TL;DR: Business email compromise is only 11% of attack volume but averages $123,005 per incident, according to the FBI IC3, and Abnormal AI’s 2026 Attack Landscape Report shows that internal impersonation and lateral compromise shift sharply as organizations grow. The data shows BEC risk is shaped less by volume than by identity structure and workflow credibility.
NHIMG editorial — based on content published by Abnormal AI: 2026 Attack Landscape Report findings on business email compromise and internal impersonation
By the numbers:
- Business email compromise represents roughly 11% of attacks by volume, but the average BEC incident costs a business $123,005, according to the FBI IC3.
- Employee impersonation is the most common internal impersonation tactic at 45.3%, while generic internal impersonation follows at 36.7%, according to Abnormal AI.
- Lateral BEC accounts for 23.2% of all BEC at large enterprises but only 0.24% at small organisations, according to Abnormal AI.
Questions worth separating out
Q: How should security teams reduce business email compromise in internal workflows?
A: Security teams should focus on the workflows attackers already mirror: payment approvals, credential resets, HR notices, and access requests.
Q: Why does business email compromise look different in large enterprises?
A: Large enterprises have more internal identities, more message volume, and more formal processes, so attackers move away from executive impersonation toward employee impersonation and compromised accounts.
Q: What breaks when a compromised internal mailbox is used for fraud?
A: The normal trust model breaks.
Practitioner guidance
- Map the identities most likely to be impersonated: identify which roles, functions, and named individuals are most credible to each recipient group, then tune verification rules for finance, IT, HR, and executive workflows accordingly.
- Add out-of-band checks to routine approval paths: require a separate confirmation step for payment changes, credential resets, access requests, and vendor payment instructions so a believable inbox message cannot complete the workflow alone.
- Treat mailbox compromise as privileged identity risk: escalate compromised internal accounts into incident response and identity review workflows, because authenticated internal mail can drive fraud faster than external phishing.
What's in the full report
Abnormal AI's full report covers the operational detail this post intentionally leaves for the source:
- The report’s full tactic breakdown across internal impersonation, vendor email compromise, phishing, and workflow-tailored lures.
- Additional segmentation by organisation size, job function, and recipient role for practitioners comparing their own exposure.
- The broader second-half 2025 attack landscape context that places BEC in relation to other email attack patterns.
- The source article’s examples of how specific lures map to finance, IT, HR, and executive communication paths.
Read Abnormal AI's 2026 Attack Landscape Report on BEC and internal impersonation.
BEC and internal impersonation: what changes as orgs scale?
Explore further
Business email compromise is an identity governance failure disguised as messaging fraud. The report shows that attackers do not need a universal playbook when the organisation itself provides the credibility model. They choose the identity that is most believable in context, which means the real control problem is not email volume but who can convincingly speak for whom. For practitioners, BEC belongs in the same governance conversation as access, delegation, and privileged communications.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers, in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most environments still lack a complete picture of non-human identity exposure.
A question worth separating out:
Q: Who should own controls for internal impersonation BEC?
A: Ownership should sit across identity, security operations, and the business functions that approve money, access, or sensitive requests. Finance and IT are especially important because attackers mirror their workflows. If those teams do not define and test escalation paths, the organisation leaves fraud decisions to the inbox.
Read our full editorial: Business email compromise shifts with org size and internal trust.