TL;DR: Business email compromise still works because attackers exploit human decision-making, and AI is making those social engineering campaigns more convincing and scalable, according to Abnormal AI. The defensive shift is away from fear-based awareness alone and toward behaviour-aware controls that reduce user exposure and improve detection.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams reduce the risk of business email compromise?
A: They should focus on the business actions BEC is trying to trigger, not only the message itself.
Q: Why do AI-assisted phishing and BEC campaigns succeed more often?
A: They succeed because AI improves scale, targeting, and language quality at the same time.
Practitioner guidance
- Harden payment and account-change verification: require out-of-band validation for wire instructions, beneficiary changes, payroll updates, and bank detail edits so a single compromised conversation cannot complete the fraud path.
- Tune detection around human action sequences: correlate message timing, sender relationships, and the requested business action so suspicious requests are evaluated in context rather than by email content alone.
- Build a reporting culture that rewards pause-and-check behaviour: train users to escalate unusual requests quickly, and make it safe to question authority when a message asks for urgency, secrecy, or a last-minute process exception.
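As an added illustration of the first two guidance points (example code, not Abnormal AI's behavioural model or anything from the webinar), the rule-based triage below classifies the requested business action, checks it against the sender relationship and send time, and holds every sensitive action for out-of-band verification; the contacts, addresses and message are constructed sample data.

```python
# Added example (not Abnormal AI's behavioural model): rule-based BEC triage on constructed data.
from dataclasses import dataclass
from datetime import datetime
import re
# Business actions BEC tries to trigger; each of them requires out-of-band validation.
SENSITIVE_ACTIONS = {
    "bank_detail_change": re.compile(
        r"\b(new|updated?|change[ds]?)\b.{0,20}\b(bank|account|routing|beneficiary)\b", re.I),
    "wire_transfer": re.compile(r"\bwire\b.{0,20}\b(transfer|payment)\b", re.I),
    "payroll_update": re.compile(r"direct deposit|payroll", re.I),
}
URGENCY = re.compile(r"urgent|asap|immediately|before eod|confidential|keep this between", re.I)
@dataclass
class Message:
    sender: str        # From address
    reply_to: str      # Reply-To header; may quietly differ from the sender
    display_name: str
    sent_at: datetime
    body: str
def requested_action(body: str):
    """First sensitive business action the text asks for, or None."""
    return next((n for n, p in SENSITIVE_ACTIONS.items() if p.search(body)), None)

def triage(msg: Message, known_senders: dict) -> dict:
    """known_senders maps lower-cased address -> display name seen in prior traffic."""
    action = requested_action(msg.body)
    if action is None:
        return {"action": None, "verify_out_of_band": False, "escalate": False, "signals": []}
    signals = []
    # Relationship: unknown address, or a known contact's name attached to a different address
    if msg.sender.lower() not in known_senders:
        signals.append("first contact from this address")
        if msg.display_name.lower() in {n.lower() for n in known_senders.values()}:
            signals.append("display name matches a known contact on another address")
    if msg.reply_to.lower() != msg.sender.lower():
        signals.append("reply-to differs from sender")
    # Timing: money-movement requests landing outside business hours (Mon-Fri 08:00-18:00)
    if msg.sent_at.weekday() >= 5 or not 8 <= msg.sent_at.hour < 18:
        signals.append("sent outside business hours")
    if URGENCY.search(msg.body):
        signals.append("urgency or secrecy language")
    # Policy: a sensitive action always needs an out-of-band check; context signals escalate it
    return {"action": action, "verify_out_of_band": True,
            "escalate": len(signals) >= 2, "signals": signals}

# Constructed sample: look-alike domain borrowing a known contact's name, sent on a Sunday night
KNOWN = {"dana.reyes@example.com": "Dana Reyes", "ap@vendor.example": "Vendor AP"}
SUSPECT = Message("dana.reyes@examp1e.com", "dana.reyes@examp1e.com", "Dana Reyes",
                  datetime(2024, 6, 2, 21, 15),
                  "Please update the beneficiary bank details for the Q3 payment today. Urgent.")
```

Running `triage(SUSPECT, KNOWN)` returns the action, the mandatory out-of-band flag and four context signals, which is what a reviewer needs in order to judge the request rather than the wording of the email.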
What to expect at the briefing
Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:
- The on-demand discussion with Mick Leach, Dr. Jessica Barker, and Mike Britton on the human psychology behind BEC
- Behavioural AI use cases for spotting convincing social engineering in real email traffic
- The webinar's framing of empathy-based security culture as a resilience control rather than a messaging exercise
- ISC2 CPE eligibility details for practitioners who want to claim continuing education credit
👉 Watch Abnormal AI's on-demand webinar on the human element of BEC →
BEC and human psychology: what should security teams change?
Explore further
Human psychology remains the primary control surface in BEC. The article is right to frame the problem around behaviour, because BEC succeeds when people override process under social pressure. Email security, MFA, and IAM controls matter, but they do not remove the human decision point that attackers are targeting. The implication is that identity programmes must treat judgement, verification, and exception handling as first-class security controls.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when a BEC attempt turns into a fraudulent transfer?
A: Accountability usually spans finance, security, and the business owner of the process. The practical test is whether the organisation defined verification steps, trained users on exceptions, and enforced a clear stop point before money or access could be moved on trust alone.
👉 Read our full editorial: Human psychology is still the weak link in BEC defence