Phishing, account takeover, and vendor compromise: what teams need


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: IBM’s Cost of a Data Breach Report 2025 says phishing again leads breach entry at 16% of incidents, with average costs of $4.8 million and 254 days to detect and contain, while generative AI cuts phishing email creation from 16 hours to 5 minutes according to Abnormal AI. The lesson is that behaviour-driven detection and faster containment now matter more than static email filtering alone.

NHIMG editorial — based on content published by Abnormal AI: IBM Cost of a Data Breach Report 2025 analysis

By the numbers:

Questions worth separating out

Q: How should security teams reduce phishing risk without relying only on awareness training?

A: They should combine user training with behavioural detection, vendor verification, and tighter controls on high-risk identity actions.

Q: Why do phishing and account takeover keep driving expensive breaches?

A: Because attackers use trusted identities to bypass suspicion and then abuse the resulting access for financial fraud, data theft, or persistence.

Q: How can organisations tell whether their phishing controls are actually working?

A: Look at containment speed, identity revocation speed, and whether suspicious messages are being linked to downstream workflow abuse.

Practitioner guidance

  • Correlate mailbox behaviour with identity context: Flag unusual sender patterns, travel context, payment changes, and relationship drift together so suspicious requests can be reviewed before approval or forwarding becomes a breach path.
  • Tighten controls around vendor-facing workflows: Require step-up checks for payment changes, bank detail updates, and vendor contact changes, especially where a trusted mailbox could be used to impersonate a supplier.
  • Measure identity misuse containment speed: Track time from first suspicious message to mailbox lockdown, token revocation, and vendor verification so response latency becomes a managed risk indicator.

What's in the full article

Abnormal AI’s full analysis covers the operational detail this post intentionally leaves for the source:

  • The IBM metric breakdown by breach type, including cost and containment comparisons across phishing, vendor compromise, and account takeover.
  • The behavioural detection logic Abnormal AI uses to distinguish normal from suspicious email patterns in cloud environments.
  • The specific implications of generative AI for personalised phishing volume, response automation, and defender workflow design.
  • The vendor’s interpretation of how email behaviour analysis fits into broader security lifecycle operations.

👉 Read Abnormal AI’s analysis of IBM’s 2025 breach findings on AI-driven phishing →

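An added illustration (not code from the NHIMG post or from Abnormal AI) of the three practitioner guidance points above: correlating a vendor-facing request with identity context, holding it for step-up verification when signals coincide, and measuring containment latency against response targets. All request fields, domains, timestamps and targets below are constructed for the example.

```python
from datetime import datetime
# Vendor-facing actions that should never be approved on email trust alone.
HIGH_RISK_ACTIONS = {"bank_detail_update", "payment_change", "vendor_contact_change"}

# Constructed: a bank-detail change request in an AP mailbox, enriched with identity context.
REQUEST = {
    "action": "bank_detail_update",
    "sender_domain": "supplier.example",           # hypothetical vendor domain
    "reply_to_domain": "supplier-billing.example", # reply-to diverted off-domain
    "prior_threads": 42,                           # long-standing relationship ...
    "threads_last_90d": 0,                         # ... that had gone quiet
    "recipient_impossible_travel": True,           # identity signal on the recipient
}

def score_request(req: dict) -> tuple[int, list[str]]:
    """Correlate mailbox signals with identity context; return (score, reasons)."""
    reasons = []
    if req["action"] in HIGH_RISK_ACTIONS:
        reasons.append("high-risk vendor-facing action")
    if req["reply_to_domain"] != req["sender_domain"]:
        reasons.append("unusual sender pattern: reply-to leaves the vendor domain")
    if req["prior_threads"] >= 10 and req["threads_last_90d"] == 0:
        reasons.append("relationship drift: dormant vendor contact suddenly active")
    if req["recipient_impossible_travel"]:
        reasons.append("travel context: recipient identity flagged for impossible travel")
    return len(reasons), reasons

def requires_step_up(req: dict, threshold: int = 2) -> bool:
    """Hold the request for out-of-band verification when enough signals coincide."""
    return score_request(req)[0] >= threshold

# Constructed incident timeline: (ISO timestamp, containment milestone).
INCIDENT = [
    ("2025-03-03T09:02:00", "suspicious_message"),
    ("2025-03-03T09:47:00", "mailbox_lockdown"),
    ("2025-03-03T10:15:00", "token_revocation"),
    ("2025-03-03T13:30:00", "vendor_verification"),
]
# Constructed response-time targets in minutes; tune to your own risk appetite.
TARGETS = {"mailbox_lockdown": 30, "token_revocation": 60, "vendor_verification": 240}

def containment_latency(events: list[tuple[str, str]]) -> dict[str, float]:
    """Minutes from the first suspicious message to each containment milestone."""
    ts = {name: datetime.fromisoformat(t) for t, name in events}
    start = ts["suspicious_message"]
    return {n: (t - start).total_seconds() / 60 for n, t in ts.items() if n != "suspicious_message"}

def sla_breaches(latency: dict[str, float], targets: dict[str, int]) -> list[str]:
    """Milestones that missed their target, so latency becomes a tracked risk indicator."""
    return [m for m, limit in targets.items() if latency.get(m, float("inf")) > limit]
```

Feeding real mailbox and sign-in telemetry into `REQUEST` and incident ticket timestamps into `INCIDENT` turns the same functions into a review gate and a containment-speed metric.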
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Phishing is now an identity governance problem, not just an email security problem. The IBM data shows that the real damage comes when a trusted identity channel is abused to impersonate a person, a vendor, or a routine business process. That puts IAM, PAM, and human behaviour controls in the same threat model as email security. Organisations that still treat phishing as an inbox-only issue are managing the symptom, not the governance failure.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.

A question worth separating out:

Q: Who is accountable when a phishing attack turns into vendor fraud or account takeover?

A: Accountability usually spans security, IAM, finance, and business process owners because the breach crosses identity and operational boundaries. The critical question is not only who clicked, but who owned the workflow that allowed a trusted request to become a validated action.

👉 Read our full editorial: AI-powered phishing is still driving the costliest breaches
