TL;DR: Cybercrime losses exceeded $10 billion in 2022, with investment fraud leading and business email compromise close behind, while AI is expected to push losses higher in the short term, according to Abnormal AI’s webinar briefing and Secret Service predictions. The signal for identity teams is that email compromise is now an identity and trust problem, not just a messaging problem.
At a glance
What this is: This on-demand webinar frames the 2024 cybercrime outlook around fraud losses, BEC, and the likelihood that AI will amplify both.
Why it matters: It matters because email-driven fraud now intersects with human identity, account trust, and access governance, which means IAM, security, and fraud teams need a shared operating model.
By the numbers:
- Cybercrime losses reached more than $10 billion in 2022.
Context
Cybercrime loss forecasting is increasingly an identity and trust issue because attackers do not need to break perimeter controls when they can manipulate human decision-making, hijack email workflows, and impersonate trusted parties. In this webinar, the primary risk area is business email compromise and investment fraud, with AI presented as an accelerant rather than a separate problem.
For IAM and security teams, the relevant question is not whether fraud exists, but where identity assurance breaks down across inboxes, approvals, payment flows, and account recovery paths. That makes this topic relevant to human identity governance, privileged workflow oversight, and the controls that limit how much damage a single compromised account can cause.
Key questions
Q: How should security teams reduce the risk of business email compromise?
A: Security teams should reduce BEC risk by tightening the business processes that email can trigger. That means out-of-band verification for payment changes, stronger identity checks on account recovery, and logging that connects email events to downstream approvals. The goal is to stop trusted communication from becoming automatic authority.
Q: Why does AI make fraud and BEC harder to stop?
A: AI makes fraud harder to stop because it improves message quality, scales personalisation, and reduces the obvious errors that once exposed scams. Defenders must look beyond wording and focus on abnormal request patterns, identity context, and transaction validation before action is taken.
Q: What do organisations get wrong about email-based fraud?
A: Organisations often treat email fraud as a messaging problem when it is really a trust and workflow problem. The attacker is exploiting how people and systems authorise change, not just how messages are delivered. Strong filtering helps, but it cannot replace validation at the point of decision.
Q: Who should own BEC risk across IAM and finance?
A: BEC risk should be owned jointly by IAM, security operations, and finance because the attack chain crosses all three. IAM controls trust, security detects anomalies, and finance controls the final transfer or exception. Shared ownership is the only realistic way to close the handoff gaps.
Background and context
How BEC turns trusted email into a control bypass
Business email compromise works because the attacker does not need to defeat authentication if they can hijack trust after authentication. The malicious message may arrive from a compromised mailbox, a lookalike domain, or a socially engineered thread that already contains payment context. Once the recipient accepts the message as legitimate, the attacker can redirect invoices, alter bank details, or push an urgent transfer request without triggering classic malware controls. The core failure is trust delegation, not just inbox delivery.
Practical implication: review approval paths that rely on email alone and add out-of-band verification for payment, vendor, and account-change requests.
Why AI increases fraud throughput and persuasion quality
AI changes fraud economics by making deception cheaper, faster, and more personalised. Attackers can generate cleaner lures, emulate tone, localise language, and scale message variation without the obvious errors that once exposed phishing campaigns. That does not make every attack autonomous, but it does mean the attacker can run more believable social-engineering loops at volume. In practical terms, the defensive challenge shifts from spotting poor wording to detecting intent, context abuse, and abnormal request patterns across identities and workflows.
Practical implication: treat AI-assisted fraud as a trust-quality problem and correlate communication anomalies with identity and transaction signals.
Why investment fraud and BEC now overlap operationally
Investment fraud and BEC increasingly share the same execution infrastructure because both rely on manipulating a legitimate human decision under time pressure. One may target a transfer, the other a policy exception or a vendor update, but the common mechanism is the abuse of business process authority. That means identity controls alone are not enough if the surrounding workflow still allows a single convincing message to initiate irreversible action. The boundary between fraud detection and identity governance is now much thinner.
Practical implication: map the business processes where one email can trigger financial or privileged action and harden those pathways first.
NHI Mgmt Group analysis
BEC is now an identity assurance failure, not just an email threat. The important shift is that the attacker wins after authentication, by steering a trusted human into taking the wrong action. That places the problem squarely inside human identity governance, privileged workflow control, and account recovery design. Practitioners should treat inbox trust as part of the identity plane, not a separate communications issue.
AI lowers the cost of high-conviction fraud. The article’s AI warning matters because it explains why fraudulent outreach will become more consistent, more contextual, and harder to dismiss on visual or linguistic cues alone. That does not automatically create autonomous attacks, but it does increase the throughput of human-targeted deception. Security programmes need to assume persuasion at scale, not just malicious payloads.
Investment fraud and BEC share the same business-process exploit. Both rely on a legitimate actor being induced to execute a high-risk action under apparently normal conditions. That is why the relevant control gap is not only message filtering, but business rule validation around payments, vendor changes, and authorisation exceptions. Practitioners should focus on the decision points where identity trust turns into financial authority.
Fraud prevention now sits between IAM, security operations, and finance controls. The most effective response is cross-functional governance because the abuse path crosses domains. Human identity, email trust, and transaction approval all contribute to the final outcome, so one team cannot own the full risk alone. Practitioners should align identity assurance with payment and exception handling before attackers exploit the seams.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%, according to The State of Non-Human Identity Security.
- For a broader governance lens, see Top 10 NHI Issues for the control gaps that most often turn identity trust into operational exposure.
What this signals
Fraud governance is converging with identity governance. When email is the primary trigger for financial action, IAM teams cannot treat it as a separate channel. The practical response is to connect human identity assurance, approval workflow design, and exception handling so a convincing message does not become a privileged act.
Identity teams should expect more persuasive abuse, not just more volume. The important change is not only scale, but quality of deception. That raises the value of cross-signal detection, where mailbox context, user behaviour, and business process state are judged together before action is allowed.
With only 1.5 out of 10 organisations highly confident in securing NHIs, the broader lesson is that identity programmes still struggle to measure trust reliably. That weak measurement problem extends into human workflows whenever an email can trigger a high-impact decision.
For practitioners
- Harden email-to-payment approval paths: require out-of-band confirmation for new vendor banking details, urgent transfers, and exception approvals that originate in email threads.
- Correlate identity and transaction signals: join mailbox telemetry, sign-in context, and payment workflow logs so suspicious requests can be assessed in the same investigation path.
- Review account recovery and help-desk controls: block recovery flows that accept email-only trust signals and add stronger verification for sensitive account changes.
- Test fraud scenarios with finance and IAM teams: run tabletop exercises that trace a fake invoice, vendor change, or executive request from inbox to payment or privileged approval.
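The correlation the two middle items describe, as an added example rather than code from the webinar or from NHI Mgmt Group: three constructed event streams (inbound mail, sign-ins, payment workflow) are joined on user and vendor inside a time window, and a vendor bank-detail change that followed an email and never received out-of-band verification is surfaced with all three signals attached. Field names, the vendor allow-list and the sample records are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events from three log sources (assumed field names).
MAILBOX = [{"ts": "2024-03-04T09:02:00", "user": "ap.clerk", "vendor": "ACME",
            "subject": "Updated remittance details",
            "sender_domain": "acme-corp-invoices.com"}]
SIGNINS = [{"ts": "2024-03-04T08:55:00", "user": "ap.clerk", "country": "DE", "mfa": True}]
PAYMENTS = [{"ts": "2024-03-04T09:40:00", "user": "ap.clerk", "vendor": "ACME",
             "action": "bank_details_changed", "oob_verified": False},
            {"ts": "2024-03-04T10:10:00", "user": "ap.clerk", "vendor": "ACME",
             "action": "transfer_approved", "amount": 48000}]
KNOWN_VENDOR_DOMAINS = {"ACME": {"acme.com"}}  # constructed vendor-master allow-list


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(mailbox, signins, payments, window=timedelta(hours=24)):
    """One finding per unverified bank-detail change that an inbound email about
    the same vendor preceded within the window; the acting user's sign-in
    context and any later workflow actions on that vendor are attached."""
    findings = []
    for pay in payments:
        if pay["action"] != "bank_details_changed" or pay.get("oob_verified"):
            continue  # verified changes are the intended path, not a finding
        t = parse(pay["ts"])
        trigger = [m for m in mailbox if m["user"] == pay["user"]
                   and m["vendor"] == pay["vendor"]
                   and timedelta(0) <= t - parse(m["ts"]) <= window]
        if not trigger:
            continue
        reasons = ["bank-detail change without out-of-band verification",
                   "change preceded by inbound email about the same vendor"]
        for m in trigger:  # email from outside the vendor's known domains
            if m["sender_domain"] not in KNOWN_VENDOR_DOMAINS.get(pay["vendor"], set()):
                reasons.append(f"sender domain {m['sender_domain']} not on vendor allow-list")
        ctx = [s for s in signins if s["user"] == pay["user"]
               and timedelta(0) <= t - parse(s["ts"]) <= window]
        downstream = [p["action"] for p in payments
                      if p["vendor"] == pay["vendor"] and parse(p["ts"]) > t]
        findings.append({"user": pay["user"], "vendor": pay["vendor"],
                         "reasons": reasons, "signins": ctx, "downstream": downstream})
    return findings


if __name__ == "__main__":
    for finding in correlate(MAILBOX, SIGNINS, PAYMENTS):
        print(finding)
```

The same join works on exported mailbox, IdP and ERP logs once the field names are mapped; the finding is the investigation record an analyst would open rather than a block decision.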
Key takeaways
- Cybercrime losses, BEC, and AI together point to a fraud model that exploits trust after authentication, not before it.
- The scale signal is clear: losses exceeded $10 billion in 2022, and the article warns that AI will worsen the short-term outlook.
- The right response is to harden decision points where email can become authority, especially payment, recovery, and exception workflows.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | BEC exploits weak trust and access validation in business workflows. |
| NIST SP 800-63 | IAL3 | Fraud risk rises when account recovery and trust checks are weak. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust limits automatic trust in email-driven requests and sign-ins. |
Tighten identity verification and approval controls where email can trigger financial or privileged action.
Key terms
- Business Email Compromise: Business Email Compromise is a fraud pattern where attackers use trusted email communication to induce payments, account changes, or disclosure of sensitive information. The technical risk is not the inbox itself, but the way business processes accept email as evidence of authority.
- Identity Assurance: Identity assurance is the confidence that a person, account, or workflow is genuinely entitled to perform an action. In fraud-heavy environments, assurance must extend beyond login to the decision point, because attackers often exploit the handoff between authentication and business approval.
- Trust Delegation: Trust delegation is the practice of allowing one communication, role, or system event to authorise another action. It becomes risky when the delegated trust is assumed rather than verified, especially in payment, recovery, or exception workflows that attackers can manipulate.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: Pig Butchering, BEC, and More: Cybercrime Predictions for 2024. Read the original.
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org