Business email compromise (BEC) attacks succeed because many organisations still treat routine communication as proof of authority. Attackers exploit that assumption by mimicking vendors, replaying familiar threads, or inserting themselves into approval chains. The weakness is usually the business workflow, not the mailbox itself.
Why This Matters for Security Teams
Business email compromise works because it targets trust, process, and timing, not just inbox controls. Even mature organisations can miss the fact that a convincing sender, a familiar thread, or an urgent payment request can bypass human judgment faster than technical alarms can fire. NHI Management Group's 52 NHI Breaches Analysis shows how often identity misuse turns into business impact once credentials or approval paths are abused.
The practical failure is that many defences still assume that a message which passes email authentication (SPF, DKIM, DMARC) carries legitimate intent. Authentication only proves which domain sent the message; it says nothing about whether the request is genuine, which is why vendor impersonation from a lookalike domain, malicious mailbox rules, reply-chain hijacking, and compromised accounts can all produce a plausible business event that passes every header check. Guidance from CISA cyber threat advisories consistently points to identity abuse and social engineering as recurring themes in real incidents. In practice, many security teams encounter BEC only after a payment diversion or payroll fraud has already been approved, rather than by detecting the workflow abuse beforehand.
How It Works in Practice
Successful BEC campaigns usually blend identity compromise with process manipulation. Attackers may register lookalike domains, compromise a real mailbox, or hijack an existing thread so the request appears to come from a trusted relationship. They then choose moments when finance, HR, or procurement teams are most likely to act quickly, such as invoice runs, payroll changes, or urgent supplier updates.
Defence works best when it treats the workflow as the control surface. That means verifying high-risk requests out of band, enforcing dual approval for payment or banking changes, and separating routine correspondence from authority to act. Teams should also watch for mailbox-rule creation, unusual forwarding, impossible travel, and changes in payment instructions. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks and Top 10 NHI Issues both reinforce that identity misuse becomes damaging when standing access and weak validation meet business urgency.
Security teams should also align email controls with identity governance, not treat them as separate problems. That includes tightening privileged mailbox access, restricting auto-forwarding, and using conditional policies for account takeover signals. The strongest programmes pair technical detection with business process friction where fraud would be expensive. These controls tend to break down when approvals depend on informal chat, shared inboxes, or last-minute exceptions because attackers can exploit ambiguity faster than escalation paths can respond.
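The two detection signals named above, mailbox-rule abuse and impossible travel, are easy to describe and easy to get wrong in practice. The following is an added example, not code from the page or from NHIMG: it runs both checks over a handful of constructed audit events. The event shape (the `op`, `params`, `lat` and `lon` fields, the `New-InboxRule` and `Set-Mailbox` operation names) is an assumption loosely modelled on a cloud mailbox audit log, not a vendor schema, and the hiding-folder list, finance keywords and speed threshold are illustrative choices to tune for your tenant.

```python
"""Detect common BEC account-takeover signals in mailbox audit events.

Added example; not code from the page or from NHIMG. The records below are
constructed, and their field names (op, params, lat, lon) are assumptions
loosely modelled on a cloud mailbox audit log rather than any vendor schema.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

INTERNAL_DOMAINS = {"example.test"}
# Substring matches on rule filters; tune for your language and false-positive budget.
FINANCE_WORDS = {"invoice", "payment", "bank", "wire", "remit", "payroll", "ach"}
# Folders attackers pick so the real user never sees the replies.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
MAX_TRAVEL_KMH = 900.0  # roughly airliner speed; anything faster is not one person

# Constructed sample events (not real log data), deliberately out of order.
EVENTS = [
    {"time": "2026-06-01T08:45:30Z", "op": "New-InboxRule", "user": "ap-clerk@example.test",
     "params": {"Name": ".", "SubjectContainsWords": "invoice;payment;bank details",
                "ForwardTo": "billing@examp1e-supplier.test", "DeleteMessage": "True"}},
    {"time": "2026-06-01T08:02:11Z", "op": "UserLoggedIn", "user": "ap-clerk@example.test",
     "lat": 51.50, "lon": -0.12},
    {"time": "2026-06-01T08:40:00Z", "op": "UserLoggedIn", "user": "ap-clerk@example.test",
     "lat": 40.71, "lon": -74.01},
    {"time": "2026-06-01T09:00:00Z", "op": "New-InboxRule", "user": "hr-lead@example.test",
     "params": {"Name": "Newsletters", "FromAddressContainsWords": "news@example.test",
                "MoveToFolder": "Newsletters"}},
    {"time": "2026-06-01T09:10:00Z", "op": "Set-Mailbox", "user": "cfo@example.test",
     "params": {"ForwardingSmtpAddress": "smtp:cfo.private@mail.test",
                "DeliverToMailboxAndForward": "True"}},
]


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    addr = address.lower().removeprefix("smtp:")
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def rule_findings(params: dict) -> list[str]:
    """Reasons a rule or mailbox change looks like BEC tradecraft (empty if benign)."""
    reasons = []
    for key in FORWARD_KEYS:
        if key in params and is_external(params[key]):
            reasons.append(f"{key} to external address {params[key]}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching mail")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"rule hides mail in {params['MoveToFolder']}")
    words = (params.get("SubjectContainsWords", "") + ";" + params.get("BodyContainsWords", "")).lower()
    hits = sorted(w for w in FINANCE_WORDS if w in words)
    if hits:
        reasons.append("filters on finance terms " + ", ".join(hits))
    name = params.get("Name", "")
    if name and not name.strip(" .,-_"):  # attackers favour names like "." or ",,"
        reasons.append(f"rule name {name!r} is punctuation only")
    return reasons


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two sign-in locations."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def analyse(events: list[dict]) -> list[dict]:
    """Run both detections in time order and return alerts as {user, time, reason}."""
    alerts, last_login = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"]
        if ev["op"] == "UserLoggedIn":
            prev = last_login.get(user)
            if prev:
                km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
                hours = (parse_time(ev["time"]) - parse_time(prev["time"])).total_seconds() / 3600
                if hours > 0 and km / hours > MAX_TRAVEL_KMH:
                    alerts.append({"user": user, "time": ev["time"],
                                   "reason": f"impossible travel: {km:.0f} km in {hours:.2f} h"})
            last_login[user] = ev
        elif ev["op"] in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            for reason in rule_findings(ev.get("params", {})):
                alerts.append({"user": user, "time": ev["time"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(f"{alert['time']} {alert['user']}: {alert['reason']}")
```

On the constructed input the finance clerk's account produces five alerts (a London-to-New-York sign-in pair 38 minutes apart, then a rule that forwards finance mail to a lookalike domain and deletes it), the HR newsletter rule produces none, and the CFO's mailbox-level forwarding to a personal domain produces one. The point of checking rules and sign-ins together is that either alone is noisy; a rule created minutes after an anomalous sign-in is the combination worth paging on.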
Common Variations and Edge Cases
Tighter approval controls add operational friction, so organisations have to balance fraud reduction against speed and user inconvenience. That tradeoff is real, especially in sales-led businesses, distributed finance teams, and contractor-heavy environments where urgent exceptions are common. Current guidance suggests that the right answer is not to remove friction entirely, but to concentrate it where money, banking details, or authority change hands.
Some BEC cases are more subtle than invoice fraud. In executive impersonation, the attacker may ask for gift cards, wire transfers, or confidential files instead of a direct payment. In supplier fraud, the message may request a bank detail update that looks routine. In payroll diversion, the target is often HR rather than finance. The pattern can also involve compromised non-human identities, such as shared service accounts or automated notification systems, which create believable message chains that appear operationally normal.
There is no universal standard for this yet, but best practice is evolving toward layered validation, phishing-resistant authentication, and stronger business process assurance. Where available, cross-check suspicious requests against known supplier master data and recent transaction history, and treat any communication that asks for secrecy, urgency, or exception handling as a risk signal. For broader context on compromise patterns, the Ultimate Guide to NHIs — Why NHI Security Matters Now is a useful reference point. The model breaks down most often in decentralised organisations where email, chat, and finance approvals are loosely governed and no single team owns the end-to-end fraud path.
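The supplier-fraud variant above (a routine-looking bank detail update) and the cross-check described here can be reduced to a concrete gate in front of the master-data change. The block below is an added example, not code from the page or from NHIMG: it scores a change request against constructed supplier master data and payment history, flags secrecy, urgency and exception language, and returns the out-of-band steps that must complete before anyone edits the record. The record layout, the regexes and the score weights are illustrative assumptions; the lookalike check uses plain edit distance, which is enough to catch the `rn` for `m` and `1` for `l` substitutions attackers favour.

```python
"""Validate a supplier bank-detail change request against master data.

Added example, not code from the page or from NHIMG. The supplier record, the
payment history and the request are constructed; field names, regexes and score
weights are illustrative assumptions to adapt to your ERP and risk appetite.
"""
import re
from dataclasses import dataclass

# Constructed supplier master data and payment history (not real).
SUPPLIERS = {
    "S-1042": {"name": "Acme Components Ltd", "email_domain": "acme-components.test",
               "iban": "GB29NWBK60161331926819", "phone_on_file": "+44 20 7946 0000"},
}
HISTORY = [  # (supplier_id, iban paid, amount)
    ("S-1042", "GB29NWBK60161331926819", 12400.00),
    ("S-1042", "GB29NWBK60161331926819", 9800.50),
]
# Language that should raise scrutiny rather than lower it.
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|before (?:close|cob|eod))\b", re.I)
SECRECY = re.compile(r"\b(confidential|don'?t (?:call|phone)|do not (?:call|phone|discuss)|keep this between)\b", re.I)
EXCEPTION = re.compile(r"\b(bypass|skip (?:the )?(?:check|verification)|one[- ]off|just this once)\b", re.I)


@dataclass
class ChangeRequest:
    supplier_id: str
    sender: str          # From: address on the email
    reply_to: str        # Reply-To: address; a hijacked thread often diverges here
    new_iban: str
    callback_phone: str  # number the email asks us to confirm on
    body: str


@dataclass
class Verdict:
    risk: int            # 0..100
    reasons: list
    required_steps: list


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def assess(req: ChangeRequest) -> Verdict:
    """Score the request and list the out-of-band steps required before any change is made."""
    sup = SUPPLIERS.get(req.supplier_id)
    if sup is None:
        return Verdict(100, ["supplier not in master data"], ["reject; onboard via procurement first"])
    new_iban = re.sub(r"\s", "", req.new_iban).upper()
    if new_iban == sup["iban"]:
        return Verdict(0, ["bank details unchanged"], [])
    sender_dom, legit = domain_of(req.sender), sup["email_domain"]
    lookalike = sender_dom != legit and edit_distance(sender_dom, legit) <= 2
    digits = lambda s: re.sub(r"\D", "", s)
    checks = [  # (condition, reason, weight)
        (lookalike, f"sender domain {sender_dom} is a lookalike of {legit}", 40),
        (sender_dom != legit and not lookalike, f"sender domain {sender_dom} does not match master data", 30),
        (domain_of(req.reply_to) != sender_dom, "Reply-To domain differs from sender domain", 25),
        (new_iban[:2] != sup["iban"][:2], "new account is in a different country", 20),
        (not any(h[0] == req.supplier_id and h[1] == new_iban for h in HISTORY),
         "no previous payment to this account", 15),
        (digits(req.callback_phone) != digits(sup["phone_on_file"]),
         "callback number in email differs from number on file", 20),
        (bool(URGENCY.search(req.body)), "urgency language in request", 15),
        (bool(SECRECY.search(req.body)), "secrecy language in request", 30),
        (bool(EXCEPTION.search(req.body)), "exception-handling language in request", 20),
    ]
    reasons = [reason for hit, reason, _ in checks if hit]
    risk = min(100, sum(weight for hit, _, weight in checks if hit))
    steps = [f"call {sup['name']} on the number on file ({sup['phone_on_file']}), never the number in the email",
             "second approver confirms the change in the ERP, not by replying to the thread"]
    if risk >= 50:
        steps.insert(0, "hold all payments to this supplier until verified")
    return Verdict(risk, reasons, steps)


# Constructed request in the shape of a supplier-fraud BEC (note 'rn' for 'm' in the domain).
REQUEST = ChangeRequest(
    supplier_id="S-1042",
    sender="accounts@acme-cornponents.test",
    reply_to="accounts@acme-cornponents.test",
    new_iban="LT12 1000 0111 0100 1000",
    callback_phone="+44 7700 900123",
    body="Urgent: we changed banks, please update before close of business today. "
         "This is confidential, don't call the office, just email me back.",
)

if __name__ == "__main__":
    verdict = assess(REQUEST)
    print(f"risk={verdict.risk}")
    for line in verdict.reasons + verdict.required_steps:
        print(" -", line)
```

The design choice worth copying is that `required_steps` is never empty for a real change, whatever the score: the callback always goes to the number already on file, and the second approval happens in the system of record rather than in the email thread, so a convincing message cannot shorten the path. The score only decides whether payments are also frozen while that happens.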
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control outcomes practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 (Identity Management, Authentication, and Access Control) | BEC succeeds when identity trust is overextended across email and approvals. |
| NIST CSF 2.0 | DE.CM-03 (personnel activity and technology usage are monitored) | Mailbox-rule abuse and anomalous access are common BEC indicators. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Compromised service accounts and shared identities can enable believable BEC chains. |
Inventory non-human identities and remove unnecessary standing access that can be abused in fraud.
Related resources from NHI Mgmt Group
- How should organisations reduce business email compromise risk when attackers use generative AI?
- How should organisations reduce business email compromise risk without relying only on awareness training?
- Why do poisoned tenant attacks work even when email authentication passes?
- How can organisations reduce the identity impact of email compromise?
Reviewed and updated by the NHIMG editorial team on June 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org