
Business email compromise: what IAM teams need to do now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Business email compromise caused $2.8 billion in losses in 2024 and has reached $17.1 billion since 2015, while attack volume rose 54% year over year as generative AI makes fraudulent messages harder to spot, according to Abnormal AI and the FBI IC3 Internet Crime Report. Plain-text, legitimacy-based attacks now expose the limits of email gateways and training alone.

NHIMG editorial — based on content published by Abnormal AI: analysis of business email compromise, AI-generated fraud, and email defence gaps

By the numbers:

Questions worth separating out

Q: How should security teams reduce business email compromise without relying on employee judgment?

A: Security teams should combine identity signals, mailbox telemetry, and approval workflow controls so BEC is detected before a person has to decide whether the email is real.

Q: Why do secure email gateways miss modern business email compromise?

A: Secure email gateways were built to spot malicious links, attachments, and known spam patterns.

Q: What do organisations get wrong about BEC training programs?

A: They treat training as the primary detection layer instead of a backup control.

Practitioner guidance

  • Instrument mailbox and identity signals together: Correlate login anomalies, mailbox rule changes, sender behaviour, and approval workflow deviations so BEC detection is not dependent on message content alone.
  • Add verification gates for high-risk requests: Require out-of-band confirmation for wire transfers, payroll changes, vendor bank updates, and executive payment requests, especially when the communication path is unusual.
  • Model normal business communication patterns: Map who normally talks to whom, how often, and through which channels so anomalous requests can be flagged before employees act on them.

What's in the full article

Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:

  • The CISO-focused breakdown of how plain-text BEC bypasses secure email gateways in Microsoft 365 and Google Workspace.
  • The behavioural AI and relationship-mapping signals the platform uses to flag anomalous requests before inbox delivery.
  • The operational examples for wire fraud, invoice fraud, payroll diversion, and gift-card scams.
  • The business case language and deployment framing for teams deciding whether to move from content filtering to context-aware detection.

👉 Read Abnormal AI's analysis of business email compromise and AI-driven fraud →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Business email compromise is an identity abuse problem before it is an email problem. The decisive failure is not delivery of a malicious payload, but the hijacking of trust relationships inside business workflows. That means the control boundary sits around identity, approval, and context, not just message inspection. Organisations that still treat BEC as a spam variant are defending the wrong layer, and that leaves finance, HR, and executive workflows exposed.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: How can teams decide when to verify a payment request outside email?

A: Teams should verify outside email whenever the request is high value, time pressured, unusual for the sender, or tied to bank details, payroll, or executive authority. The strongest rule is simple: if the request changes money or identity details, it deserves a second channel before execution.

👉 Read our full editorial: Business email compromise is outpacing legacy email defenses
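As an added illustration (not code from either post, nor from Abnormal AI's platform), the following script shows the first post's practitioner guidance and the second post's verification rule working together: sign-in and inbox-rule telemetry are folded into per-user context, the request is checked against a known sender/recipient map, and any request that changes money or identity details is routed to a second channel regardless of how normal the email looks. The baselines, event format, intent labels and sample events are all constructed assumptions.

```python
from collections import defaultdict

# Constructed baselines, standing in for what a detection engine learns from history.
KNOWN_PAIRS = {("cfo@example.com", "ap@example.com")}
KNOWN_COUNTRIES = {"cfo@example.com": {"GB"}}
# Request intents that change money or identity details (assumed to be classified
# by an upstream parser, not implemented here).
SECOND_CHANNEL_INTENTS = {"wire_transfer", "bank_detail_change", "payroll_change"}
RISKY_RULE_ACTIONS = {"forward_external", "delete_incoming"}

# Constructed sample telemetry: sign-in and mailbox-rule events for one user.
EVENTS = [
    {"type": "login", "user": "cfo@example.com", "country": "GB", "result": "success"},
    {"type": "login", "user": "cfo@example.com", "country": "US", "result": "success"},
    {"type": "inbox_rule", "user": "cfo@example.com", "action": "forward_external"},
]

def build_context(events):
    """Fold login and inbox-rule events into per-user identity/mailbox context."""
    ctx = defaultdict(lambda: {"countries": set(), "rules": set()})
    for e in events:
        if e["type"] == "login" and e["result"] == "success":
            ctx[e["user"]]["countries"].add(e["country"])
        elif e["type"] == "inbox_rule":
            ctx[e["user"]]["rules"].add(e["action"])
    return ctx

def assess(msg, ctx):
    """Decide what to do with one request, returning (decision, reasons)."""
    user = msg["sender"]
    reasons = []
    if ctx[user]["countries"] - KNOWN_COUNTRIES.get(user, set()):
        reasons.append("sign-in from a country not seen before for this user")
    if ctx[user]["rules"] & RISKY_RULE_ACTIONS:
        reasons.append("risky inbox rule created on the sender's mailbox")
    if (user, msg["recipient"]) not in KNOWN_PAIRS:
        reasons.append("sender/recipient pair outside normal communication pattern")
    if msg.get("urgent"):
        reasons.append("time pressure in the request")
    if msg["intent"] in SECOND_CHANNEL_INTENTS:
        # The rule from the thread: a request that changes money or identity
        # details gets a second channel even when every other signal looks normal.
        return "verify_out_of_band", reasons
    if len(reasons) >= 2:
        # Message content alone would not flag this; the correlated identity and
        # mailbox signals do.
        return "hold_for_review", reasons
    return "deliver", reasons
```

Call `assess(request, build_context(EVENTS))` with a request dict carrying `sender`, `recipient`, `intent` and an optional `urgent` flag; the reasons list is what an analyst would see alongside the decision.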
