TL;DR: Delta Dental’s security programme is framed around business email compromise and invoice fraud, with controls designed to protect 80 million members across 39 independent companies operating in all 50 states, according to Abnormal AI. The case shows that at scale, identity and email governance have to be built around business workflows, not just perimeter controls.
At a glance
What this is: This webinar overview explains how Delta Dental aligns security controls with business needs while defending against vendor email compromise, business email compromise, and invoice fraud.
Why it matters: It matters because identity and access teams have to protect user experience, third-party trust, and high-volume business processes at the same time, especially where email is the entry point for fraud.
By the numbers:
- Delta Dental serves more than 80 million members across the country.
- Delta Dental operates through 39 independent member companies in all 50 states.
👉 Read Abnormal AI's webinar on Delta Dental’s response to vendor email compromise
Context
Delta Dental’s security posture is shaped by a simple reality: a high-trust business environment can be a fraud target. When customer-facing operations, vendor communications, and internal approvals all run through email, business email compromise and invoice fraud become identity problems as much as messaging problems.
The relevant governance question is not whether to tighten every control, but how to reduce fraud risk without breaking service delivery. For IAM, PAM, and NHI teams, that means separating trusted business workflows from assumed-trusted email interactions and treating third-party communication as an access boundary, not a convenience layer.
Key questions
Q: How should security teams reduce vendor email compromise risk in finance workflows?
A: They should remove email as the sole trust signal for any payment or vendor-change action. The practical fix is to require a separate verification path, tie approvals to named business owners, and make suspicious contact changes visible before money moves. Controls work best when they validate intent outside the inbox.
Q: Why do business email compromise attacks succeed even in well-run organisations?
A: They succeed because many organisations still treat routine communication as proof of authority. Attackers exploit that assumption by mimicking vendors, replaying familiar threads, or inserting themselves into approval chains. The weakness is usually the business workflow, not the mailbox itself.
Q: What should organisations do when invoice fraud depends on delegated trust?
A: They should break the link between a received request and an approved action. That means dual verification for payment changes, explicit owner sign-off for supplier updates, and documented controls for high-value exceptions. Delegated trust must be verified independently, not assumed from context.
Q: How can IAM and security teams support fraud resistance without hurting operations?
A: By designing controls around critical workflows rather than blanket restriction. Keep the user experience workable, but add stronger checks where the business impact is highest, such as payments, vendor onboarding, and account changes. The goal is friction where trust matters most, not everywhere.
Background and context
Vendor email compromise as an identity control problem
Vendor email compromise works because attackers do not need to defeat every control. They need to insert themselves into an existing trust relationship, then exploit approval habits, invoice handling, or account recovery paths. In identity terms, the weakness is often not authentication itself but the business process that treats a familiar sender as sufficient proof of legitimacy. At Delta Dental’s scale, that creates a governance problem across human approvals, delegated access, and third-party contact chains.
Practical implication: Map which business workflows still treat email sender trust as proof of legitimacy, and remove that assumption from each of them.
Why business email compromise scales faster than controls
Business email compromise scales because fraud campaigns can target many independent entities while reusing the same social and technical playbooks. The attacker only needs one successful deception path per process family, not per user. That makes the control gap structural: approval routing, invoice validation, and vendor identity verification are often inconsistent across business units. Where member companies operate semi-independently, attackers can move to the weakest local process and still achieve enterprise-level impact.
Practical implication: Standardise fraud-sensitive identity checks across subsidiaries, business units, and shared service lines.
Invoice fraud and the role of delegated trust
Invoice fraud succeeds when finance, procurement, and operations allow delegated trust to outrun verification. The sender may look routine, but the identity behind the request has been altered, replayed, or impersonated. That is why this attack pattern sits at the boundary of IAM and financial control design. It is not just about stopping malicious mail. It is about ensuring that payment authority, vendor change requests, and account updates require independent verification outside the email thread.
Practical implication: Bind payment and vendor-change approvals to separate identity proofing and out-of-band confirmation, performed outside the email thread.
NHI Mgmt Group analysis
Business email compromise is an identity governance failure before it is a fraud event. The real issue is that organisations still let email assertions stand in for verified business intent. That assumption breaks when attackers can imitate vendors, hijack reply chains, or exploit repetitive approval behaviour. The implication is that identity programmes must treat fraud-sensitive communication paths as governed trust domains, not informal collaboration channels.
Delegated trust becomes the attack surface when invoice workflows are not independently verified. Once finance or procurement accepts an email thread as a valid authority chain, the attacker only needs to redirect that chain. This is a control-design problem across human identity, business process ownership, and third-party access boundaries. Practitioners should recognise that the security failure is not mail delivery itself, but the unverified transfer of authority embedded in the workflow.
At Delta Dental scale, fraud resilience depends on standardisation across independent operating units. When 39 member companies operate with local variation, attackers naturally search for the least resistant workflow rather than the most protected one. That makes inconsistent verification rules a systemic weakness. The practitioner conclusion is that governance must be central enough to be consistent, while still preserving local operational needs.
Identity controls that ignore user experience will not hold in business-critical environments. Delta Dental’s framing shows why teams cannot design fraud controls in isolation from service delivery. If controls are too brittle, users route around them; if they are too loose, attackers route through them. The practical conclusion is that security and business operations need a shared model for trust thresholds, not separate control agendas.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- To extend this analysis, see NHI Lifecycle Management Guide for lifecycle governance patterns that help separate trusted access from informal business process sprawl.
What this signals
Business email compromise is becoming harder to separate from broader identity governance because attackers increasingly target the trust layer, not just the mailbox. The same trust drift is visible in non-human access: 70% of organisations grant AI systems more access than they would give a human employee performing the same job, per The 2026 Infrastructure Identity Survey.
Delegated trust debt: this is the point at which routine business communication starts to function like a standing privilege. Once that happens, fraud controls, identity controls, and process controls all need to converge on the same verification model, or attackers will keep finding the gap between them.
Practitioners should expect more pressure to prove that business workflows are not just efficient but resilient. The programmes that survive will be the ones that can separate convenience from authority and make that distinction auditable across finance, procurement, and third-party operations.
For practitioners
- Map fraud-sensitive approval chains: identify invoice, vendor-change, and payment workflows that still trust email as an authority signal, then require a separate verification step before action is taken.
- Standardise verification across operating units: apply the same out-of-band approval and validation rules across all independent companies, subsidiaries, or departments that share business relationships.
- Separate communication trust from payment authority: ensure that the person who receives or forwards an email is never the only proof that a request is legitimate, especially for financial actions.
- Review vendor contact-change processes: require independent confirmation for any change to supplier bank details, reply addresses, or account contacts before the request reaches finance systems.
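The gate the four items above describe, and that the Background section calls "independent verification outside the email thread", can be written down as an explicit policy. The block below is an added example, not code from Delta Dental, Abnormal AI or the original post. It assumes a vendor master record that holds a callback number and a named business owner captured at onboarding, and a separate record of the out-of-band call; the record types, field names, the sample vendor, the request and the confirmations are all constructed for the example. Email-header signals (lookalike sender domain, Reply-To redirect) are recorded as warnings for the approver but never decide the outcome; only the out-of-band checks do.

```python
"""Policy gate for vendor bank-detail changes (illustrative, hypothetical data).

Rule encoded: an email thread is never the authority for a payment change.
Authority comes from an out-of-band confirmation made to the number on the
vendor record, by the named business owner, who must not be the requester.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    email_domain: str     # domain captured at onboarding
    callback_phone: str   # number captured at onboarding, never taken from an email
    business_owner: str   # named internal owner accountable for this supplier


@dataclass(frozen=True)
class ChangeRequest:
    vendor_id: str
    sender: str           # From: header of the requesting email
    reply_to: str         # Reply-To: header (often redirected by attackers)
    new_iban: str
    requested_by: str     # internal employee who raised the request from the email
    received_at: datetime


@dataclass(frozen=True)
class OutOfBandConfirmation:
    vendor_id: str
    phone_used: str       # number actually dialled
    confirmed_by: str     # internal employee who made the call
    confirmed_at: datetime
    iban_read_back: str   # what the vendor read back over the phone


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def email_warnings(req: ChangeRequest, vendor: VendorRecord) -> list:
    """Suspicion signals from the thread. Logged for the approver, never decisive:
    a clean email is still not authority, a suspicious one needs the same call."""
    warnings = []
    sender_dom, reply_dom = _domain(req.sender), _domain(req.reply_to)
    if sender_dom != vendor.email_domain:
        if _edit_distance(sender_dom, vendor.email_domain) <= 2:
            warnings.append(f"lookalike sender domain {sender_dom!r}")
        else:
            warnings.append(f"sender domain {sender_dom!r} is not the onboarded domain")
    if reply_dom != sender_dom:
        warnings.append(f"reply-to domain {reply_dom!r} differs from sender domain")
    return warnings


def evaluate_change(req: ChangeRequest, vendor: VendorRecord,
                    confirmation: Optional[OutOfBandConfirmation],
                    now: datetime, max_age: timedelta = timedelta(days=2)):
    """Return (approved, blockers, warnings). Approval needs an empty blocker list."""
    warnings = email_warnings(req, vendor)
    blockers = []
    if req.vendor_id != vendor.vendor_id:
        blockers.append("request does not reference this vendor record")
    if confirmation is None:
        blockers.append("no out-of-band confirmation on file")
        return False, blockers, warnings
    if confirmation.vendor_id != vendor.vendor_id:
        blockers.append("confirmation belongs to a different vendor")
    if confirmation.phone_used != vendor.callback_phone:
        blockers.append("confirmation did not use the phone number on the vendor record")
    if confirmation.confirmed_by == req.requested_by:
        blockers.append("requester confirmed their own request (no separation of duties)")
    if confirmation.confirmed_by != vendor.business_owner:
        blockers.append("confirmation was not made by the named business owner")
    if confirmation.iban_read_back != req.new_iban:
        blockers.append("IBAN read back by the vendor does not match the request")
    if confirmation.confirmed_at < req.received_at:
        blockers.append("confirmation predates the request")
    elif now - confirmation.confirmed_at > max_age:
        blockers.append("confirmation is stale")
    return not blockers, blockers, warnings


# Constructed sample data (hypothetical vendor, request and calls).
T0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
VENDOR = VendorRecord("V-1001", "acme-supplies.example", "+1-555-0100", "j.owner")
REQUEST = ChangeRequest("V-1001", "ar@acme-supp1ies.example", "ar.acme@webmail.example",
                        "GB29NWBK60161331926819", "a.clerk", T0)


def run_scenarios(now: datetime = T0 + timedelta(hours=2)) -> dict:
    """Four ways the same request can reach finance; only the last is approved."""
    ok_call = OutOfBandConfirmation("V-1001", "+1-555-0100", "j.owner",
                                    T0 + timedelta(hours=1), REQUEST.new_iban)
    return {
        "email_only": evaluate_change(REQUEST, VENDOR, None, now),
        # Number quoted in the email footer rather than the one on record.
        "phone_from_email": evaluate_change(REQUEST, VENDOR, OutOfBandConfirmation(
            "V-1001", "+1-555-0199", "j.owner", T0 + timedelta(hours=1), REQUEST.new_iban), now),
        "self_confirmed": evaluate_change(REQUEST, VENDOR, OutOfBandConfirmation(
            "V-1001", "+1-555-0100", "a.clerk", T0 + timedelta(hours=1), REQUEST.new_iban), now),
        "owner_callback": evaluate_change(REQUEST, VENDOR, ok_call, now),
    }


if __name__ == "__main__":
    for name, (approved, blockers, warnings) in run_scenarios().items():
        print(name, "APPROVED" if approved else "DENIED", blockers, warnings)
```

The warnings on the approved scenario are deliberate: the lookalike domain and the redirected Reply-To are still reported so they end up in the audit trail and can be fed back to the email-security team, but the decision to pay rests on the callback to the number on file, made by the accountable owner, with the IBAN read back.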
Key takeaways
- Vendor email compromise is fundamentally a trust-boundary problem, not just a messaging problem.
- Delta Dental’s scale shows why fraud controls must work consistently across independent operating units and shared business processes.
- The most effective countermeasure is independent verification of authority before payment, vendor-change, or approval actions proceed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST SP 800-207 (Zero Trust Architecture) are the reference points used here; they are voluntary frameworks, so the mapping below shows where each supports the controls above rather than imposing a requirement.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements and authorisations defined in policy, managed, enforced and reviewed, incorporating least privilege and separation of duties) | Payment and vendor-change authority should be a governed, reviewed permission with separation of duties, not something inferred from who sent an email. |
| NIST SP 800-63 | SP 800-63A (identity proofing and enrolment) | Proofing third-party contacts at onboarding gives finance a trusted record to verify against, instead of details supplied inside the request itself. |
| NIST SP 800-207 | Section 2.1, Tenets of Zero Trust (access decided per request by dynamic policy, with authentication and authorisation enforced before access) | Trust should be explicit and conditional, not inherited from the inbox. |
Treat every high-value request as a separate access decision with explicit validation.
Key terms
- Vendor Email Compromise: Vendor email compromise is a fraud pattern where an attacker impersonates or hijacks a trusted supplier or partner to alter payment or approval workflows. The technical weakness is usually not delivery of the message, but the organisation’s decision to treat familiar communication as proof of authority.
- Delegated Trust: Delegated trust is the practice of letting one person, system, or business process act on behalf of another without re-checking the underlying authority. In identity governance, it becomes risky when the delegation chain is longer than the verification chain, allowing attackers to exploit convenience as if it were validation.
- Fraud-Sensitive Workflow: A fraud-sensitive workflow is any business process where a mistaken approval, false vendor request, or hijacked communication can create financial, operational, or data-loss impact. These workflows need identity and process controls that verify intent independently, not just controls that confirm a message arrived from a known contact.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Abnormal AI: How Delta Dental’s Cybersecurity Program Protects 80+ Million Smiles. Read the original.
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org