Email phishing is getting more contextual, but are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Multi-stage QR phishing, thread-spoofed vendor impersonation, and AI-generated payroll fraud are increasingly bypassing legacy email controls by mimicking normal workflows, adding personalization, and exploiting human trust, according to Abnormal AI. The security problem is no longer just malicious content, but context-aware deception that static indicators miss.

NHIMG editorial — based on content published by Abnormal AI: Key Insights on emerging email attack patterns and payroll fraud

By the numbers:

  • Multi-stage QR code phishing attacks leverage a variety of pretexts, and at one point fraudulent multi-factor authentication expiration notices and shared document notifications accounted for nearly 50% of all QR code attacks detected by Abnormal.

Questions worth separating out

Q: How should security teams defend against multi-stage QR code phishing?

A: Security teams should detect the sequence, not just the destination.

Q: Why do email-based vendor payment scams still work in mature organisations?

A: They work because they imitate normal business process, not because they are technically sophisticated.

Q: What do security teams get wrong about AI-generated payroll fraud?

A: They focus on malicious content and miss process abuse.

Practitioner guidance

  • Treat email as a workflow entry point: Map which business processes can be advanced by email alone, including vendor payment changes, payroll updates, and credential verification.
  • Require out-of-band verification for payment changes: Force vendor bank-detail changes, invoice corrections, and W-9 submissions through a separate verification step that does not rely on the original thread.
  • Move HR and payroll updates out of email-only trust paths: Use a separate authenticated workflow for direct deposit changes and employee identity updates.

What's in the full article

Abnormal AI's full report covers the operational detail this post intentionally leaves for the source:

  • Real attack thread examples showing how the QR-code workflow, vendor impersonation, and payroll fraud variants were constructed.
  • The report's breakdown of pretexts, domain lookalikes, and personalization signals that help the attacker appear legitimate.
  • Additional examples of 2025 attacks Abnormal customers received, useful for teams comparing this pattern against their own mail telemetry.
  • The forecasted attack themes for 2026 that help security leaders prioritize detection tuning and user-facing controls.

👉 Read Abnormal AI's outlook on emerging email attack patterns and payroll fraud →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Email has become an identity workflow abuse surface, not just a phishing channel. The article shows attackers exploiting the exact places where identity decisions are made: credential entry, vendor approval, and payroll change handling. That means the security problem is not simply message filtering. It is the misuse of legitimate business processes as trust accelerators, which weakens both human IAM and the operational controls that sit around it.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • 52 NHI breach case studies in The 52 NHI breaches Report show that exposed credentials and over-broad access routinely turn routine workflows into breach paths.

A question worth separating out:

Q: How can organisations reduce the risk of phishing in business workflows?

A: Separate notification from authorization. Email can alert people that something needs attention, but sensitive actions such as bank-detail changes, identity updates, and credential verification should require a different authenticated channel. That keeps trust from being transferred automatically from the message to the transaction.

👉 Read our full editorial: Email threats are bypassing legacy controls through human trust
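The "separate notification from authorization" control above, and the out-of-band verification step in the practitioner guidance of the first post, as an added example (not code from NHIMG or Abnormal AI). The ledger, contact directory, request fields and the sample vendor scenario are all constructed for illustration; the key behaviour is that a contact supplied inside the requesting thread can never be the channel that confirms the change.

```python
"""Out-of-band verification for email-originated payment and payroll changes.
Constructed example, not code from NHIMG or Abnormal AI: an inbound email may
only notify that a vendor bank-detail or direct-deposit change was requested;
the change is applied only after confirmation reaches the contact already on
file, never a contact the requesting thread itself supplied."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ChangeRequest:
    request_id: str
    subject: str           # vendor or employee record the request targets
    new_account: str       # bank details the email asks to switch to
    proposed_contact: str  # "call me here to confirm" contact from the thread

@dataclass
class ChangeLedger:
    contacts_on_file: dict  # subject -> contact known before any request arrived
    pending: dict = field(default_factory=dict)
    applied: dict = field(default_factory=dict)

    def receive(self, req: ChangeRequest) -> str:
        """The email creates a pending item only; it authorises nothing."""
        self.pending[req.request_id] = req
        return "pending"

    def verify(self, request_id: str, via_contact: str, confirmed: bool) -> str:
        """Apply the change only if confirmation came through the contact on file."""
        req = self.pending.get(request_id)
        if req is None:
            return "unknown_request"
        on_file = self.contacts_on_file.get(req.subject)
        # Core check: a contact supplied in the thread is untrusted by default.
        if on_file is None or via_contact != on_file:
            return "rejected_untrusted_channel"
        del self.pending[request_id]
        if not confirmed:
            return "rejected_by_owner"
        self.applied[req.subject] = req.new_account
        return "applied"

def run_demo() -> dict:
    """Constructed scenario: a spoofed vendor thread asks for a bank change."""
    ledger = ChangeLedger({"acme-supplies": "+1-555-0100"})
    req = ChangeRequest("R-1", "acme-supplies", "NEW-ACCT-999", "+1-555-0199")
    ledger.receive(req)
    via_thread = ledger.verify("R-1", req.proposed_contact, True)   # refused
    via_on_file = ledger.verify("R-1", "+1-555-0100", False)         # owner denies
    return {"via_thread": via_thread, "via_on_file": via_on_file,
            "applied": dict(ledger.applied), "pending": list(ledger.pending)}
```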
