They test whether employees will act on a fraudulent request inside a real business workflow, which is where many identity and approval failures surface. IAM programmes should care because those attacks exploit trust, not just email hygiene. Simulations that mirror actual approval paths expose process weaknesses that generic phishing templates miss.
Why This Matters for Security Teams
BEC and vendor fraud simulations matter because they test whether identity controls hold up when a request looks legitimate, urgent, and embedded in a normal business process. That is a different failure mode than spam or generic phishing. The real risk is not the inbox alone, but the combination of trust, approval authority, and weak verification. NIST Cybersecurity Framework 2.0 frames this as an identity and access governance problem, not just an awareness issue.
For IAM programmes, these exercises reveal where role design, approval routing, and exception handling create openings for fraud. They also expose whether people can distinguish a real change request from a convincing impersonation of finance, procurement, legal, or a supplier contact. In NHIMG research, the Ultimate Guide to NHIs shows how weak identity hygiene compounds breach impact, and that same pattern applies when human approvals are exploited inside workflows.
In practice, many security teams discover the control gap only after a fake invoice, bank-change request, or supplier escalation has already moved through a real approval path.
How It Works in Practice
The most useful simulations mirror actual business operations, not generic email lures. A strong scenario may start with a spoofed vendor message, then test whether the recipient uses the approved verification path before changing payment details, releasing credentials, or approving a purchase. The goal is to observe whether identity proofing, callback procedures, dual approval, and segregation of duties are applied under pressure.
Security and IAM teams should map simulations to the exact control points that a fraud actor would target. That includes directory lookups, help desk resets, delegated approvers, supplier onboarding, and shared mailbox workflows. When the simulation shows an employee bypassing process because the request appears to come from a senior executive, the issue is not awareness alone. It is that the identity system allows trust to be transferred too easily across roles and channels.
- Use realistic sender, supplier, and approver personas aligned to active business processes.
- Measure whether staff verify identity through a known out-of-band method.
- Test whether step-up approval is triggered for payment, credential, or banking changes.
- Track whether exceptions are logged and reviewed, not just whether a user clicked.
Current guidance suggests pairing these simulations with control validation, because the real objective is to find where IAM policy, workflow design, and human judgment diverge. NHIMG data on the 2024 Non-Human Identity Security Report shows that organisations often lag in identity maturity, which matters when fraudulent requests reach systems that already rely on brittle approvals and inconsistent verification. These controls tend to break down in decentralised procurement environments because local exceptions override central approval logic.
Common Variations and Edge Cases
Tighter verification often increases operational friction, so organisations must balance fraud resistance against business speed. That tradeoff is real, especially where procurement, treasury, or executive support teams handle time-sensitive requests. Best practice is evolving, but current guidance favours risk-based checks rather than forcing every transaction through the same high-friction process.
Some programmes broaden these exercises to include help desk social engineering, supplier onboarding, or even internal identity resets. Others limit them to payment fraud only. The right scope depends on where authority can be abused. If a requester can influence bank details, MFA reset flows, or delegated access, the simulation should cover that path. If not, the exercise may miss the real exposure.
This also intersects with broader identity governance. The Azure Key Vault privilege escalation exposure research illustrates how access paths can be abused when trust is assumed too broadly, and the same lesson applies to human approval chains. Teams that stop at awareness scores often miss the process weakness that allowed the fraudulent request to look valid in the first place.
Where third parties, shared inboxes, or outsourced finance operations are involved, simulations can become less reliable unless ownership and verification responsibilities are explicitly defined.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-03 | Fraud simulations validate whether identities are verified before sensitive actions. |
| OWASP Non-Human Identity Top 10 | NHI-08 | Exposes weak workflow controls that let trusted requests bypass identity checks. |
| NIST AI RMF | Governance and monitoring principles support risk-based fraud testing of identity workflows. |
Map business approvals to NHI-style trust boundaries and remove implicit trust from high-risk actions.
Related resources from NHI Mgmt Group
- Why does vendor delivery footprint matter to IAM and identity governance programmes?
- What breaks when organisations rely on static vendor lists for fraud prevention?
- Why does identity matter more when vulnerabilities are discovered faster than they can be patched?
- What is LLMjacking in an IAM context?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
