
Business email compromise in hybrid work: what controls are missing?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Business email compromise remains a high-loss attack pattern, with nearly 20,000 attacks averaging $120,000 each, as attackers exploit urgency, fear, and hybrid work conditions to bypass existing controls, according to Abnormal AI. The governance problem is not awareness, but identity and process design that still leaves human decision-making too exposed.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams reduce business email compromise risk in hybrid work environments?

A: Security teams should remove email as the sole approval path for high-risk actions.

Q: Why do business email compromise attacks keep succeeding even when staff are aware of them?

A: BEC keeps succeeding because awareness does not equal verification.

Practitioner guidance

  • Require out-of-band verification for high-risk requests: use a second trusted channel for payment changes, supplier updates, and urgent transfer requests.
  • Map and harden the business workflows BEC targets: inventory finance, HR, legal, and IT processes where authority can be impersonated.
  • Train staff to slow down under urgency cues: use scenario-based awareness that focuses on executive impersonation, vendor fraud, and emotional pressure.

What to expect at the briefing

Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:

  • Breakdown of the most prevalent BEC variants and the situations in which each one tends to succeed
  • Discussion of how hybrid work conditions change the attacker’s window of opportunity across email and collaboration tools
  • Practical examples of where existing security controls fail to stop a convincing fraud request
  • Guidance from the webinar speakers on how organisations can adjust controls and response habits

👉 Watch Abnormal AI's webinar on the future of business email compromise →

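As an added illustration (not code from the post or from Abnormal AI) of what "remove email as the sole approval path" and "use a second trusted channel" look like as an enforceable rule rather than a reminder: a small Python approval gate for high-risk finance requests. The vendor master record, user names, channel list and the three sample requests are constructed for the example and are assumptions, not anything the page describes. The gate approves only when a verification exists on a channel other than the one the request arrived on, the contact reached comes from the system of record rather than from the message, and the verifier is not the person who entered the request. The first scenario shows the classic failure the post alludes to: the analyst does call back, but to the number the attacker supplied.

```python
"""Approval gate for high-risk finance requests that never treats the
originating email as sufficient evidence.

Added example; not code from the forum post or from Abnormal AI. Vendor
record, users, channels and sample requests below are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Channel(Enum):
    EMAIL = "email"
    PHONE = "phone"            # voice call
    VENDOR_PORTAL = "portal"   # authenticated supplier portal
    IN_PERSON = "in_person"


@dataclass(frozen=True)
class Verification:
    channel: Channel
    contact_used: str          # number / account the verifier actually reached
    verified_by: str           # internal user who performed the check


@dataclass
class Request:
    request_id: str
    kind: str                  # e.g. "bank_detail_change", "urgent_transfer"
    vendor_id: str
    requested_by: str          # internal user who entered the request
    origin: Channel            # channel the request arrived on
    claimed_callback: Optional[str] = None   # contact offered *in the message*
    verifications: List[Verification] = field(default_factory=list)


# Constructed system-of-record contacts. Verification must use these;
# anything quoted in the inbound message is untrusted by definition.
VENDOR_MASTER = {
    "V-1001": {"phone": "+44 20 7946 0001", "portal_account": "acme-supplies"},
}

HIGH_RISK_KINDS = {"bank_detail_change", "urgent_transfer", "payroll_redirect"}


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Each failed control adds a reason so the
    reviewer can see which one the request did not satisfy."""
    if req.kind not in HIGH_RISK_KINDS:
        return True, ["not a high-risk action; normal workflow applies"]

    record = VENDOR_MASTER.get(req.vendor_id)
    if record is None:
        return False, ["vendor not in master record"]

    trusted_contacts = {record["phone"], record["portal_account"]}
    good = [
        v for v in req.verifications
        if v.channel is not req.origin               # out-of-band
        and v.channel is not Channel.EMAIL           # email never verifies email
        and v.contact_used in trusted_contacts       # contact from system of record
        and v.verified_by != req.requested_by        # two-person rule
    ]
    if good:
        return True, []

    reasons = ["no valid out-of-band verification"]
    if req.claimed_callback and any(
        v.contact_used == req.claimed_callback for v in req.verifications
    ):
        reasons.append("verification used contact supplied in the request itself")
    if any(v.verified_by == req.requested_by for v in req.verifications):
        reasons.append("requester verified their own request")
    return False, reasons


def scenario_attacker_callback() -> Tuple[bool, List[str]]:
    """Urgent email asks to change ACME's bank details and helpfully includes a
    'new' phone number. bob calls that number. Must be blocked."""
    req = Request("R-1", "bank_detail_change", "V-1001", "alice",
                  Channel.EMAIL, claimed_callback="+44 7700 900123")
    req.verifications.append(
        Verification(Channel.PHONE, "+44 7700 900123", verified_by="bob"))
    return evaluate(req)


def scenario_master_record_callback() -> Tuple[bool, List[str]]:
    """Same request, but bob calls the number held in the vendor master record."""
    req = Request("R-2", "bank_detail_change", "V-1001", "alice",
                  Channel.EMAIL, claimed_callback="+44 7700 900123")
    req.verifications.append(
        Verification(Channel.PHONE, "+44 20 7946 0001", verified_by="bob"))
    return evaluate(req)


def scenario_self_verified() -> Tuple[bool, List[str]]:
    """alice 'verifies' her own transfer via the portal: fails the two-person rule."""
    req = Request("R-3", "urgent_transfer", "V-1001", "alice", Channel.EMAIL)
    req.verifications.append(
        Verification(Channel.VENDOR_PORTAL, "acme-supplies", verified_by="alice"))
    return evaluate(req)


if __name__ == "__main__":
    for fn in (scenario_attacker_callback, scenario_master_record_callback,
               scenario_self_verified):
        ok, why = fn()
        print(f"{fn.__name__}: {'APPROVED' if ok else 'BLOCKED'} {why}")
```

The point of the `contact_used in trusted_contacts` check is that "call the vendor" is not a control on its own; calling the number printed in the suspicious email is exactly the path the attacker prepared. The two-person check matters for the same reason the post gives: a convincing message aimed at one person should never be able to complete the action through that one person.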
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

BEC is a human identity governance failure before it is an email security problem. The attacker is not defeating cryptography or infrastructure first. They are defeating trust, authority, and exception handling in ordinary business workflows. That means the programme gap sits in identity assurance for high-risk decisions, especially where approvals and payments are handled remotely.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.

A question worth separating out:

Q: Who should own BEC controls in an organisation?

A: BEC controls should be owned jointly by security, finance, IAM, and business process leaders. The attack crosses technical and operational boundaries, so accountability has to cover both message security and the approval workflow itself. If only one team owns it, attackers will keep using the gap between teams.

👉 Read our full editorial: Hybrid work is widening the business email compromise gap