
Phishing and BEC: what email security teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Email security is increasingly a behavioural problem, with attackers using phishing, business email compromise, and AI-powered tactics to exploit the human element, according to Abnormal AI. That means resilience now depends on combining user education with technology rather than treating awareness as a separate programme.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams reduce the impact of phishing and BEC on human users?

A: Combine user education with technical controls that limit what a mistaken click or reply can do.

Q: Why do AI-powered email attacks create more risk for identity programmes?

A: They reduce the time defenders have to spot and respond to social engineering because attackers can generate many tailored messages quickly.

Practitioner guidance

  • Tie awareness to measurable behaviours: track reporting rates, click-through on simulated lures, and repeat susceptibility by business unit so training is based on observed behaviour, not attendance.
  • Harden mailbox and payment workflows: restrict automatic forwarding, verify changes to payment instructions out of band, and require stronger approval for high-risk requests that arrive by email.
  • Reduce the blast radius of human error: apply step-up authentication, conditional access, and least-privilege mailbox permissions so one compromised inbox cannot quickly become organisation-wide access.

What to expect at the briefing

Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:

  • Speaker discussion of how phishing and BEC tactics are changing with AI-assisted message generation
  • Examples of how organisations combine user education with defensive tooling in day-to-day operations
  • The webinar framing behind the people problem and how the speakers connect behaviour to security outcomes
  • ISC2 CPE eligibility details and access to the on-demand session after form submission

👉 Watch Abnormal AI's webinar on the people problem in email security →





   
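The "restrict automatic forwarding" item in the guidance above, as an added example that is not part of the original post or of Abnormal AI's material: a check that walks an exported list of mailboxes and their inbox rules and flags every mailbox-level forward, rule forward or rule redirect whose target lies outside the organisation's own domains. The export layout, its field names and the internal domain list are assumptions, and the sample export is constructed.

```python
"""Flag mailbox forwarding that sends a copy of mail outside the organisation.

Added example; the export format and field names below are hypothetical and
the sample data is constructed, not taken from any real tenant.
"""
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}  # assumed org domains


@dataclass(frozen=True)
class Finding:
    mailbox: str   # owner of the mailbox that leaks mail
    source: str    # "mailbox" (tenant-level forward) or "rule:<rule name>"
    target: str    # external address receiving the copy


def _domain(address: str) -> str:
    # Everything after the last '@', lower-cased so case differences do not slip through.
    return address.rsplit("@", 1)[-1].strip().lower()


def is_external(address: str) -> bool:
    return _domain(address) not in INTERNAL_DOMAINS


def find_external_forwarding(mailboxes: list[dict]) -> list[Finding]:
    """Return one Finding per external forward/redirect; disabled rules are ignored."""
    findings: list[Finding] = []
    for mbx in mailboxes:
        owner = mbx["mailbox"]
        fwd = mbx.get("forwarding_address")
        if fwd and is_external(fwd):
            findings.append(Finding(owner, "mailbox", fwd))
        for rule in mbx.get("inbox_rules", []):
            if not rule.get("enabled", True):
                continue
            for target in rule.get("forward_to", []) + rule.get("redirect_to", []):
                if is_external(target):
                    findings.append(Finding(owner, f"rule:{rule['name']}", target))
    return findings


# Constructed sample export (hypothetical format, not real data).
SAMPLE_EXPORT = [
    {"mailbox": "ap-clerk@example.com", "forwarding_address": None, "inbox_rules": [
        {"name": "Forward invoices", "enabled": True, "forward_to": ["collector@example.net"]},
        {"name": "Team copy", "enabled": True, "redirect_to": ["AP-Team@Corp.Example.com"]}]},
    {"mailbox": "cfo@example.com", "forwarding_address": "cfo.personal@example.org",
     "inbox_rules": [{"name": "Old", "enabled": False, "forward_to": ["x@example.net"]}]},
    {"mailbox": "hr@example.com", "forwarding_address": None, "inbox_rules": []},
]

if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_EXPORT):
        print(f"{f.mailbox}: {f.source} -> {f.target}")
```

Run against a real export, the list of findings is the set of mailboxes to review against the "verify out of band" and least-privilege items in the same post.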
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Human behaviour is now part of the email attack surface. Phishing and BEC do not simply exploit weak filtering; they exploit how people decide under pressure. That means email security is an identity problem as much as a content problem, because the human user is the control boundary the attacker is trying to bypass. The practitioner conclusion is that human judgment must be treated as a governed security control, not an informal last line of defence.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.

A question worth separating out:

Q: How do email security, IAM, and security awareness fit together in practice?

A: They converge at the point where a person decides whether to trust a message, approve a request, or reveal information. IAM provides identity verification and access control, security awareness shapes decision-making, and email security limits attacker reach. Together they reduce the chance that human trust becomes an entry point.

👉 Read our full editorial: Human behavior now drives the email security problem



   