, so authentication, sender reputation, and ordinary inbox heuristics work in the attacker’s favour. At that point the issue becomes identity compromise, not merely deception. The report’s size-based pattern shows why this matters: large organisations have more accounts, more internal message volume, and more interconnected departments, which increases both the probability of compromise and the value of each compromised mailbox. Once inside, an attacker can reach many recipients with far less friction than an external sender ever could.
Practical implication: treat mailbox compromise as an identity problem with downstream fraud impact.
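The point above is that a compromised internal mailbox passes every authentication check, so detection has to move to behaviour. The following is an added example written for this page, not code from Abnormal AI or the report: a small scorer that reads constructed mailbox audit events and a constructed message trace, ignores SPF/DKIM/DMARC results on purpose, and escalates a sender on behavioural signals (an inbox rule that hides finance traffic, a high-risk request aimed at a finance or IT function mailbox, no prior relationship with the recipient). The record schema, the account names and the weights are assumptions chosen for the example.

```python
"""Lateral BEC detector over constructed audit and mail-trace records.

Added example for this article; it is not code from Abnormal AI or the
report. The record schema (field names such as "InboxRuleCreated" and
"prior_messages_to_recipient") is an assumption chosen for the example and
would be mapped from whatever the mail platform actually logs.
"""
import re
from collections import defaultdict

# Workflows the article says attackers mirror: payment changes, credential
# resets, access requests.
HIGH_RISK = re.compile(
    r"\b(bank(?:ing)?|remittance|wire|payment|invoice|reset|mfa|password|access)\b",
    re.IGNORECASE,
)
# Subset used to spot inbox rules that hide finance traffic from the real owner.
FINANCIAL = re.compile(r"\b(bank(?:ing)?|remittance|wire|payment|invoice)\b", re.IGNORECASE)

# Function mailboxes whose inbound requests can move money or change access.
FUNCTION_MAILBOXES = {
    "ap-team@corp.example": "finance",
    "helpdesk@corp.example": "it",
}
FLAG_THRESHOLD = 4

# Constructed sample data (hypothetical accounts and events).
AUDIT_EVENTS = [
    {"ts": 1, "actor": "j.doe@corp.example", "action": "InboxRuleCreated",
     "rule": {"if_subject": "invoice|payment|wire", "then": "delete"}},
    {"ts": 2, "actor": "a.lee@corp.example", "action": "InboxRuleCreated",
     "rule": {"if_subject": "newsletter", "then": "move:Archive"}},
]
MESSAGES = [
    # Every message below passes SPF/DKIM/DMARC: it really did leave an
    # internal mailbox, so authentication cannot separate the three senders.
    {"ts": 3, "from": "j.doe@corp.example", "to": "ap-team@corp.example",
     "subject": "Updated banking details for vendor 1042",
     "body": "Please update the remittance account before Friday's run.",
     "auth": {"spf": "pass", "dkim": "pass", "dmarc": "pass"},
     "prior_messages_to_recipient": 0},
    {"ts": 4, "from": "a.lee@corp.example", "to": "ap-team@corp.example",
     "subject": "Q3 expense report attached",
     "body": "Expenses as discussed on the call.",
     "auth": {"spf": "pass", "dkim": "pass", "dmarc": "pass"},
     "prior_messages_to_recipient": 14},
    {"ts": 5, "from": "m.kim@corp.example", "to": "helpdesk@corp.example",
     "subject": "Urgent: reset my MFA, phone lost",
     "body": "My phone was stolen, please reset MFA today.",
     "auth": {"spf": "pass", "dkim": "pass", "dmarc": "pass"},
     "prior_messages_to_recipient": 2},
]


def _hides_mail(rule):
    """True if a rule deletes or files away messages so the owner will not see them."""
    action = rule["then"]
    return action == "delete" or action.startswith("move:")


def score_mailboxes(audit_events, messages):
    """Return {sender: {"score": int, "reasons": [...]}} from behavioural signals only."""
    scores = defaultdict(lambda: {"score": 0, "reasons": []})

    # Signal 1 (+3): an inbox rule that hides finance-related replies or bounces.
    # Attackers create these so the mailbox owner never notices the fraud thread.
    for ev in audit_events:
        if (ev["action"] == "InboxRuleCreated" and _hides_mail(ev["rule"])
                and FINANCIAL.search(ev["rule"]["if_subject"])):
            entry = scores[ev["actor"]]
            entry["score"] += 3
            entry["reasons"].append("inbox rule hides finance-related mail")

    for msg in messages:
        entry = scores[msg["from"]]
        # Authentication results are read but carry no weight: a compromised
        # internal account passes SPF, DKIM and DMARC by design.
        entry["auth_passed"] = all(msg["auth"].get(k) == "pass"
                                   for k in ("spf", "dkim", "dmarc"))

        # Signal 2 (+2): a high-risk request aimed at a money- or access-moving function.
        function = FUNCTION_MAILBOXES.get(msg["to"])
        if function and HIGH_RISK.search(f"{msg['subject']} {msg['body']}"):
            entry["score"] += 2
            entry["reasons"].append(f"high-risk request to {function} mailbox")

        # Signal 3 (+1): no prior relationship between sender and recipient.
        if msg["prior_messages_to_recipient"] == 0:
            entry["score"] += 1
            entry["reasons"].append("first-ever message to this recipient")
    return dict(scores)


def flagged_senders(audit_events, messages, threshold=FLAG_THRESHOLD):
    """Senders whose combined score warrants an identity incident, not a spam verdict."""
    return sorted(s for s, v in score_mailboxes(audit_events, messages).items()
                  if v["score"] >= threshold)


if __name__ == "__main__":
    for sender, verdict in score_mailboxes(AUDIT_EVENTS, MESSAGES).items():
        print(sender, verdict)
    print("escalate:", flagged_senders(AUDIT_EVENTS, MESSAGES))
```

Only j.doe crosses the threshold, and nothing in that verdict came from the message headers: the hiding rule plus a first-contact payment-change request to accounts payable is the combination worth routing to identity incident response, while the MFA-reset request to the helpdesk scores as a review item rather than an incident. The constructed weights are illustrative; the design point is that every signal is about account behaviour and workflow fit, because sender authentication is exactly what a real compromised mailbox satisfies.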
Threat narrative
Attacker objective: The attacker wants a trusted internal request to trigger a business action, credential handoff, or payment without second-stage verification.
- Entry occurs when attackers use a believable internal identity, such as a colleague, IT function, or executive persona, to get a recipient to act on a request without verification.
- Escalation happens when the attack shifts from impersonation to compromised internal access, allowing the sender to inherit trust from a legitimate mailbox and bypass normal suspicion.
- Impact is realised when the fraudulent request triggers payment, credential disclosure, or workflow manipulation inside finance, IT, or executive channels.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Business email compromise is an identity governance failure disguised as messaging fraud. The report shows that attackers do not need a universal playbook when the organisation itself provides the credibility model. They choose the identity that is most believable in context, which means the real control problem is not email volume but who can convincingly speak for whom. For practitioners, BEC belongs in the same governance conversation as access, delegation, and privileged communications.
Named identity impersonation scales down, while workflow impersonation scales up. The report’s shift from VIP impersonation in smaller firms to employee impersonation in larger ones shows that authority signals change with organisational complexity. In small organisations, the executive role is still personally legible. In larger ones, the stronger signal is a believable peer, department, or service function. Practitioners should interpret that as evidence that awareness programmes age quickly unless they are anchored to actual communication paths.
Lateral BEC is a standing access problem, not a phishing problem. Once a mailbox is compromised, the attacker inherits trusted distribution paths, internal credibility, and routine communication cover. That is why the enterprise-end spike matters: it reflects accumulated identity surface, interconnected workflows, and the absence of enough friction between a compromised account and downstream authority. For practitioners, mailbox compromise should be managed as a privileged identity event, not an isolated email incident.
Internal trust is now a measurable attack surface, not a soft control concern. The data around IT and finance recipients shows that lures succeed when they mirror real work, not when they are technically sophisticated. That means the programme question is which internal requests can be safely assumed to be genuine, and which should require explicit confirmation. For practitioners, trust calibration must be designed per function, not rolled out as a single corporate slogan.
Workflow-aligned fraud deserves its own named concept: identity credibility drift. As organisations grow, the identities that feel most authentic to recipients shift from executives to peers, functions, and ultimately compromised accounts. That drift changes which controls matter, because the problem is no longer only message authenticity but whether the organisation’s own operating model makes fraud look normal. For practitioners, fraud defence has to be aligned to identity behaviour, not just mail hygiene.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most environments still lack a complete picture of non-human identity exposure.
- That visibility gap is one reason to review 52 NHI Breaches Analysis for the control failures that turn identity exposure into real incidents.
What this signals
Identity credibility drift: as organisations scale, the most believable impersonation target moves from visible executives to peers, functions, and compromised internal accounts. That means the fraud programme has to evolve by function, not just by threat label, and the internal request paths that look ordinary today may be tomorrow’s highest-yield pretexts.
The practical signal for IAM and security teams is that mailbox compromise and workflow impersonation should be reviewed together. Internal mail, approval chains, and privilege requests now form a single attack surface, so response plans need to tie fraud detection to identity signals rather than treating email and IAM as separate programmes.
For teams building resilience, the key question is whether the current control set still matches how authority is actually used. If an internal request can still move money, reset access, or trigger operational change without a second confirmation step, the organisation is still trusting the inbox more than the identity.
For practitioners
- Map the identities most likely to be impersonated: Identify which roles, functions, and named individuals are most credible to each recipient group, then tune verification rules for finance, IT, HR, and executive workflows accordingly.
- Add out-of-band checks to routine approval paths: Require a separate confirmation step for payment changes, credential resets, access requests, and vendor payment instructions so a believable inbox message cannot complete the workflow alone.
- Treat mailbox compromise as privileged identity risk: Escalate compromised internal accounts into incident response and identity review workflows, because authenticated internal mail can drive fraud faster than external phishing.
- Segment communication controls by organisational function: Use stricter controls for finance, IT, and executive communications where internal lures are most believable, and test those controls against current workflow patterns rather than generic phishing templates.
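The out-of-band check recommended in the Key questions answer and in the practitioner list above is easy to state and easy to get subtly wrong. The following is an added example written for this page, not code from the report or any product: a minimal approval gate for a vendor payment-detail change that refuses to complete unless the confirmation came over a different channel from the request, reached the vendor through contact details already on file rather than details supplied in the message, and was performed by someone other than the requester, with a third person approving. The channel names, the vendor-master lookup and the account identifiers are assumptions made for the example.

```python
"""Out-of-band approval gate for a vendor payment-detail change.

Added example for this article, not code from the report or any named
product. The channel names, the vendor-master lookup and the account
identifiers are assumptions made for the example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Channel(Enum):
    EMAIL = "email"
    PHONE_ON_FILE = "phone_on_file"   # callback to the number held in the vendor master
    TICKET = "ticket"                 # authenticated session in the ticketing system
    IN_PERSON = "in_person"


class State(Enum):
    PENDING = "pending"
    VERIFIED = "verified"
    APPROVED = "approved"


class WorkflowError(Exception):
    """Raised when a step would let an inbox message complete the workflow alone."""


# Constructed record of truth: contact details already on file, never taken
# from the request itself.
VENDOR_MASTER = {"1042": {"callback_phone": "+44 20 7946 0000", "account": "GB00OLD"}}


@dataclass
class PaymentDetailChange:
    requester: str
    request_channel: Channel
    vendor_id: str
    new_account: str
    state: State = State.PENDING
    verified_by: Optional[str] = None
    log: list = field(default_factory=list)

    def record_verification(self, verifier: str, channel: Channel, contact_source: str) -> None:
        """Confirm the request on a second channel using contact details on file."""
        if channel == Channel.EMAIL or channel == self.request_channel:
            raise WorkflowError("confirmation must use a channel other than the request channel")
        if verifier == self.requester:
            raise WorkflowError("requester cannot verify their own request")
        if contact_source != "vendor_master" or self.vendor_id not in VENDOR_MASTER:
            raise WorkflowError("callback must use details on file, not details in the message")
        self.verified_by = verifier
        self.state = State.VERIFIED
        self.log.append(f"verified by {verifier} via {channel.value}")

    def approve(self, approver: str) -> State:
        """Release the change; refused unless verification happened and duties are separated."""
        if self.state is not State.VERIFIED:
            raise WorkflowError("cannot approve without out-of-band verification")
        if approver in (self.requester, self.verified_by):
            raise WorkflowError("approver must differ from requester and verifier")
        self.state = State.APPROVED
        self.log.append(f"approved by {approver}")
        return self.state


def run_demo() -> list:
    """Walk a request that arrived by (authenticated, internal) email through the gate."""
    outcomes = []
    req = PaymentDetailChange("j.doe@corp.example", Channel.EMAIL, "1042", "GB00NEW")

    # 1. A believable inbox message alone cannot complete the change.
    try:
        req.approve("cfo@corp.example")
    except WorkflowError as e:
        outcomes.append(f"blocked: {e}")

    # 2. Replying on the same email thread is not out-of-band.
    try:
        req.record_verification("ap.clerk@corp.example", Channel.EMAIL, "vendor_master")
    except WorkflowError as e:
        outcomes.append(f"blocked: {e}")

    # 3. Calling the number printed in the suspicious email just reaches the attacker.
    try:
        req.record_verification("ap.clerk@corp.example", Channel.PHONE_ON_FILE, "email_body")
    except WorkflowError as e:
        outcomes.append(f"blocked: {e}")

    # 4. Callback to the number on file, by someone other than the requester, then approval.
    req.record_verification("ap.clerk@corp.example", Channel.PHONE_ON_FILE, "vendor_master")
    outcomes.append(f"state: {req.approve('ap.manager@corp.example').value}")
    return outcomes


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The three refusals are the ones that matter in practice: an approver acting on the email alone, a "confirmation" that is just a reply on the same thread, and a callback to a phone number the message itself supplied. Each is a way a compromised or impersonated mailbox completes the workflow without any second identity being involved, and each should be impossible in the tooling rather than discouraged in a policy.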
Key takeaways
- Business email compromise is low volume but high cost, which makes credibility and workflow fit more important than sheer message count.
- The impersonation pattern changes with scale, moving from VIP lures in smaller firms to employee impersonation and lateral compromise in larger ones.
- The strongest defensive move is to break the link between a believable internal message and a completed business action.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01, PR.AA-05 (Identity Management, Authentication, and Access Control) | Internal impersonation and lateral BEC succeed when identity trust is misused to drive access-related and payment workflows; managing credentials and entitlements is the governing control. |
| NIST CSF 2.0 | DE.CM-03 (Continuous Monitoring: personnel activity and technology usage) | A compromised internal mailbox is found through monitoring of account behaviour such as inbox rules and sending patterns, not through sender authentication, which a real account passes. |
| NIST SP 800-63B | Authenticator lifecycle and account recovery | Helpdesk reset and re-enrolment pretexts target the recovery path; identity proofing and authentication cues are what named-identity impersonation exploits. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust | Zero trust rejects implicit trust based on network location or origin; an internal sender is not a trusted sender, and sensitive requests require per-request verification. |
Apply continuous verification to sensitive internal requests, even when they originate inside the organisation.
Key terms
- Business Email Compromise: Business Email Compromise is fraud that uses email to persuade a recipient to take an action that benefits the attacker. The message may impersonate a colleague, executive, or internal function, but the real objective is to exploit organisational trust and trigger payment, credential disclosure, or operational change.
- Named Identity Impersonation: Named Identity Impersonation is a BEC pattern where the attacker pretends to be a specific person inside the organisation. It works by borrowing trust from a known individual, usually a colleague or executive, and aligning the message with a role the recipient already recognises as credible.
- Lateral BEC: Lateral BEC is business email compromise sent from a compromised internal account rather than a fake identity. Because the email comes from a real mailbox, it inherits authentication and familiarity signals, which makes it harder to detect and more likely to succeed inside larger, interconnected organisations.
- Workflow Credibility: Workflow credibility is the degree to which a request matches how a team actually works. In BEC, attackers exploit this by copying the timing, wording, and approval pattern of legitimate internal communication, so the message feels routine enough that the recipient acts without secondary verification.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: 2026 Attack Landscape Report findings on business email compromise and internal impersonation. Read the original.
Published by the NHIMG editorial team on 2026-04-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org