TL;DR: Cybercrime losses exceeded $10 billion in 2022, with investment fraud leading and business email compromise close behind, while AI is expected to push losses higher in the short term, according to Abnormal AI’s webinar briefing and Secret Service predictions. The signal for identity teams is that email compromise is now an identity and trust problem, not just a messaging problem.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- Cybercrime losses reached more than $10 billion in 2022.
Questions worth separating out
Q: How should security teams reduce the risk of business email compromise?
A: Security teams should reduce BEC risk by tightening the business processes that email can trigger.
Q: Why does AI make fraud and BEC harder to stop?
A: AI makes fraud harder to stop because it improves message quality, scales personalisation, and reduces the obvious errors that once exposed scams.
Practitioner guidance
- Harden email-to-payment approval paths: Require out-of-band confirmation for new vendor banking details, urgent transfers, and exception approvals that originate in email threads.
- Correlate identity and transaction signals: Join mailbox telemetry, sign-in context, and payment workflow logs so suspicious requests can be assessed in the same investigation path.
- Review account recovery and help-desk controls: Block recovery flows that accept email-only trust signals and add stronger verification for sensitive account changes.
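As an added example (not code from the NHIMG editorial or the Abnormal AI webinar), here is the correlation step from the guidance above in Python: each sensitive payment request is joined to the requester's mailbox and sign-in telemetry from the preceding 72 hours, and the request is held when an unconfirmed email-originated change coincides with an identity anomaly. All telemetry, identities, field names and thresholds are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry: one mailbox audit source, one sign-in source and
# one payment workflow, all keyed by the requester's identity.
MAILBOX_EVENTS = [
    {"user": "ap.clerk@example.com", "ts": "2024-03-04T08:10:00",
     "event": "InboxRuleCreated", "forward_external": True},
]
SIGNIN_EVENTS = [
    {"user": "ap.clerk@example.com", "ts": "2024-03-04T07:55:00",
     "new_device": True, "country": "XX"},
    {"user": "ap.clerk@example.com", "ts": "2024-03-01T09:00:00",
     "new_device": False, "country": "GB"},
]
PAYMENT_REQUESTS = [
    {"id": "PR-1", "requested_by": "ap.clerk@example.com", "ts": "2024-03-05T10:30:00",
     "type": "vendor_bank_change", "origin": "email_thread", "out_of_band_confirmed": False},
    {"id": "PR-2", "requested_by": "ap.clerk@example.com", "ts": "2024-02-20T10:30:00",
     "type": "vendor_bank_change", "origin": "email_thread", "out_of_band_confirmed": True},
]
# Request types that must never be approved on the strength of an email alone.
SENSITIVE = {"vendor_bank_change", "urgent_transfer", "exception_approval"}

def _within(events, user, before, hours):
    """Events for `user` that fall in the `hours` before the request time `before`."""
    start = before - timedelta(hours=hours)
    return [e for e in events if e["user"] == user
            and start <= datetime.fromisoformat(e["ts"]) <= before]

def assess_request(req, mailbox_events, signin_events, window_hours=72):
    """Join the three sources for one request; return (decision, reasons)."""
    reasons = []
    if req["type"] not in SENSITIVE:
        return "approve", reasons
    when, user = datetime.fromisoformat(req["ts"]), req["requested_by"]
    if req["origin"] == "email_thread" and not req["out_of_band_confirmed"]:
        reasons.append("sensitive change originated in email with no out-of-band confirmation")
    for e in _within(mailbox_events, user, when, window_hours):
        if e["event"] == "InboxRuleCreated" and e["forward_external"]:
            reasons.append(f"requester mailbox gained an external forwarding rule at {e['ts']}")
    for e in _within(signin_events, user, when, window_hours):
        if e["new_device"]:
            reasons.append(f"requester signed in from a new device ({e['country']}) at {e['ts']}")
    # An identity anomaly on top of an unconfirmed email-originated request escalates to a hold.
    decision = "hold" if len(reasons) >= 2 else ("verify" if reasons else "approve")
    return decision, reasons

def assess_all(requests=PAYMENT_REQUESTS, mailbox=MAILBOX_EVENTS, signins=SIGNIN_EVENTS):
    """Assess every request; PR-1 is held with three reasons, PR-2 is approved."""
    return {r["id"]: assess_request(r, mailbox, signins) for r in requests}
```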
What to expect at the briefing
Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:
- The Secret Service predictions for FBI 2023 cybercrime numbers and how they compare with 2022 losses.
- A closer look at how BEC has become more sophisticated in recent years, including the fraud behaviours behind it.
- Why investment fraud is driving loss totals and how that changes the threat model for practitioners.
- The on-demand webinar format and ISC2 CPE eligibility for teams that need training credit context.
👉 Read Abnormal AI's webinar on cybercrime losses, BEC, and AI-driven fraud →
Cybercrime losses and BEC: what identity teams should watch
Explore further
BEC is now an identity assurance failure, not just an email threat. The important shift is that the attacker wins after authentication, by steering a trusted human into taking the wrong action. That places the problem squarely inside human identity governance, privileged workflow control, and account recovery design. Practitioners should treat inbox trust as part of the identity plane, not a separate communications issue.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who should own BEC risk across IAM and finance?
A: BEC risk should be owned jointly by IAM, security operations, and finance because the attack chain crosses all three. IAM controls trust, security detects anomalies, and finance controls the final transfer or exception. Shared ownership is the only realistic way to close the handoff gaps.
👉 Read our full editorial: Cybercrime losses, BEC, and AI: why fraud losses keep climbing