
Business email compromise in 2025: are email controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Business email compromise caused over $3 billion in reported losses in 2025, and attackers increasingly rely on executive impersonation, vendor spoofing, and conversation hijacking rather than malware, according to the FBI and Abnormal AI. Legacy secure email gateways are being outmaneuvered by identity-driven attacks that require behavioral context, not just payload scanning.

NHIMG editorial — here’s why we think this discussion matters

By the numbers:

Questions worth separating out

Q: How should organisations defend against business email compromise when attackers use real conversations?

A: Organisations should combine technical detection with process controls that break the attacker’s ability to turn trust into action.

Q: Why do secure email gateways miss many BEC attacks?

A: Secure email gateways are strongest against known bad content, not socially engineered requests that use clean infrastructure and trusted language.

Practitioner guidance

  • Map high-trust communication paths: Identify the inboxes and workflows where a single convincing email can trigger payment, credential reset, or vendor-bank-change action.
  • Add relationship-aware detection to mail controls: Use behavioural signals such as thread history, sender-recipient patterns, request timing, and language shifts to supplement secure email gateway checks.
  • Require out-of-band verification for payment changes: Mandate a separate approval channel for banking detail changes, urgent transfers, and new beneficiary requests.

What to expect at the briefing

Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:

  • A breakdown of why legacy secure email gateways fail against identity-driven impersonation patterns.
  • Examples of the behavioural baselines used to distinguish normal from suspicious communication.
  • The webinar's guidance on how AI can help detect BEC without relying on malware signatures.
  • ISC2 CPE eligibility and the full credit-claim process for attendees.

👉 Watch Abnormal AI's webinar on why legacy email controls miss AI-powered BEC →

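The three guidance items in the post above (map the high-trust inboxes, add relationship-aware signals on top of gateway checks, and force out-of-band verification for bank-detail changes), as one added worked example. This is not code from the original post, from Abnormal AI, or from the FBI report; every address, domain, message, timestamp, phone number, and threshold in it is constructed, and the signal names and the two-approver rule are assumptions chosen for illustration.

```python
"""Added example (not from the original post, Abnormal AI, or the FBI): relationship-aware
scoring of inbound mail against a sender/recipient baseline, plus an out-of-band gate that
must pass before a bank-detail change is acted on. All data below is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    reply_to: str
    recipient: str
    sent_at: datetime
    subject: str
    body: str
    in_reply_to: str = ""  # msg_id this message replies to, if any


TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}  # our domain and a known vendor (constructed)
HIGH_TRUST_MAILBOXES = {"ap@example.com"}               # inbox whose mail can trigger a payment
VENDOR_MASTER = {"acme-supplies.com": "+1-555-0100"}    # callback number on record, never from email

# Constructed 90-day history between the vendor and the AP inbox: the behavioural baseline.
HISTORY = [
    Message("h1", "billing@acme-supplies.com", "billing@acme-supplies.com", "ap@example.com",
            datetime(2025, 3, 3, 10, 15), "Invoice 4471", "Attached is invoice 4471."),
    Message("h2", "ap@example.com", "ap@example.com", "billing@acme-supplies.com",
            datetime(2025, 3, 3, 14, 2), "Re: Invoice 4471", "Received, scheduled for net-30.", "h1"),
    Message("h3", "billing@acme-supplies.com", "billing@acme-supplies.com", "ap@example.com",
            datetime(2025, 4, 1, 9, 40), "Invoice 4502", "Attached is invoice 4502."),
]
ACTION_RE = re.compile(r"\b(bank|account|routing|wire|beneficiary|remit)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|asap|today|immediately)\b", re.I)


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(dom: str):
    """Trusted domain that `dom` imitates (distance 1), or None if exact or unrelated."""
    if dom in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if edit_distance(dom, t) == 1), None)


def build_baseline(history):
    """Who talks to whom, at which hours, and who took part in each thread."""
    pairs, hours, threads = set(), defaultdict(set), defaultdict(set)
    for m in history:
        pairs.add((m.sender.lower(), m.recipient.lower()))
        hours[m.sender.lower()].add(m.sent_at.hour)
        threads[m.msg_id].update({m.sender.lower(), m.recipient.lower()})
    return pairs, hours, threads


BASELINE = build_baseline(HISTORY)


def score(msg: Message, baseline=BASELINE) -> list[str]:
    """Relationship and content signals that a payload scanner never sees."""
    pairs, hours, threads = baseline
    sender = msg.sender.lower()
    signals = []
    if (sender, msg.recipient.lower()) not in pairs:
        signals.append("new_sender_recipient_pair")
    if (imitated := lookalike_of(domain(sender))):
        signals.append(f"lookalike_domain:{imitated}")
    if domain(msg.reply_to) != domain(sender):
        signals.append("reply_to_domain_mismatch")
    if msg.in_reply_to and sender not in threads.get(msg.in_reply_to, set()):
        signals.append("thread_joined_by_unseen_address")  # conversation hijack from a new address
    if sender in hours and msg.sent_at.hour not in hours[sender]:
        signals.append("off_baseline_hours")               # known account, unusual time (takeover?)
    text = f"{msg.subject} {msg.body}"
    if ACTION_RE.search(text):
        signals.append("payment_change_request")
    if URGENCY_RE.search(text):
        signals.append("urgency_language")
    return signals


def disposition(msg: Message, signals: list[str]) -> str:
    """Process control: ANY payment-change request into a high-trust inbox is held for
    out-of-band verification, even when the sender is clean and well known."""
    if "payment_change_request" in signals and msg.recipient.lower() in HIGH_TRUST_MAILBOXES:
        return "hold_for_oob_verification"
    return "quarantine" if len(signals) >= 3 else "deliver"


def oob_verification_passes(vendor_domain: str, number_called: str, approvers) -> bool:
    """Release a bank-detail change only if the callback went to the number on the vendor
    master record (never one quoted in the email) and two distinct people approved."""
    on_record = VENDOR_MASTER.get(vendor_domain)
    return on_record is not None and number_called == on_record and len(set(approvers)) >= 2


# Constructed inbound messages: routine invoice, lookalike-domain thread hijack, compromised account.
BENIGN = Message("m1", "billing@acme-supplies.com", "billing@acme-supplies.com", "ap@example.com",
                 datetime(2025, 4, 15, 10, 5), "Invoice 4533", "Attached is invoice 4533.")
LOOKALIKE = Message("m2", "billing@acme-supp1ies.com", "billing@acme-supp1ies.com", "ap@example.com",
                    datetime(2025, 4, 15, 2, 11), "Re: Invoice 4502",
                    "Urgent: our bank account changed, please remit invoice 4502 to the new account "
                    "today. Call +1-555-0199 to confirm.", "h3")
TAKEOVER = Message("m3", "billing@acme-supplies.com", "billing@mail-example.net", "ap@example.com",
                   datetime(2025, 4, 16, 2, 40), "Re: Invoice 4502",
                   "Our remit-to account changed; please wire invoice 4502 to the new account.", "h3")

if __name__ == "__main__":
    for m in (BENIGN, LOOKALIKE, TAKEOVER):
        s = score(m)
        print(m.msg_id, disposition(m, s), s)
    # The number quoted in the lookalike email must never be the one called; the record number is.
    print(oob_verification_passes("acme-supplies.com", "+1-555-0199", ["alice"]))         # False
    print(oob_verification_passes("acme-supplies.com", "+1-555-0100", ["alice", "bob"]))  # True
```

Two design points worth noting. The lookalike and the account-takeover messages are caught by different signals (new pair plus imitated domain plus joining a thread from an unseen address, versus reply-to mismatch plus off-baseline hours on a known account), which is why the baseline has to carry thread participants and timing and not just a sender allowlist. And `disposition` holds every payment-change request into the AP inbox regardless of score, so a perfectly clean message from the real vendor still cannot change bank details without the callback to the number on record: the process control, not the detector, is what stops trust turning into a transaction.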
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Business email compromise is now an identity abuse problem, not an email hygiene problem. The article is correct that legacy secure email gateways were built for payload-based threats, while modern BEC succeeds by exploiting trust relationships and communication context. That shift matters because the control failure is not just detection coverage, but the assumption that legitimacy can be inferred from message characteristics alone. Practitioners should treat trusted email exchange as an identity surface, not a transport channel.

A few things that frame the scale:

  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.

A question worth separating out:

Q: Who should own business email compromise defence in the enterprise?

A: BEC defence should be shared across email security, IAM, fraud, and finance operations. Email controls catch part of the problem, but identity and approval governance determine whether a fraudulent request becomes a real transaction. High-risk workflows need coordinated ownership, not isolated tooling.

👉 Read our full editorial: AI-powered business email compromise is outpacing legacy email controls



   
ReplyQuote
Share: