TL;DR: Attackers now use lookalike domains, generative AI, and phishing-as-a-service to fabricate multi-party email threads for trust-based fraud, including RFQ scams and payment diversion schemes that can bypass legacy secure email gateways, according to Abnormal AI. The deeper issue is that relationship-based deception now scales faster than human verification workflows can reliably catch.
NHIMG editorial — based on content published by Abnormal AI: key insights on multi-party email scams, RFQ fraud, and AI-powered detection
Questions worth separating out
Q: How should security teams verify payment requests that arrive through multi-party email threads?
A: Security teams should verify the transaction outside the email thread, using known contact paths, registered counterparty details, and pre-agreed payment instructions.
Q: Why do multi-party scams bypass traditional email security controls?
A: They bypass traditional controls because the message content is often clean, professional, and contextually plausible.
Q: How can organisations measure whether their fraud controls are catching relationship-based attacks?
A: Measure how often suspicious requests are flagged before any payment, shipment, or account change occurs, and whether those flags were based on identity, domain, or conversation anomalies.
Practitioner guidance
- Require transaction provenance checks before payment release: Confirm that the sender domain, counterpart identity, and request path all match known records before releasing funds or changing banking details.
- Add relationship baselines to fraud monitoring: Track first-time correspondents, unexpected domain registrations, new email applications, and unusual thread structures as fraud indicators across finance and operations.
- Train frontline teams on missing-details manipulation: Teach staff not to supply process fragments such as payment instruction formats, approval language, or workflow wording to unverified contacts.
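The first two checks above can be sketched as a pre-release gate. This is an added example, not Abnormal AI's detection logic or code from the source article. The vendor record layout, the function names, the sample addresses and the 0.85 similarity threshold are all assumptions made for illustration.

```python
from difflib import SequenceMatcher

# Constructed vendor master record and sender history (assumed data model).
KNOWN_VENDORS = {"acme-supplies.com": {"iban": "GB00TEST0000000000001"}}
SEEN_SENDERS = {"orders@acme-supplies.com", "ap@acme-supplies.com"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def lookalike_of(domain, threshold=0.85):
    """Return the known domain this one closely resembles, else None."""
    if domain in KNOWN_VENDORS:
        return None  # exact match is not a lookalike
    for known in KNOWN_VENDORS:
        if SequenceMatcher(None, domain, known).ratio() >= threshold:
            return known
    return None

def check_thread(thread):
    """thread: {'participants': [external addresses], 'requested_iban': str or None}"""
    findings = []
    for addr in thread["participants"]:
        dom = domain_of(addr)
        imitated = lookalike_of(dom)
        if imitated:
            findings.append(("lookalike_domain", addr, imitated))
        elif dom not in KNOWN_VENDORS:
            findings.append(("unknown_domain", addr, None))
        if addr.lower() not in SEEN_SENDERS:
            findings.append(("first_time_correspondent", addr, None))
    iban = thread.get("requested_iban")
    on_file = {v["iban"] for v in KNOWN_VENDORS.values()}
    if iban and iban not in on_file:
        findings.append(("payment_details_not_on_file", iban, None))
    # Any finding holds the payment until verified through a known contact path.
    return {"hold_payment": bool(findings), "findings": findings}

# Constructed threads: one matching records, one with a fabricated "legal" party.
LEGIT_THREAD = {"participants": ["orders@acme-supplies.com", "ap@acme-supplies.com"],
                "requested_iban": "GB00TEST0000000000001"}
FRAUD_THREAD = {"participants": ["orders@acme-supplies.com", "legal@acrne-supplies.com"],
                "requested_iban": "GB00TEST0000000000099"}

if __name__ == "__main__":
    print(check_thread(FRAUD_THREAD))
```

A hold from this gate is a trigger for the out-of-band verification described in the Q&A above, not a verdict on its own.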
What's in the full article
Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:
- The full RFQ fraud walkthrough with transaction-specific indicators that helped expose the scam before shipment.
- Conversation-by-conversation breakdown of how the fake legal and finance identities were stitched together.
- The platform’s detection logic for domain age, sender novelty, and abnormal thread structure.
- Examples of the exact behavioural signals used to flag payment diversion attempts in real time.
Multi-party email scams: what IAM and security teams are missing?
Explore further
Multi-party fraud is an identity problem disguised as email abuse. The article shows that attackers are no longer relying on one spoofed sender or one malicious link. They are constructing believable business relationships across multiple fake identities, which means the control failure sits in trust validation, not just message inspection. The practitioner implication is that relationship provenance must be treated as part of identity governance.
A few things that frame the scale:
- From our research: 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the same report.
A question worth separating out:
Q: Who should own response when an email thread appears to be a fabricated business relationship?
A: Ownership should sit with finance, operations, and security together, because the risk is both fraudulent communication and fraudulent transaction authority. Security should investigate identity and domain provenance, while the business owner should stop the transaction until the counterpart can be verified through an independent channel.