TL;DR: Business Email Compromise caused $2.77 billion in losses in 2024 even as organisations invested heavily in secure email gateways and awareness training, according to Abnormal AI. Static rules and signatures are now too rigid for AI-generated impersonation and account takeover patterns, so behavioural baselines matter more than message filtering.
NHIMG editorial — based on content published by Abnormal AI: ABX: Built for Change in 2025
By the numbers:
- Business Email Compromise caused $2.77 billion in losses in 2024.
Questions worth separating out
Q: How should security teams detect business email compromise without relying on malware?
A: Security teams should use behavioural signals, not just malware indicators.
Q: Why do static email rules fail against AI-powered phishing?
A: Static rules fail because AI can vary tone, wording, timing, and structure faster than human teams can retune filters.
Q: What breaks when email security is separated from identity governance?
A: You miss the path from a suspicious message to a compromised identity and then to fraudulent business action.
Practitioner guidance
- Build behavioural baselines for vendors and finance contacts: model normal invoicing cadence, payment language, and thread history for each trusted counterparty so deviations are visible before payment instructions are changed.
- Correlate mailbox events with identity telemetry: link login geography, device changes, and session anomalies to email activity so account takeover is detected as a sequence, not a single alert.
- Treat malware-free phishing as an identity case: escalate credential phishing campaigns that lack a payload into identity review workflows, because sandboxing cannot inspect intent when no malware is present.
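The first two guidance items above, as an added Python example (not code from Abnormal AI or NHIMG): identity and mailbox events are correlated into a single account-takeover sequence, and vendor mail is checked against a per-counterparty baseline of invoicing cadence and bank details. All names, baseline values and events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline and telemetry (timestamp, actor, event_type, details); none is real data.
VENDOR_BASELINE = {"billing@acme.example": {"interval_days": 30, "iban_suffix": "1234"}}
EVENTS = [
    ("2025-03-01T09:00:00", "cfo@corp.example", "login", {"country": "US", "device": "known"}),
    ("2025-03-01T09:05:00", "cfo@corp.example", "login", {"country": "NG", "device": "new"}),
    ("2025-03-01T09:07:00", "cfo@corp.example", "mail_rule_created", {"name": "hide replies"}),
    ("2025-03-01T09:12:00", "cfo@corp.example", "mail_sent", {"to": "ap@corp.example", "payment": True}),
    ("2025-03-02T10:00:00", "billing@acme.example", "mail_received", {"days_since_last_invoice": 3, "iban_suffix": "9876"}),
]

def takeover_sequences(events, window=timedelta(hours=1)):
    """Actors whose risky login (new device or country change) is followed within `window`
    by a new mail rule and a payment-related outbound mail: one sequence alert, not three."""
    by_actor = defaultdict(list)
    for ts, actor, etype, d in events:
        by_actor[actor].append((datetime.fromisoformat(ts), etype, d))
    flagged = set()
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e[0])
        last_country = None
        for t0, etype, d in evs:
            if etype != "login":
                continue
            risky = d["device"] == "new" or (last_country and d["country"] != last_country)
            last_country = d["country"]
            later = [e for e in evs if t0 < e[0] <= t0 + window]
            has_rule = any(e[1] == "mail_rule_created" for e in later)
            has_payment_mail = any(e[1] == "mail_sent" and e[2].get("payment") for e in later)
            if risky and has_rule and has_payment_mail:
                flagged.add(actor)
    return sorted(flagged)

def vendor_deviations(events, baseline=VENDOR_BASELINE):
    """Vendor mail arriving far off its invoicing cadence or carrying changed bank details."""
    findings = []
    for _, actor, etype, d in events:
        b = baseline.get(actor)
        if etype != "mail_received" or b is None:
            continue
        reasons = []
        if d["days_since_last_invoice"] < b["interval_days"] // 2:
            reasons.append("off-cadence invoice")
        if d["iban_suffix"] != b["iban_suffix"]:
            reasons.append("bank details changed")
        if reasons:
            findings.append((actor, reasons))
    return findings
```

Both functions return findings rather than raising alerts, so they can feed a review queue where the vendor deviation is held for out-of-band verification before any payment change is actioned.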
What's in the full report
Abnormal AI's full report covers the operational detail this post intentionally leaves for the source:
- Signal-by-signal explanation of the Abnormal Behavior Technology model across identity, context, and risk.
- Examples of vendor email compromise, account takeover, and credential phishing detections in cloud email environments.
- How the platform distinguishes malicious payment requests from legitimate but unusual business correspondence.
- Additional detail on how anomalies are evaluated across Microsoft 365, Google Workspace, and connected applications.
👉 Read Abnormal AI's 2025 report on behavioral detection for email compromise →
AI-powered email compromise: are your controls keeping up?
Explore further
Static email defenses are now a governance liability, not just a detection gap. This report reinforces that rules and signatures cannot adapt quickly enough to AI-generated impersonation and mailbox abuse. When attacker language, cadence, and context are produced at scale, the control problem shifts from message screening to identity and behavioural verification. Practitioners should treat legacy email filtering as only one layer in a broader identity security programme.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: How should organisations respond when vendor impersonation targets payment workflows?
A: Organisations should require out-of-band verification for payment changes, new banking details, and account recovery requests. Those workflows need stronger approval logic because trusted email threads are a common abuse path. The practical objective is to stop a fraudulent request before it is converted into a financial transaction.
👉 Read our full editorial: AI-powered email compromise is outpacing static security controls