By NHI Mgmt Group Editorial Team. Published 2026-06-26. Domain: Events. Source: Abnormal AI

TL;DR: Business email compromise still works because attackers exploit human decision-making, and AI is making those social engineering campaigns more convincing and scalable, according to Abnormal AI. The defensive shift is away from fear-based awareness alone and toward behaviour-aware controls that reduce user exposure and improve detection.


At a glance

What this is: This on-demand webinar argues that BEC succeeds by exploiting human psychology, with AI making social engineering more convincing and scalable.

Why it matters: It matters because IAM, security awareness, and detection programmes still fail when they treat user behaviour as a side issue rather than the attack path itself.

👉 Watch Abnormal AI's on-demand webinar on the human element of BEC


Context

Business email compromise is a social engineering problem that targets human judgement, trust, and urgency rather than technical flaws alone. In IAM terms, that means the exposed control surface is not only authentication, but also the people and processes that decide when access requests, payment changes, and message cues are believed.

The article frames empathy-based security culture and behavioural AI as the response to increasingly convincing attacks. For identity teams, the practical issue is that human identity controls, security awareness, and detection logic must work together when attackers use AI to scale deception.


Key questions

Q: How should security teams reduce the risk of business email compromise?

A: They should focus on the business actions BEC is trying to trigger, not only the message itself. That means adding out-of-band verification for payments and account changes, training users to pause on urgency, and correlating email alerts with identity and workflow signals so suspicious requests are caught before approval.

Q: Why do AI-assisted phishing and BEC campaigns succeed more often?

A: They succeed because AI improves scale, targeting, and language quality at the same time. That makes fraudulent requests harder to distinguish from legitimate ones and increases the number of attempts that can be tailored to a victim’s role, relationships, or routine business processes.

Q: How do security teams know whether BEC controls are actually working?

A: Look for fewer successful fraudulent approvals, faster reporting of suspicious requests, and lower dependence on email content alone for decision-making. If users still complete sensitive actions without secondary validation, the control environment is not blocking the real attack path.

Q: Who is accountable when a BEC attempt turns into a fraudulent transfer?

A: Accountability usually spans finance, security, and the business owner of the process. The practical test is whether the organisation defined verification steps, trained users on exceptions, and enforced a clear stop point before money or access could be moved on trust alone.


Background and context

Why BEC works against human identity controls

BEC succeeds because it exploits trust relationships, urgency, and routine exceptions in human workflows. Unlike malware that needs a technical foothold, BEC only needs a person to approve, transfer, reset, or disclose. That makes the attack path dependent on how humans interpret context under pressure, especially in email and collaboration channels. Basic authentication controls do not stop a user from being socially engineered into authorising a harmful action, which is why BEC is often a process failure before it is a technical one.

Practical implication: security teams should map BEC controls to the human decisions that create risk, not only to inbox filtering or login protections.

How AI changes social engineering scale and credibility

AI increases BEC effectiveness by making messages more specific, better timed, and harder to distinguish from legitimate requests. That changes the economics of social engineering from broad, noisy campaigns to targeted, adaptive persuasion. The key technical point is not autonomy, but content generation and campaign scaling across many victims. This strengthens attacker throughput while reducing the telltale errors that previously helped users and filters spot fraud.

Practical implication: teams need detection and user-verification controls that assume polished, high-volume impersonation rather than obvious phishing.

Behavioural AI as a detection layer for anomalous user actions

Behavioural AI in this context means models that look for deviations in communication patterns, request timing, payment changes, and identity relationships rather than relying only on static signatures. It is effective when BEC blends into normal mail flow, because the unusual part is often the action sequence, not the message format. That makes behavioural telemetry useful for spotting impersonation, account takeover, or payment redirection attempts that traditional rules miss.

Practical implication: correlate email signals with identity and workflow behaviour so suspicious requests are flagged before a fraudulent approval completes.


NHI Mgmt Group analysis

Human psychology remains the primary control surface in BEC. The article is right to frame the problem around behaviour, because BEC succeeds when people override process under social pressure. Email security, MFA, and IAM controls matter, but they do not remove the human decision point that attackers are targeting. The implication is that identity programmes must treat judgement, verification, and exception handling as first-class security controls.

AI is scaling persuasion faster than awareness programmes can refresh messaging. The important shift is not that BEC became new, but that the attacker can now personalise deception at scale. That weakens legacy training models that assume users can spot generic fraud cues. Practitioners should recognise that message quality is no longer a reliable discriminator, which raises the value of behavioural detection and transaction verification.

Security culture is a governance control, not a soft add-on. The article’s emphasis on empathy over fear reflects a real operational truth: users report, question, and verify more when they are not punished for pausing. That matters for IAM because the fastest path to fraud often depends on silence, shame, or rushed compliance. Organisations that build a reporting-positive culture improve the odds that suspicious identity events are surfaced before loss occurs.

Behavioural AI creates a useful detection layer, but only when it is tied to identity context. Anomalous content alone is not enough if the workflow behind it is still trusted by default. The strongest programmes correlate message patterns, user behaviour, and request type so the control can distinguish routine communication from coerced action. Practitioners should anchor BEC detection in identity-linked behaviour, not inbox telemetry in isolation.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • For a broader view of exposure patterns, The 52 NHI breaches Report shows how identity failures repeat when access is not governed across the full lifecycle.

What this signals

BEC is a reminder that identity programmes fail when they stop at authentication and do not govern the human decisions that complete a transaction. The next maturity step is to connect user education, process validation, and email telemetry into one control loop.

Human trust debt: security teams should treat every process that allows a person to override normal validation as accumulated risk. The more often urgent exceptions are accepted, the easier it becomes for an attacker to turn a familiar workflow into a fraud event.

Practitioners should also expect behavioural AI to move from a nice-to-have detection layer to a practical control for high-risk workflows. Its value rises when paired with internal reporting paths and transaction approval rules, not when used as a standalone filter.


For practitioners

  • Harden payment and account-change verification: Require out-of-band validation for wire instructions, beneficiary changes, payroll updates, and bank detail edits so a single compromised conversation cannot complete the fraud path.
  • Tune detection around human action sequences: Correlate message timing, sender relationships, and the requested business action so suspicious requests are evaluated in context rather than by email content alone.
  • Build a reporting culture that rewards pause-and-check behaviour: Train users to escalate unusual requests quickly, and make it safe to question authority when a message asks for urgency, secrecy, or a last-minute process exception.
  • Use behavioural AI to flag abnormal communication patterns: Prioritise controls that combine mailbox telemetry with user and workflow signals so impersonation attempts are caught before an approval or transfer is completed.

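The following is an added example, not code from the article or from Abnormal AI, that puts the "correlate message signals with identity and workflow context" idea (the behavioural detection layer described above, and the first two practitioner items) into a small rule-based form. It scores a requested business action against sender identity, vendor relationship, pressure cues and routine history, and applies a hard out-of-band verification gate to any money-moving action regardless of score. Every field name, threshold, cue list, domain and request is an assumption constructed for illustration; a production behavioural model would learn baselines rather than use fixed rules.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Actions that move money or change where it goes. These always need out-of-band
# verification before they complete, whatever the content score says (assumed set).
MONEY_MOVING_ACTIONS = {"wire", "beneficiary_change", "payroll_update", "bank_detail_edit"}

# Cues for urgency, secrecy and process bypass (an assumed, illustrative list).
PRESSURE_CUES = ("urgent", "immediately", "before end of day", "confidential",
                 "do not call", "keep this between us", "skip the usual")


@dataclass
class Request:
    """One requested business action, with the email cues that accompanied it."""
    request_id: str
    action: str            # e.g. "beneficiary_change"
    vendor: str            # vendor the request claims to be about ("" if none)
    sender_display: str    # display name as rendered in the mail client
    sender_domain: str     # domain of the real From address
    subject: str
    body: str
    oob_verified: bool     # approver confirmed via a known phone number or portal


@dataclass
class Context:
    """Identity and workflow context that the mail content alone does not carry."""
    corp_domain: str
    exec_names: Set[str]             # names commonly impersonated
    vendor_domains: Dict[str, str]   # vendor -> registered sending domain
    prior_changes: Dict[str, int]    # vendor -> past changes of this kind by this team


def score_request(req: Request, ctx: Context) -> Tuple[int, List[str]]:
    """Score how far the request deviates from the expected relationship and routine."""
    score, reasons = 0, []

    # Display-name impersonation: an executive's name arriving from outside the company domain.
    if req.sender_display in ctx.exec_names and req.sender_domain != ctx.corp_domain:
        score += 3
        reasons.append("executive display name on external domain")

    # Vendor relationship mismatch: the claimed vendor normally writes from another domain.
    expected = ctx.vendor_domains.get(req.vendor)
    if expected and req.sender_domain != expected:
        score += 3
        reasons.append(f"vendor '{req.vendor}' expected from {expected}, got {req.sender_domain}")

    # Social pressure cues in subject or body.
    text = f"{req.subject} {req.body}".lower()
    cues = [c for c in PRESSURE_CUES if c in text]
    if cues:
        score += len(cues)
        reasons.append("pressure cues: " + ", ".join(cues))

    # Routine deviation: first-ever change of this kind for this vendor.
    if req.action in MONEY_MOVING_ACTIONS and ctx.prior_changes.get(req.vendor, 0) == 0:
        score += 2
        reasons.append("first change of this kind for this vendor")

    return score, reasons


def decide(req: Request, ctx: Context, threshold: int = 3) -> Tuple[str, List[str]]:
    """Return ("allow" | "hold", reasons). "hold" means stop and verify out of band."""
    score, reasons = score_request(req, ctx)
    # Hard gate: money-moving actions never complete on message trust alone.
    if req.action in MONEY_MOVING_ACTIONS and not req.oob_verified:
        return "hold", reasons + ["no out-of-band verification recorded"]
    if score >= threshold:
        return "hold", reasons
    return "allow", reasons


# Constructed sample context and requests (not real organisations, people or domains).
CTX = Context(
    corp_domain="example.com",
    exec_names={"Dana Reyes"},
    vendor_domains={"Acme Supplies": "acme-supplies.example"},
    prior_changes={"Acme Supplies": 0, "Northwind Freight": 4},
)

SUSPICIOUS = Request(
    request_id="R-1001", action="beneficiary_change", vendor="Acme Supplies",
    sender_display="Dana Reyes", sender_domain="example-co.com",
    subject="URGENT: updated bank details",
    body="Please process immediately and keep this between us until the audit closes.",
    oob_verified=False,
)

ROUTINE = Request(
    request_id="R-1002", action="wire", vendor="Northwind Freight",
    sender_display="AP Team", sender_domain="example.com",
    subject="Invoice 4471 payment run", body="Scheduled payment per monthly run.",
    oob_verified=True,
)

if __name__ == "__main__":
    for r in (SUSPICIOUS, ROUTINE):
        verdict, why = decide(r, CTX)
        print(r.request_id, verdict, why)
```

The point of the design is that the score and the gate are independent: a polished message with no cues still cannot complete a beneficiary change without a recorded verification step, and a verified request from a routine sender is not held up by content rules. That matches the article's argument that message quality is no longer a reliable discriminator, so the control has to sit on the business action itself.
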
Key takeaways

  • BEC is fundamentally a human identity problem because attackers exploit trust, urgency, and exception handling more than technical flaws.
  • AI makes social engineering cheaper and more convincing, which means traditional awareness training and content-only detection are no longer enough on their own.
  • Teams that combine verification steps, behavioural detection, and a reporting-positive culture are better positioned to interrupt fraud before money or access changes hands.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST SP 800-63 | (none listed) | Human verification and phishing resistance matter when BEC targets user judgement.
NIST CSF 2.0 | PR.AT | Awareness and training shape how users respond to social engineering attempts.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero trust requires continuous verification of requested actions, not implicit trust in messages.

Use phishing-resistant verification where business actions depend on identity proof, not just inbox trust.


Key terms

  • Business Email Compromise: Business email compromise is a social engineering attack that tricks a person into authorising a fraudulent action through a trusted communication channel. The attack usually targets payments, account changes, or sensitive disclosures and succeeds by exploiting routine business trust rather than technical compromise.
  • Behavioural AI: Behavioural AI is a detection approach that looks for deviations in how people, systems, or accounts normally act. In security operations, it can help identify suspicious message patterns, unusual approval behaviour, and identity-linked anomalies that do not stand out in signature-based filtering.
  • Human Identity Controls: Human identity controls are the policies and safeguards that govern how people authenticate, approve requests, and handle exceptions. In BEC defence, they extend beyond login security to include verification steps, reporting culture, and decision points that attackers try to manipulate.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: The Human Element of BEC, covering what is real, what is hype, and what is next. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org