BEC defence should be shared across email security, IAM, fraud, and finance operations. Email controls catch part of the problem, but identity and approval governance determine whether a fraudulent request becomes a real transaction. High-risk workflows need coordinated ownership, not isolated tooling.
Why This Matters for Security Teams
Business email compromise is not just an email filtering problem. It is a cross-functional control failure that starts with impersonation and ends with an approved payment, changed bank detail, or exposed payroll record. Security teams often overestimate what mailbox protection can stop and underestimate how quickly fraud moves into identity, finance, and human approval paths. NHIMG’s 52 NHI Breaches Analysis shows how compromised identities and weak governance create compounding impact once an attacker gains a trusted foothold. The same pattern appears in broader compromise research and in Anthropic’s report on AI-orchestrated cyber espionage, where automation accelerates targeting and abuse.
Ownership matters because BEC defence fails when each team defends only its own slice. Email security can flag spoofing, IAM can protect accounts, and finance can validate payments, but none of those controls works alone when attackers blend social engineering with legitimate workflow abuse. In practice, many security teams encounter BEC only after a payment has already been redirected or a mailbox rule has quietly diverted replies.
How It Works in Practice
The most effective operating model is shared ownership with clear decision rights. Email security should handle detection, phishing resistance, and mailbox hardening. IAM should govern authentication strength, privileged access, conditional access, and account recovery. Finance operations should own payment verification, vendor change controls, and call-back procedures. Fraud or risk teams should define escalation thresholds and anomaly review. That structure reflects the reality that BEC is an identity-and-process attack, not merely a messaging threat.
Practically, teams reduce exposure by combining layered controls:
- Strong authentication and device-based access to reduce account takeover risk.
- Policy-based approval steps for bank detail changes, urgent payments, and gift card or payroll requests.
- Out-of-band verification for high-risk requests, especially when urgency, secrecy, or account change language appears.
- Mailbox rule monitoring and impossible-travel or unusual-session alerts to catch post-compromise abuse.
- Privileged workflow review so one compromised inbox cannot approve, redirect, and reconcile the same transaction chain.
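The two post-compromise detections in the list above (mailbox rule monitoring and impossible-travel alerts) are easier to reason about in code. The following is an added example written for this guide, not code from NHIMG or any mail platform; the event schema, the internal domain `example.com`, the keyword and folder lists, and the sample events are all constructed assumptions for illustration.

```python
"""Added example: score newly created inbox rules for BEC tradecraft and flag
impossible travel between consecutive sign-ins. The event schema is an
assumption made for this example, not any vendor's audit log format."""
import math
from datetime import datetime, timezone

INTERNAL_DOMAINS = {"example.com"}          # assumed corporate mail domain
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "bank", "remit", "urgent")
# Folders users rarely open; attackers park diverted replies here
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}


def score_inbox_rule(event: dict) -> list[str]:
    """Return the reasons a new or modified inbox rule looks like post-compromise abuse."""
    reasons = []
    actions = event.get("actions", {})
    conditions = event.get("conditions", {})
    for addr in actions.get("forward_to", []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            reasons.append(f"forwards mail to external address {addr}")
    if actions.get("delete"):
        reasons.append("deletes matching messages")
    folder = actions.get("move_to_folder", "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves matching messages to rarely viewed folder '{folder}'")
    subjects = [s.lower() for s in conditions.get("subject_contains", [])]
    keywords = [k for k in FINANCE_KEYWORDS if any(k in s for s in subjects)]
    if keywords:
        reasons.append("filters on finance keywords: " + ", ".join(keywords))
    if len(event.get("rule_name", "").strip()) <= 1:
        reasons.append("rule name is empty or a single character")
    return reasons


def _km_between(a: tuple, b: tuple) -> float:
    """Great-circle distance (haversine) between two (lat, lon) points in km."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(sessions: list[dict], max_kmh: float = 900.0) -> list[tuple]:
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    by_user: dict[str, list[dict]] = {}
    for s in sorted(sessions, key=lambda s: s["time"]):
        by_user.setdefault(s["user"], []).append(s)
    alerts = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            km = _km_between(prev["geo"], cur["geo"])
            if hours <= 0:
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                alerts.append((user, f"{prev['city']} -> {cur['city']}", round(speed)))
    return alerts


# Constructed sample events (not real audit data)
SAMPLE_RULE_EVENTS = [
    {"user": "cfo@example.com", "rule_name": ".",
     "conditions": {"subject_contains": ["invoice", "wire"]},
     "actions": {"move_to_folder": "RSS Subscriptions", "delete": False,
                 "forward_to": ["archive.mail@example.net"]}},
    {"user": "analyst@example.com", "rule_name": "Team newsletters",
     "conditions": {"subject_contains": ["newsletter"]},
     "actions": {"move_to_folder": "Newsletters", "delete": False, "forward_to": []}},
]


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


SAMPLE_SESSIONS = [  # constructed; geo is (lat, lon)
    {"user": "cfo@example.com", "time": _t("2026-06-01T08:00"), "city": "London", "geo": (51.5, -0.1)},
    {"user": "cfo@example.com", "time": _t("2026-06-01T09:30"), "city": "Lagos", "geo": (6.5, 3.4)},
    {"user": "analyst@example.com", "time": _t("2026-06-01T08:00"), "city": "London", "geo": (51.5, -0.1)},
    {"user": "analyst@example.com", "time": _t("2026-06-01T17:00"), "city": "Manchester", "geo": (53.5, -2.2)},
]

if __name__ == "__main__":
    for ev in SAMPLE_RULE_EVENTS:
        print(ev["user"], score_inbox_rule(ev))
    print(impossible_travel(SAMPLE_SESSIONS))
```

The rule scorer deliberately reports every reason rather than a single verdict, so an analyst sees why a rule was flagged; the travel check uses a speed threshold rather than a fixed distance so that short hops over long intervals are not flagged.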
This is where identity governance becomes as important as secure email. The Ultimate Guide to Non-Human Identities is useful here because the same control logic applies: the actor is only one part of the risk, while the surrounding authority model determines whether abuse succeeds. NIST’s Cybersecurity Framework also supports this shared-responsibility pattern through detection, response, and governance functions. These controls tend to break down in decentralised payment environments where local teams can override verification steps under deadline pressure.
Common Variations and Edge Cases
Tighter approval controls often increase friction, so organisations have to balance fraud resistance against business speed. That tradeoff is especially visible in procurement, payroll, executive support, and M&A activity, where legitimate urgency can look identical to attacker pressure. Current guidance suggests that there is no universal standard for who “owns” BEC end to end; mature programmes split operational control across email security, IAM, finance, and fraud while assigning a single accountable executive for coordination.
Two edge cases deserve attention. First, executive impersonation often bypasses normal review because staff assume senior requests are time-sensitive and confidential. Second, supply-chain fraud can originate outside the corporate email system altogether, through vendor portals, collaboration tools, or compromised identity providers. In those cases, ownership must extend beyond the mailbox to include third-party verification and payment authorization.
For a practical model, use email security for prevention, IAM for account integrity, and finance or fraud leadership for transaction approval policy. NIST’s identity and access guidance reinforces that access controls must be paired with process controls to reduce misuse. The controls become much weaker when finance workflows still accept email alone as sufficient proof of intent.
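The point that email alone is not proof of intent, together with the approval steps, out-of-band verification, and separation-of-duties controls listed earlier, can be expressed as a policy check that finance tooling runs before a vendor bank-detail change takes effect. This is an added example written for this guide, not NHIMG's or any finance system's code; the request fields, the vendor master record, the threshold, and the pressure-phrase list are assumptions constructed for illustration.

```python
"""Added example: policy evaluation for a vendor bank-detail change request.
All field names, the vendor record and the threshold are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ChangeRequest:
    vendor_id: str
    requested_by: str                  # identity that submitted the change
    approver: Optional[str]            # identity that approved it
    reconciler: Optional[str]          # identity that will reconcile the payment
    source_channel: str                # "email", "vendor_portal", ...
    callback_number_used: Optional[str]  # number dialled for out-of-band verification
    callback_verified: bool
    amount_exposed: float              # value of payments affected by the change
    message_text: str = ""
    second_approver: Optional[str] = None


# Constructed vendor master record: the only phone numbers a call-back may use
VENDOR_RECORD_PHONE = {"V-1001": "+44 20 7946 0000"}
HIGH_VALUE_THRESHOLD = 50_000.0
PRESSURE_PHRASES = ("urgent", "today", "confidential", "do not call", "keep this between us")


def evaluate_change(req: ChangeRequest) -> dict:
    """Return a decision with hard blockers (must be resolved) and soft warnings."""
    blockers, warnings = [], []

    # 1. An email request is never sufficient on its own
    if req.source_channel == "email" and not req.callback_verified:
        blockers.append("email request without completed call-back verification")

    # 2. The call-back must use the number already on record, never one from the message
    if req.callback_verified and req.callback_number_used != VENDOR_RECORD_PHONE.get(req.vendor_id):
        blockers.append("call-back used a number not on the vendor master record")

    # 3. Separation of duties: one identity cannot request, approve and reconcile
    parties = {req.requested_by, req.approver, req.reconciler}
    if None in parties or len(parties) < 3:
        blockers.append("requester, approver and reconciler must be three distinct identities")

    # 4. High-value exposure needs an additional, independent approver
    if req.amount_exposed >= HIGH_VALUE_THRESHOLD:
        if req.second_approver is None or req.second_approver in parties:
            blockers.append("high-value change requires a distinct second approver")

    # 5. Urgency or secrecy language does not block by itself but is surfaced for review
    found = [p for p in PRESSURE_PHRASES if p in req.message_text.lower()]
    if found:
        warnings.append("pressure language present: " + ", ".join(found))

    return {"approved": not blockers, "blockers": blockers, "warnings": warnings}


# Constructed sample requests
SUSPECT = ChangeRequest(
    vendor_id="V-1001", requested_by="ap.clerk@example.com",
    approver="ap.clerk@example.com", reconciler="controller@example.com",
    source_channel="email", callback_number_used="+1 555 0100",
    callback_verified=True, amount_exposed=120_000.0,
    message_text="Urgent - please update our bank details today, keep this between us")

LEGIT = ChangeRequest(
    vendor_id="V-1001", requested_by="ap.clerk@example.com",
    approver="ap.manager@example.com", reconciler="controller@example.com",
    source_channel="vendor_portal", callback_number_used="+44 20 7946 0000",
    callback_verified=True, amount_exposed=12_000.0,
    message_text="Please update remittance account per attached signed form")

if __name__ == "__main__":
    print(evaluate_change(SUSPECT))
    print(evaluate_change(LEGIT))
```

Pressure language is kept as a warning rather than a blocker because legitimate urgency in procurement or payroll reads the same way; the blockers are the process controls that hold regardless of how the request is worded.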
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | BEC ownership needs cross-functional governance and oversight. |
| NIST CSF 2.0 | PR.AA-03 | Strong authentication limits mailbox takeover and impersonation. |
| NIST CSF 2.0 | RS.MI-01 | BEC response requires coordinated containment and transaction hold actions. |
Assign one accountable owner for BEC oversight and align email, IAM, finance, and fraud controls.
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org