Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Business email compromise is still beating traditional email controls


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Business email compromise has driven more than US$55 billion in attempted or actual losses across over 300,000 attacks since 2013, and attackers now combine compromised accounts, thread hijacking, and AI-generated social engineering to bypass content filters, according to Proofpoint. The problem is no longer email filtering alone, but trust, identity, and workflow abuse that conventional controls were never built to stop.

NHIMG editorial — based on content published by Proofpoint: business email compromise attacks and how they bypass traditional email security

By the numbers:

Questions worth separating out

Q: What breaks when business email compromise is not controlled at the identity layer?

A: When BEC is handled only as an email-filtering problem, attackers can still use compromised accounts, hijacked threads, and legitimate-looking requests to move money or extract data.

Q: Why do compromised mailboxes create so much downstream risk?

A: Compromised mailboxes are dangerous because they already sit inside trusted workflows.

Q: How do security teams know whether BEC controls are actually working?

A: Look for fewer successful fraudulent approvals, faster reporting of suspicious requests, and lower dependence on email content alone for decision-making.

Practitioner guidance

  • Map high-risk communication flows Identify the email-driven processes that can move money, change banking details, or release sensitive information without a second approval path.
  • Harden mailbox and account monitoring Alert on suspicious inbox rules, impossible travel, unusual sending volume, and changes in conversation patterns that indicate account abuse.
  • Require out-of-band verification for payment changes Use dual approval and callback verification for bank detail updates, invoice exceptions, and urgent transfer requests.

What's in the full article

Proofpoint's full analysis covers the operational detail this post intentionally leaves for the source:

  • How Proofpoint's detection logic separates normal business communication from abnormal request behaviour in cloud email platforms
  • Examples of the behavioural signals used to identify compromised accounts, thread hijacking, and suspicious mailbox activity
  • The role-specific training scenarios and verification patterns the source recommends for finance, HR, and executive workflows
  • How the vendor positions API-based and secure email gateway deployment options for different environments

👉 Read Proofpoint's analysis of business email compromise and identity abuse →

Business email compromise is still beating traditional email controls?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

BEC is an identity abuse problem before it is an email problem. The article correctly shows that modern BEC succeeds when a trusted account, a trusted thread, or a trusted vendor relationship is reused against the business. That shifts the governance question toward identity assurance, mailbox access monitoring, and approval integrity rather than message filtering alone. Practitioners should treat BEC as part of identity governance, not just secure email.

A question worth separating out:

Q: Who is accountable when a BEC attack succeeds through a trusted mailbox?

A: Accountability sits across email security, identity governance, and the business process that approved the action. If the organisation allowed a payment or account change to proceed without secondary verification, the failure is not only technical. Teams need a defined owner for mailbox compromise response, workflow verification, and fraud escalation before the attack reaches completion.

👉 Read our full editorial: Business email compromise is exploiting trust and process gaps



   
ReplyQuote
Share: