TL;DR: Exposed losses from business email compromise reached $44 billion over five years, the average data breach cost hit $9.44 million, and phishing attacks rose 35% last year, according to Abnormal AI. The underlying problem is not that prevention failed once, but that many security programmes still assume attackers are static while the threat landscape keeps changing.
At a glance
What this is: This on-demand webinar argues that cybersecurity assumptions are lagging behind attacker behaviour, with large losses and rising phishing volumes used to show why prevention alone is not enough.
Why it matters: IAM, NHI, and human identity teams all need controls that account for continuous attack adaptation, because static trust models can leave email, credentials, and access paths exposed.
By the numbers:
- $44 billion in exposed losses to business email compromise over the past five years.
- $9.44 million average cost of a data breach.
- 35% increase in phishing attacks last year.
👉 Watch Abnormal AI's webinar on changing cyber threats and security myths
Context
Cybersecurity teams rarely fail because they have no controls. They fail when they assume those controls make the environment impenetrable, while attackers keep adapting their entry points, lures, and abuse paths. For IAM programmes, that assumption breaks across human identity, privileged access, and non-human identities alike, because exposure is often created long before a breach is detected.
This webinar frames the problem as a governance gap rather than a tooling gap. The immediate lesson for identity teams is that resilience depends on continuously testing assumptions about trust, user behaviour, and attacker persistence, not on declaring the environment safe after one layer of defence is in place.
Key questions
Q: How should security teams reduce business email compromise risk in high-trust workflows?
A: Start by identifying workflows where an email alone can trigger payments, account changes, or data movement. Add secondary verification, separate approval channels, and monitoring for mailbox takeover signals such as forwarding-rule changes or unusual login patterns. The goal is to stop trust from inheriting automatically from the message into the transaction.
Q: Why do phishing attacks still succeed in well-defended environments?
A: They succeed because many environments protect the mailbox but not the business process behind it. Attackers only need one trust decision to stick, then they can exploit people, delegated approvals, or automation that accepts the email as proof of intent.
Q: What breaks when organisations assume security tools make them impenetrable?
A: What breaks is the ability to see how attackers adapt around controls. Static prevention can reduce volume, but it does not remove impersonation, social engineering, or compromised-session risk. Once a control is treated as complete protection, identity and workflow abuse often go unchallenged.
Q: Who should own response when email-based fraud crosses into identity abuse?
A: Ownership should sit with security, IAM, fraud, and business process leaders together. Email compromise becomes an identity issue when the attacker uses trusted access to change accounts, approve actions, or move laterally. That requires joint containment and a shared incident path.
Background and context
Why prevention-only security models break under adaptive phishing
Prevention controls are designed to block known bad patterns, but phishing campaigns evolve around filters, impersonation cues, and user workflows. Once attackers can change message content, sender identity, or delivery channel, the control boundary shifts from blocking all malicious mail to reducing dwell time and limiting what a compromised account can reach. That is why phishing is as much an identity problem as a messaging problem: the attacker is trying to convert a human trust decision into account access, privilege escalation, or lateral movement.
Practical implication: pair mail controls with identity-centric detection that watches for account takeover and abnormal access after a lure lands.
Business email compromise as an access governance failure
Business email compromise succeeds when an attacker can impersonate a trusted person or intercept a workflow that authorises payment, data transfer, or account changes. The technical issue is not only email compromise, but the absence of strong verification on high-risk actions. In identity terms, that means privilege was granted to the conversation, the mailbox, or the workflow without a second control to validate intent. The breach path is often short because business processes themselves are treated as trusted.
Practical implication: add step-up verification for payment, vendor, and account-change workflows that originate from email.
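One way to implement the step-up check described above, as an added example rather than code from the webinar or from Abnormal AI: a small policy gate that refuses to let an inbound email be the sole authority for a high-risk action. A confirmation only counts if it arrived over a different channel than the instruction, came from someone other than the claimed requester, and is fresh. The `Request`/`Verification` shapes, the action names, the 30-minute window and the sample scenarios are all assumptions constructed for illustration.

```python
"""Added example (not from the webinar or Abnormal AI): a policy gate that stops an
email from inheriting authority over payments, vendor changes and account resets.

Assumptions (hypothetical, for illustration only):
- Requests carry the channel the instruction arrived on ("email", "portal", ...).
- Out-of-band confirmations are recorded with their own channel and confirmer.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HIGH_RISK_ACTIONS = {"payment", "vendor_bank_change", "account_reset", "mfa_reset"}
MAX_VERIFICATION_AGE = timedelta(minutes=30)   # assumed freshness window


@dataclass(frozen=True)
class Verification:
    channel: str        # e.g. "phone_callback", "approver_portal", "email"
    verified_by: str    # identity that confirmed the action
    at: datetime


@dataclass
class Request:
    action: str
    requester: str      # identity the message claims to come from
    origin: str         # channel the instruction arrived on
    received_at: datetime
    verifications: list = field(default_factory=list)


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Low-risk actions pass. High-risk actions need a
    confirmation that (1) did not travel over the originating channel, (2) was not
    supplied by the requester, and (3) was issued for this request, within the window.
    Anything else is trust inherited from the message, not verified intent."""
    if req.action not in HIGH_RISK_ACTIONS:
        return True, "low-risk action"
    for v in req.verifications:
        if v.channel == req.origin:
            continue  # a compromised mailbox could have sent both the request and the "approval"
        if v.verified_by == req.requester:
            continue  # self-confirmation proves nothing if the identity is impersonated
        if v.at < req.received_at or v.at - req.received_at > MAX_VERIFICATION_AGE:
            continue  # pre-dated or stale approvals are replayable
        return True, f"confirmed via {v.channel} by {v.verified_by}"
    return False, "high-risk action from email without independent confirmation"


def demo() -> dict[str, bool]:
    """Constructed scenarios: only the out-of-band callback should be allowed."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    base = dict(action="vendor_bank_change", requester="cfo@example.com",
                origin="email", received_at=t0)
    scenarios = {
        "email_only": Request(**base),
        "same_channel": Request(**base, verifications=[
            Verification("email", "ap-manager@example.com", t0 + timedelta(minutes=5))]),
        "stale_approval": Request(**base, verifications=[
            Verification("approver_portal", "ap-manager@example.com", t0 + timedelta(hours=2))]),
        "callback": Request(**base, verifications=[
            Verification("phone_callback", "vendor-contact-on-file", t0 + timedelta(minutes=10))]),
        "low_risk": Request("read_report", "cfo@example.com", "email", t0),
    }
    return {name: evaluate(r)[0] for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The point of the three rejections is that each one is a form of trust inheritance: the approval rides the same channel as the instruction, comes from the same (possibly impersonated) identity, or was issued outside the window for this request.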
Why identity programmes need continuous attack-surface reassessment
Attackers are not constrained by annual review cycles, so the threat surface shifts faster than governance meetings. That matters across human identity, NHI, and agentic systems because each can create a reusable path into sensitive systems once trust is established. Continuous reassessment means measuring whether controls still match current abuse patterns, rather than assuming last quarter's posture is still valid. In practice, that is the difference between policy on paper and effective containment under pressure.
Practical implication: use ongoing exposure review to retest identity paths, trusted workflows, and privilege boundaries as the environment changes.
NHI Mgmt Group analysis
Static prevention assumptions are failing because attackers do not attack on a fixed schedule. Security models that assume one control layer can hold back every intrusion were built for a slower threat environment. Phishing, impersonation, and workflow abuse now adapt faster than many review cycles, so the discipline has to shift from 'did the control exist?' to 'did it still match the current attack pattern?'. Practitioner conclusion: treat resilience as continuous validation, not a one-time design state.
Business email compromise is an identity governance failure, not just a mail security problem. The real weakness is that organisations still grant trust to a mailbox, a conversation, or a payment flow without enough secondary verification. That means the attack succeeds by exploiting business process authority as much as technical access. Practitioner conclusion: review where email-triggered actions still inherit trust automatically.
Phishing exposure is a shared problem across human identity, privileged access, and NHI governance. Human users are the obvious target, but the same trust assumptions often bleed into service accounts, delegated workflows, and automation paths that can be abused after the first compromise. Trust inheritance gap: this is the failure mode where one trusted identity or channel is allowed to carry unverified authority into the next step. Practitioner conclusion: map where trust is being inherited instead of re-verified.
The most dangerous myth is that higher control density equals immunity. More tools do not matter if the underlying operating assumption is that attackers behave predictably. The numbers in this webinar are a reminder that loss keeps scaling even when organisations believe they are well defended. Practitioner conclusion: measure whether identity controls are blocking abuse paths, not just generating coverage.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only about 15% of organisations (1.5 in 10) are highly confident in their ability to secure NHIs, compared with nearly 25% (1 in 4) for securing human identities.
- The 52 NHI Breaches Analysis shows how identity exposure becomes breach impact when privileged access is left unmanaged.
What this signals
Security teams should read this webinar as a reminder that exposure management is now an identity discipline, not only a perimeter discipline. When a message can still become a payment or a session, the control point has moved to verification, segmentation, and trust re-checking. That is especially true where identity sprawl already creates blind spots in delegated access and automation.
Trust inheritance gap: the next programme failure will not come from a missing filter, but from a workflow that still assumes a trusted email is a trusted instruction. Teams should look for places where one verified step grants permanent downstream authority, then redesign those paths so high-risk actions require separate confirmation.
Identity teams that already track service accounts, privileged workflows, and account recovery paths should extend the same discipline to email-triggered actions. The relevant question is no longer whether a phishing message was blocked, but whether the organisation can prevent one successful lure from becoming a chain of identity abuse.
For practitioners
- Audit email-triggered high-risk workflows: Identify payment, vendor change, and account reset flows that still trust an inbound email as sufficient authority. Require a second verification step before the action completes, especially where mailbox compromise would create financial or privilege impact.
- Map trust inheritance across identity paths: Trace where a verified human action or authenticated session is allowed to carry authority into downstream systems without re-checking intent. Focus on delegated approvals, shared mailboxes, and automations that can be abused after account takeover.
- Tighten detection for post-phishing identity abuse: Look for abnormal login geographies, impossible travel, mailbox forwarding changes, and unexpected access to finance or admin systems after a lure. These signals matter more than the initial phishing event because the breach often starts after the message is opened.
- Rehearse containment before the inbox is fully trusted again: Build playbooks that isolate the mailbox, revoke suspicious sessions, and verify downstream authorisations before business resumes. The goal is to stop a compromised communication channel from continuing to authorise payments or access.
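The detection signals listed above (and in the earlier answer on mailbox takeover signals) can be expressed as a handful of correlation rules. The following is an added example, not code from the webinar, from Abnormal AI, or from any vendor's detection engine: it runs three rules over a constructed batch of audit events, namely impossible travel between consecutive sign-ins, creation of a mailbox rule that forwards outside the organisation's domain, and access to a sensitive application shortly after a suspicious sign-in. The event schema, the `example.com` domain, the 900 km/h threshold, the six-hour follow-up window and all sample events are assumptions built for illustration.

```python
"""Added example (not from the webinar or Abnormal AI): post-phishing identity-abuse
detection over constructed audit events. The event shape is hypothetical, loosely
modelled on the fields a sign-in log and a mailbox audit log expose."""
import math
from datetime import datetime, timedelta, timezone

INTERNAL_DOMAIN = "example.com"            # assumption: the organisation's mail domain
SENSITIVE_APPS = {"payroll", "erp-payments", "admin-console"}
MAX_PLAUSIBLE_SPEED_KMH = 900.0            # faster than an airliner => impossible travel
FOLLOW_UP_WINDOW = timedelta(hours=6)      # how long a suspicious sign-in taints later access


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample events, not real telemetry. j.doe shows the full chain:
# sign-in from a second city 38 minutes after the first, an innocuously named
# rule forwarding mail externally, then access to the payments system.
EVENTS = [
    {"type": "signin", "user": "j.doe", "ts": ts("2024-03-01T08:02:00"), "city": "London", "lat": 51.5, "lon": -0.12},
    {"type": "signin", "user": "j.doe", "ts": ts("2024-03-01T08:40:00"), "city": "New York", "lat": 40.71, "lon": -74.0},
    {"type": "mailbox_rule", "user": "j.doe", "ts": ts("2024-03-01T08:47:00"), "name": "RSS Feeds", "forward_to": "archive.jdoe@mail.example"},
    {"type": "app_access", "user": "j.doe", "ts": ts("2024-03-01T09:30:00"), "app": "erp-payments"},
    {"type": "signin", "user": "a.smith", "ts": ts("2024-03-01T09:00:00"), "city": "Manchester", "lat": 53.48, "lon": -2.24},
    {"type": "mailbox_rule", "user": "a.smith", "ts": ts("2024-03-01T09:05:00"), "name": "Vendors", "forward_to": "ap-team@example.com"},
    {"type": "app_access", "user": "a.smith", "ts": ts("2024-03-01T09:10:00"), "app": "erp-payments"},
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect(events: list[dict]) -> list[dict]:
    """Return findings as {user, rule, detail}, processing each user's events in time order."""
    findings = []
    suspicious_since: dict[str, datetime] = {}   # user -> time of the flagged sign-in
    by_user: dict[str, list[dict]] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)

    for user, evs in by_user.items():
        last_signin = None
        for e in evs:
            if e["type"] == "signin":
                if last_signin is not None:
                    km = haversine_km(last_signin["lat"], last_signin["lon"], e["lat"], e["lon"])
                    hours = (e["ts"] - last_signin["ts"]).total_seconds() / 3600
                    if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                        findings.append({"user": user, "rule": "impossible_travel",
                                         "detail": f'{last_signin["city"]} -> {e["city"]} in {hours * 60:.0f} min'})
                        suspicious_since.setdefault(user, e["ts"])
                last_signin = e
            elif e["type"] == "mailbox_rule":
                # Forwarding to any domain but our own is a classic takeover persistence step.
                dest_domain = e["forward_to"].rsplit("@", 1)[-1].lower()
                if dest_domain != INTERNAL_DOMAIN:
                    findings.append({"user": user, "rule": "external_forwarding_rule",
                                     "detail": f'{e["name"]} -> {e["forward_to"]}'})
            elif e["type"] == "app_access" and e["app"] in SENSITIVE_APPS:
                since = suspicious_since.get(user)
                if since is not None and since <= e["ts"] <= since + FOLLOW_UP_WINDOW:
                    findings.append({"user": user, "rule": "sensitive_access_after_suspicious_signin",
                                     "detail": e["app"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["user"]:8} {f["rule"]:40} {f["detail"]}')
```

Only j.doe is flagged: a.smith's forwarding rule stays inside the organisation's domain and the payments access is not preceded by a suspicious sign-in. The third rule is the one that ties the mailbox event back to the identity problem the page describes; on its own, a sign-in from a new city is noise, but sensitive access in the hours after it is what a compromised session is for.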
Key takeaways
- The core risk is not just phishing volume, but the way trusted communications can become trusted actions.
- The scale is material, with billions in exposed BEC losses and breach costs in the nine-million-dollar range.
- Teams should harden verification around high-risk workflows so a compromised mailbox cannot automatically become a privileged business channel.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST SP 800-207 (Zero Trust Architecture) provide the identity and access-control guidance that the controls in this guidance map to.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01, PR.AA-03, PR.AA-05 (Identity Management, Authentication, and Access Control) | Managing credentials, authenticating users and services, and enforcing least privilege and separation of duties on access permissions are central to containing BEC and phishing-driven abuse. |
| NIST SP 800-63B | Authenticator assurance levels (AAL2 and AAL3) | Human identity trust is exploited when email becomes sufficient proof of intent; high-risk actions should step up to a stronger, phishing-resistant authenticator. |
| NIST SP 800-207 | Section 2.1, Tenets of Zero Trust (per-session, dynamic access decisions with no implicit trust from the channel) | Continuous verification is needed when attackers pivot from phishing to account abuse. |
Reassess who can trigger high-risk actions and require stronger verification at the point of access.
Key terms
- Business Email Compromise: A fraud pattern where an attacker uses compromised or impersonated email identity to trick people into transferring money, changing account details, or exposing sensitive information. The attack works because business processes often treat email as implicit proof of authority, which lets the fraud extend beyond the inbox into financial and identity systems.
- Trust Inheritance: The transfer of authority from one verified interaction or identity to the next without fresh validation. In practice, this is where a checked email, session, or approval is allowed to authorise a later action such as payment, password reset, or access change, creating a hidden control gap.
- Account Takeover: An attack outcome in which an adversary gains control of a legitimate user or service account and can act as that identity. The compromise may start with phishing, password theft, or token abuse, but the operational risk is the attacker inheriting the account's trust and permissions.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: changing threat patterns, cybersecurity myths, and why prevention alone is not enough. Read the original.
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org