
AI-powered BEC: what is changing for fraud and IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter

TL;DR: Attackers are using generative AI to create convincing, payload-less business email compromise messages that evade traditional tools by mimicking tone, urgency, and trusted relationships, according to Abnormal AI. The operational lesson is clear: identity and behavioral context now matter as much as link-based detection when fraud arrives without malware.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams defend against AI-generated business email compromise?

A: Security teams should combine identity-aware email controls with independent verification for money movement and account changes.

Q: Why do traditional email security tools miss payload-less BEC attacks?

A: Traditional tools are built to detect malware, links, and known infrastructure.

Practitioner guidance

  • Harden payment and payroll verification paths: Require an out-of-band confirmation step for any high-risk transfer, bank detail change, or payroll update, and make the verifier independent of the requester.
  • Monitor relationship anomalies, not just malicious content: Tune detections to changes in sender-recipient history, message urgency, payment language, and vendor communication patterns.
  • Treat vendor accounts as identity-sensitive trust edges: Review which third-party mailboxes, portals, and delegated workflows can trigger internal action.

What to expect at the briefing

Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:

  • Walkthrough of real AI-assisted BEC attacks involving vendor compromise, payroll fraud, and internal account takeovers.
  • Examples of how behavioural analysis flags unusual tone, urgency, and relationship patterns that static tools miss.
  • Practical detection cues for lookalike domains and payload-less messages in finance and procurement workflows.
  • Context from the on-demand session on where conventional phishing controls break down in AI-shaped fraud.

👉 Watch Abnormal AI's on-demand webinar on AI-powered business email compromise →

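The relationship-anomaly and lookalike-domain signals the practitioner guidance above describes, as an added example that is not part of the original post or of Abnormal AI's tooling: a small Python triage scorer that holds messages for independent verification based on sender-recipient history, payment and urgency language, and vendor-domain similarity rather than on links or attachments. The message layout, the `known_vendors` and `history` inputs, the term lists, the 0.85 similarity threshold and all sample data are assumptions of this example.

```python
"""Relationship-context scoring for payload-less BEC (added example, not from the post).
Assumed: a message is a dict with sender, recipient, subject and body; known_vendors holds
legitimate vendor domains; history holds (sender, recipient) pairs seen before."""
from difflib import SequenceMatcher

PAYMENT_TERMS = ("wire", "invoice", "bank details", "payroll", "direct deposit")
URGENCY_TERMS = ("urgent", "immediately", "today", "asap")


def lookalike_domain(domain, known_vendors, threshold=0.85):
    """Return the vendor domain this one closely imitates; None if exact or unrelated."""
    if domain in known_vendors:
        return None
    for known in known_vendors:
        if SequenceMatcher(None, domain, known).ratio() >= threshold:
            return known
    return None


def score_message(msg, history, known_vendors):
    """Count context signals a link/attachment scanner never sees; return (score, reasons)."""
    reasons = []
    sender_domain = msg["sender"].split("@", 1)[1].lower()
    text = (msg["subject"] + " " + msg["body"]).lower()
    if (msg["sender"], msg["recipient"]) not in history:
        reasons.append("no prior sender-recipient history")
    if any(t in text for t in PAYMENT_TERMS):
        reasons.append("payment or account-change language")
    if any(t in text for t in URGENCY_TERMS):
        reasons.append("urgency language")
    imitated = lookalike_domain(sender_domain, known_vendors)
    if imitated:
        reasons.append(f"{sender_domain} resembles vendor domain {imitated}")
    return len(reasons), reasons


def triage(messages, history, known_vendors, threshold=3):
    """Return (sender, score, reasons) for messages that should be held for verification."""
    scored = [(m["sender"],) + score_message(m, history, known_vendors) for m in messages]
    return [s for s in scored if s[1] >= threshold]


# Constructed sample: a routine vendor invoice and a lookalike-domain bank-detail change.
KNOWN_VENDORS = {"acme-supply.com"}
HISTORY = {("ap@acme-supply.com", "payables@example.com")}
MESSAGES = [
    {"sender": "ap@acme-supply.com", "recipient": "payables@example.com",
     "subject": "Invoice 1043", "body": "This month's invoice is attached. Thanks."},
    {"sender": "ap@acme-suppy.com", "recipient": "payables@example.com",
     "subject": "Urgent: updated bank details",
     "body": "Please send today's wire to our new account immediately."},
]
```

On the sample, `triage(MESSAGES, HISTORY, KNOWN_VENDORS)` holds only the lookalike message (score 4: new sender pair, payment language, urgency, domain resembling acme-supply.com), while the routine invoice scores 1 and passes.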

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472

Business email compromise is becoming an identity problem, not just a mail-filter problem. AI makes it cheaper to mimic tone, imitate urgency, and tailor a message to a target’s environment. That means the security question is increasingly whether an identity relationship looks plausible, not whether a message contains malware. Practitioners should treat BEC as trust abuse across human, vendor, and finance workflows.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Who should own response when AI-assisted fraud targets finance workflows?

A: Ownership should sit across security, IAM, finance, procurement, and legal, because the attack crosses identity, communications, and payment approval boundaries. A single team cannot fully contain the problem. The key is a shared escalation path with clear authority to halt suspicious transactions before completion.

👉 Read our full editorial: AI-powered business email compromise is outpacing traditional defenses
