
AI-generated phishing and BEC in public agencies: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: AI-generated phishing, business email compromise, and other social engineering tactics are increasing in scale and realism across state and local agencies, according to Abnormal AI. Email remains the primary entry point, and behavioural detection is becoming more important because static defences cannot keep pace with rapidly adapting attack content.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should organisations reduce business email compromise risk when attackers use generative AI?

A: Organisations should stop relying on message quality as the main trust signal.

Q: Why do AI-generated phishing campaigns increase risk for public-sector agencies?

A: They reduce the visual and linguistic clues that users and filters once depended on, while fitting the language of agency work more convincingly.

Practitioner guidance

  • Tighten verification for email-originated requests: require out-of-band confirmation for payment instructions, credential resets, bank detail changes, and procurement approvals that arrive by email.
  • Correlate mail and identity telemetry: feed mailbox activity, login behaviour, and downstream workflow events into the same detection pipeline so suspicious email can be evaluated by what the recipient account does next.
  • Tune detections for AI-written pretexts: refresh detection logic and phishing simulations to account for fluent, context-rich language with fewer grammar errors and more convincing executive tone.

What to expect at the briefing

Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:

  • Real-world examples of AI-generated email attacks against public-sector targets and the patterns they used.
  • A behavioural detection walkthrough showing how anomalies are identified before users act on a deceptive message.
  • Discussion of which threats are increasing in volume and complexity, useful for teams tuning detection priorities.
  • ISC2 CPE eligibility and the form-based access flow for practitioners who need continuing-education credit.

👉 Watch Abnormal AI's on-demand webinar on AI-driven email attacks and behavioural defence →
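The correlation the practitioner guidance above describes, written out as an added example (not code from this post or from Abnormal AI): a short Python pass over mail, identity, verification and workflow events that flags a sensitive email request the recipient acted on with no out-of-band verification logged in between. The event shapes, field names, the four-hour window and the sample telemetry are all assumptions constructed for the example.

```python
"""Correlate mail, identity and workflow telemetry so an email-originated
sensitive request is judged by what the recipient account does next.
Event shapes, field names and the sample events are constructed for this example."""
from datetime import datetime, timedelta

# Request types the guidance says must be confirmed outside the inbox.
SENSITIVE_REQUESTS = {"payment_instruction", "bank_detail_change",
                      "credential_reset", "procurement_approval"}
WINDOW = timedelta(hours=4)  # how long after the email the recipient is watched

def correlate(events):
    """One finding per sensitive-request email whose recipient performed the
    matching workflow action inside WINDOW with no out-of-band verification
    logged in between; identity anomalies seen in the window are attached."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, mail in enumerate(events):
        if mail["source"] != "mail" or mail.get("request") not in SENSITIVE_REQUESTS:
            continue
        deadline = datetime.fromisoformat(mail["ts"]) + WINDOW
        verified, signals = False, []
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) > deadline:
                break
            if later.get("user") != mail["recipient"]:
                continue
            if later["source"] == "verification" and later.get("request") == mail["request"]:
                verified = True  # phone callback / ticket confirmed the request
            elif later["source"] == "identity" and later.get("anomaly"):
                signals.append(later["anomaly"])
            elif later["source"] == "workflow" and later.get("action") == mail["request"]:
                if not verified:
                    findings.append({"msg_id": mail["msg_id"], "user": mail["recipient"],
                                     "action": later["action"], "identity_signals": signals})
                break  # the request was acted on; stop watching this email
    return findings

# Constructed sample telemetry: two bank-detail-change emails to the same clerk;
# only the second was confirmed by phone before the vendor record was changed.
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T09:02:00", "source": "mail", "msg_id": "m-101", "recipient": "ap.clerk", "request": "bank_detail_change"},
    {"ts": "2024-05-02T09:10:00", "source": "identity", "user": "ap.clerk", "action": "login", "anomaly": "new_device"},
    {"ts": "2024-05-02T09:25:00", "source": "workflow", "user": "ap.clerk", "action": "bank_detail_change"},
    {"ts": "2024-05-02T13:00:00", "source": "mail", "msg_id": "m-102", "recipient": "ap.clerk", "request": "bank_detail_change"},
    {"ts": "2024-05-02T13:30:00", "source": "verification", "user": "ap.clerk", "request": "bank_detail_change", "channel": "phone_callback"},
    {"ts": "2024-05-02T14:05:00", "source": "workflow", "user": "ap.clerk", "action": "bank_detail_change"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields one finding for m-101, carrying the new-device login as a supporting identity signal; m-102 produces nothing because the callback was logged before the record changed.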

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

AI-assisted email fraud is a human identity problem first, not an email filter problem. The article centres on phishing, BEC, and social engineering, all of which succeed by manipulating human trust and workflow dependence. That means the control gap is not only message detection but also how organisations authenticate intent when a request arrives by email. Practitioners should treat mailbox compromise and impersonation as identity events, not just messaging events.

A few things that frame the scale:

  • 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to SailPoint.

A question worth separating out:

Q: Who should be accountable for stopping AI-driven email fraud in agencies?

A: Email security, IAM, fraud, and business process owners all share accountability because the attack crosses technical and organisational boundaries. The decisive control is whether sensitive actions require identity verification outside the inbox, not whether one team owns the entire problem.

👉 Read our full editorial: Generative AI is reshaping email attacks against public agencies
