By NHI Mgmt Group Editorial Team
Published 2026-06-26
Domain: Events
Source: Abnormal AI

TL;DR: Business email compromise remains a high-loss attack pattern, with nearly 20,000 attacks averaging $120,000 each, as attackers exploit urgency, fear, and hybrid work conditions to bypass existing controls, according to Abnormal AI. The governance problem is not awareness, but identity and process design that still leaves human decision-making too exposed.


At a glance

What this is: This is a webinar on why business email compromise keeps rising and how hybrid work makes human-targeted fraud easier to execute.

Why it matters: It matters because BEC sits at the intersection of human identity, access governance, and operational process, so IAM, PAM, and security teams need controls that reduce trust in urgent requests and payment changes.

👉 Watch Abnormal AI's webinar on the future of business email compromise


Context

Business email compromise is a form of social engineering that uses trusted communication channels to manipulate people into transferring money or revealing information. In a hybrid workforce, the attack surface expands because approvals, payment changes, and identity verification often happen across email, chat, and remote workflows rather than in one controlled environment.

That creates a governance problem for human identity programmes, not just a detection problem for email security tools. When urgency and fear become the attacker’s main controls, existing access workflows, payment validation steps, and exception handling processes become part of the attack path.


Key questions

Q: How should security teams reduce business email compromise risk in hybrid work environments?

A: Security teams should remove email as the sole approval path for high-risk actions. Use out-of-band verification, independent approval for payment changes, and tighter process controls around supplier updates, account recovery, and sensitive data release. The goal is to make impersonation harder than compliance with a fake request.

Q: Why do business email compromise attacks keep succeeding even when staff are aware of them?

A: BEC keeps succeeding because awareness does not equal verification. Attackers exploit urgency, authority, and routine business exceptions, which can override caution even in trained employees. The failure usually sits in process design, where a convincing request can still trigger payment, access, or disclosure without independent confirmation.

Q: What breaks when organisations rely on email-only approvals for financial requests?

A: Email-only approvals fail because the channel is easy to impersonate and easy to rush. A fraudulent request can appear legitimate long enough to trigger a payment or account change before anyone checks it elsewhere. Strong controls require a second channel, clear approver identity, and a non-repudiable record of the decision.

Q: Who should own BEC controls in an organisation?

A: BEC controls should be owned jointly by security, finance, IAM, and business process leaders. The attack crosses technical and operational boundaries, so accountability has to cover both message security and the approval workflow itself. If only one team owns it, attackers will keep using the gap between teams.


Background and context

Why business email compromise keeps working

BEC works because it imitates legitimate business communication and pushes the target to act before verifying. Attackers often impersonate executives, vendors, or internal staff to request a payment change, gift card purchase, or credential handoff. The control failure is rarely a single missed alert. It is usually a chain of weak identity verification, inconsistent approval routing, and human pressure that short-circuits normal scrutiny. In hybrid environments, those weaknesses are amplified because people rely more heavily on asynchronous communication and remote exception handling.

Practical implication: reduce reliance on email-only approval paths for high-risk actions and require out-of-band verification for payment or account changes.

How BEC bypasses existing security controls

BEC is effective because it often never trips the controls built to stop malware or credential theft. Message security, MFA, and perimeter filtering do not automatically stop a user from authorising a fraudulent transfer or sharing sensitive data in response to a convincing request. The real gap is that many controls protect the mailbox, not the decision. In other words, the attack succeeds at the workflow layer, where authority, timing, and trust are negotiated between humans rather than enforced by policy.

Practical implication: map your highest-risk business workflows and add approval, verification, and anomaly checks at the point of decision, not just at the inbox.

Hybrid work changes the trust model for human identity

Hybrid work reduces the informal checks that used to happen in person, such as walking over to confirm a request or hearing a suspicious change in tone. That makes identity assurance more dependent on process discipline than physical proximity. For IAM and PAM teams, this is a human identity problem with NHI-like consequences because compromised trust in one communication path can trigger financial and access impact across multiple systems. The question is not whether users are aware of BEC, but whether the organisation has made fraud harder than compliance with a fake request.

Practical implication: treat hybrid work as a governance design constraint and harden payment, supplier, and access-change processes accordingly.


NHI Mgmt Group analysis

BEC is a human identity governance failure before it is an email security problem. The attacker is not defeating cryptography or infrastructure first. They are defeating trust, authority, and exception handling in ordinary business workflows. That means the programme gap sits in identity assurance for high-risk decisions, especially where approvals and payments are handled remotely.

Hybrid work has widened the decision window attackers exploit. When teams are distributed, verification becomes slower, more fragmented, and easier to fake across channels. The result is a weaker governance pattern for human identity than many organisations admit, because the process assumes people will pause and verify when the attacker’s whole strategy is to remove that pause.

Urgency and fear are the real control bypasses in BEC. Security controls often focus on detecting malicious content, but BEC succeeds when the request itself feels routine, urgent, or authoritative. This shifts the problem from message inspection to decision design, which is where IAM, PAM, and finance controls intersect.

Identity programmes need to govern business actions, not only identities. A request to change bank details, approve a payment, or release confidential data is an identity event because it depends on who is believed, not just who is authenticated. Organisations that do not treat these decisions as governed transactions leave a structural gap attackers can repeatedly exploit.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
  • For the governance side of this problem, review the NHI Lifecycle Management Guide for lifecycle controls that reduce trust in unmanaged access paths.

What this signals

BEC should be treated as a governance issue that exposes how weakly many organisations bind identity to business action. When a request can still move money or data purely because it looks legitimate, the programme has not reduced trust enough to resist social engineering.

Approval-path fragility: the real risk is not just email compromise, but the collapse of independent verification inside remote workflows. Teams should harden any process where a single message can trigger a high-impact decision, and align that work with the NHI Lifecycle Management Guide where privileged or delegated access is involved.

According to The State of Secrets in AppSec, 43% of security professionals are already worried about AI systems learning sensitive patterns from codebases. That same pattern recognition problem reinforces why human-targeted fraud will keep evolving: attackers adapt to the organisation’s own communication habits faster than many controls adapt to the threat.


For practitioners

  • Require out-of-band verification for high-risk requests: use a second trusted channel for payment changes, supplier updates, and urgent transfer requests. Do not accept reply-only approval flows for actions that move money or reveal sensitive information.
  • Map and harden the business workflows BEC targets: inventory finance, HR, legal, and IT processes where authority can be impersonated. Add step-up validation for changes to bank details, wire instructions, account recovery, and privilege requests.
  • Train staff to slow down under urgency cues: use scenario-based awareness that focuses on executive impersonation, vendor fraud, and emotional pressure. Reinforce that speed is not a control when the request is high impact.
  • Align PAM and finance controls on approval integrity: make sure high-value transactions and privileged requests require verifiable approvers, tamper-resistant audit trails, and independent confirmation before execution.
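The three controls the list above keeps returning to (a verification on a channel other than the one the request arrived on, an approver who is not the requester, and a tamper-evident record of the decision) as an added worked example in Python. This is editorial example code, not code from the webinar or from Abnormal AI; the action names, channel labels, request identifiers and sample identities are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
HIGH_RISK_ACTIONS = {"change_bank_details", "wire_transfer", "release_confidential_data"}  # constructed names

@dataclass
class Request:
    request_id: str
    action: str
    requester: str                  # identity that raised the request
    origin_channel: str             # channel it arrived on, e.g. "email"
    approver: Optional[str] = None  # named approver; must not be the requester
    verifications: List[Tuple[str, str]] = field(default_factory=list)  # (channel, verifier)

def _digest(prev: str, event: dict) -> str:
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
class AuditLog:  # append-only hash chain; altering or dropping any record breaks verify_chain()
    def __init__(self) -> None:
        self.entries: List[dict] = []
    def append(self, event: dict) -> str:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "event": event, "digest": _digest(prev, event)})
        return self.entries[-1]["digest"]
    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _digest(prev, e["event"]) != e["digest"]:
                return False
            prev = e["digest"]
        return True

def evaluate(req: Request, log: AuditLog) -> Tuple[bool, List[str]]:
    """Deny a high-risk action unless it was verified on another channel by someone other than
    the requester and approved by a named approver who is not the requester; log every decision."""
    reasons: List[str] = []
    if req.action in HIGH_RISK_ACTIONS:
        oob = [v for v in req.verifications if v[0] != req.origin_channel and v[1] != req.requester]
        if not oob:
            reasons.append("no independent out-of-band verification")
        if req.approver in (None, req.requester):
            reasons.append("no independent named approver")
    allowed = not reasons
    log.append({"id": req.request_id, "action": req.action, "approver": req.approver, "allowed": allowed, "reasons": reasons})
    return allowed, reasons

def constructed_scenario(log: AuditLog) -> Tuple[bool, bool]:
    """Constructed sample: a reply-only email approval (denied) vs. one confirmed by phone (allowed)."""
    reply_only = Request("REQ-1", "change_bank_details", "vendor@example.com", "email", "ap.clerk", [("email", "ap.clerk")])
    phone_checked = Request("REQ-2", "change_bank_details", "vendor@example.com", "email", "finance.manager", [("phone", "ap.clerk")])
    return evaluate(reply_only, log)[0], evaluate(phone_checked, log)[0]
```

The log records denials as well as approvals, so a request that was pushed through after a rejected attempt remains visible to reviewers.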

Key takeaways

  • Business email compromise succeeds by exploiting trust in ordinary workflow decisions, not by breaking core infrastructure security.
  • The webinar’s figures show that BEC remains both common and expensive, which makes approval integrity a governance priority rather than an awareness-only issue.
  • Teams should harden the decision points where money, access, or sensitive data can move on the basis of a convincing message alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AT-1 | BEC depends on user susceptibility and poor decision discipline across workflows.
NIST SP 800-63 | | Identity assurance matters when requests are impersonated through trusted channels.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero Trust reduces implicit trust in requests that arrive through email or chat.

Strengthen identity verification for approvals and step-up actions that affect money or access.


Key terms

  • Business Email Compromise: A fraud pattern in which an attacker uses convincing email or message impersonation to manipulate a person into sending money, revealing data, or changing account details. The attack succeeds by abusing trust in business communication and approval habits rather than by exploiting software vulnerabilities.
  • Out-of-band Verification: A confirmation step that happens through a separate trusted channel, such as a phone call or secure portal, instead of replying to the original message. It reduces the chance that a forged email or chat request can complete a high-risk action on its own.
  • Approval Integrity: The degree to which a decision to move money, change access, or release information can be trusted as authentic and properly authorised. In practice, it depends on independent review, traceable approvers, and controls that prevent a single manipulated message from driving execution.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: the future of business email compromise in hybrid work. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org