
Multilingual phishing detection: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Localized phishing and BEC attacks exploit language-specific cues such as informal German phrasing and wrong Japanese honorifics, exposing the limits of English-trained detection systems and translation-based AI, according to Abnormal AI. The real issue is that security models built for translation, not communication nuance, miss the cultural signals attackers use to appear authentic.

NHIMG editorial — based on content published by Abnormal AI: multilingual phishing detection and localised business email compromise

By the numbers:

Questions worth separating out

Q: How should security teams handle phishing and BEC in multilingual environments?

A: Security teams should validate their email controls against real local-language attacks, not just translated English samples.

Q: Why do English-trained email filters miss localised phishing attempts?

A: English-trained filters miss localised attacks because malicious intent is often carried by cultural cues, not just keywords.

Q: How do organisations measure whether multilingual phishing controls are working?

A: Measure detection accuracy, false positives, and analyst review load separately for each major language group, then compare those results against known local attack patterns.

Practitioner guidance

  • Test detection against local-language pretexts: Run red-team and vendor validation using authentic German, Japanese, and other regional business phrasing, including honorific errors, informal tone, and supplier impersonation.
  • Localise phishing simulations by business region: Deliver awareness content in the employee’s native language and mirror the forms of impersonation they actually see, such as invoice scams, executive requests, and payment-update lures.
  • Review the English bias in mail security tuning: Check whether your current rules, models, and exception workflows were calibrated on English-only corpora or translation output.

What's in the full article

Abnormal AI’s full article covers the operational detail this post intentionally leaves for the source:

  • Examples of the German and Japanese attack patterns the vendor used to refine detection models.
  • Internal testing outcomes that compare post-upgrade accuracy across German, Japanese, and English.
  • How Phishing Coach localises simulations and lessons for employees in their native languages.
  • The vendor’s account of how multilingual embeddings replaced rule-based text tagging in its pipeline.

👉 Read Abnormal AI’s analysis of multilingual phishing detection and localised BEC →

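As an added example (not from the post above and not Abnormal AI's code), the per-language measurement the third answer describes: filter verdicts are stratified by message language so that pooled figures dominated by English traffic cannot mask weaker German or Japanese results. The outcome counts and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed outcome counts per message language (not real telemetry):
# (phish blocked, phish delivered, benign blocked, benign delivered, escalated to analysts)
COUNTS = {"en": (90, 10, 10, 90, 12), "de": (5, 5, 1, 9, 6), "ja": (2, 6, 2, 6, 7)}

def records(counts=COUNTS):
    """Expand the counts into per-message rows (lang, truth, verdict, escalated), the shape a gateway log has."""
    for lang, (tp, fn, fp, tn, esc) in counts.items():
        msgs = ([("phish", "blocked")] * tp + [("phish", "delivered")] * fn
                + [("benign", "blocked")] * fp + [("benign", "delivered")] * tn)
        for i, (truth, verdict) in enumerate(msgs):
            yield lang, truth, verdict, i < esc  # the first `esc` rows went to the analyst queue

def _ratio(num, den):
    """None when a stratum has no samples of that class, so an empty stratum is not reported as perfect."""
    return num / den if den else None

def metrics(rows, key=lambda row: row[0]):
    """Detection rate, false-positive rate and analyst review load, stratified by key(row) (default: language)."""
    acc = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0, "esc": 0, "n": 0})
    for row in rows:
        _lang, truth, verdict, escalated = row
        a = acc[key(row)]
        a["n"] += 1
        a["esc"] += int(escalated)
        if truth == "phish":
            a["tp" if verdict == "blocked" else "fn"] += 1
        else:
            a["fp" if verdict == "blocked" else "tn"] += 1
    return {k: {"recall": _ratio(a["tp"], a["tp"] + a["fn"]),
                "fpr": _ratio(a["fp"], a["fp"] + a["tn"]),
                "review_load": _ratio(a["esc"], a["n"])}
            for k, a in acc.items()}

def weak_strata(per_stratum, min_recall=0.8, max_fpr=0.15):
    """Strata that miss the targets; a stratum with no labelled phish (recall None) is flagged as unmeasured."""
    return sorted(k for k, m in per_stratum.items()
                  if m["recall"] is None or m["recall"] < min_recall
                  or (m["fpr"] is not None and m["fpr"] > max_fpr))

if __name__ == "__main__":
    per_lang = metrics(records())
    pooled = metrics(records(), key=lambda row: "all")
    print("pooled:", pooled["all"], "weak:", weak_strata(pooled))      # pooled figures pass the targets
    print("per language:", per_lang, "weak:", weak_strata(per_lang))   # de and ja fail them
```

With these constructed counts the pooled numbers clear both targets while the German and Japanese strata do not, which is exactly the blind spot an English-weighted aggregate produces.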

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Language-specific trust cues are now part of the identity attack surface. Multilingual phishing does not succeed because attackers simply translate English templates. It succeeds because they reproduce the tone, formality, and cultural markers that people use to judge legitimacy. That makes language a governance issue for IAM-adjacent programmes, not only a mail-security feature. Practitioners should treat local linguistic context as part of identity trust evaluation.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Our research also shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is a useful reminder that identity blind spots usually start with incomplete control over connected access paths.

A question worth separating out:

Q: What should organisations include in native-language phishing awareness training?

A: They should include the scam motifs employees actually encounter, such as invoice fraud, supplier impersonation, executive requests, and login prompts written in local tone. Training should reflect the language, formality, and channel-shifting tactics used in real attacks. Generic templates leave users unprepared for the cues attackers rely on.

👉 Read our full editorial: Multilingual phishing detection still fails where language cues matter

