2025 Business Email Compromise & Phishing Reality Report
What Was Predicted in 2025. What Actually Happened. What Must Change in 2026.
Purpose Statement:
This report exists to distinguish signal from narrative in BEC and phishing for Jan 1 – Dec 31, 2025, and to provide decision‑grade clarity on what must be engineered differently in 2026 to actually reduce loss, not just detect email.
1. BLUF / Executive Reality Summary
1.1 One‑Page Reality Snapshot
Hard truths for 2025 BEC & phishing:
- BEC remained the highest‑impact fraud channel by dollars lost, while ranking far lower by volume, proving that “most common” is not the same as “most damaging.”
- Phishing volume stayed at or above one million attacks per quarter, but attacker ROI came increasingly from fewer, more targeted BEC and pretexting flows, not generic spray‑and‑pray.
- Identity abuse (credentials, cookies, device fingerprints) outpaced classic payload‑based malware as the primary enabler for BEC and account‑takeover style fraud.
- BEC campaigns shifted further from “credential theft then login” to “direct payment manipulation and dual‑channel social engineering,” compressing time‑to‑impact and sidestepping traditional email controls.
- Gen‑AI did not create a new class of BEC attacks; it scaled pretext quality and volume, especially long‑form, multi‑persona impersonation, but the core mechanics stayed the same.
- Vendor and executive focus on “phishing click rates” and “reported phish” remained largely detached from actual loss, while median BEC incident losses and wire‑request amounts continued to climb.
- Most architectures still trusted identities and email accounts as ground truth; very few enforced hard runtime constraints on money movement or control‑plane changes, so prevention routinely failed even when email detections “worked.”
Reality Summary: detection of email events improved at the edge, but architectural control over high‑value actions (payments, admin changes, data movements) did not, so losses persisted or rose.
1.2 Last Year’s Predictions vs Reality (Scorecard)
Top claims below are extracted from the CSI 2024 BEC & phishing piece plus dominant 2024 industry narratives, then scored against 2025 evidence.
| Prediction (2024 → 2025) | Widely Claimed By | Outcome (2025) | Accuracy | Example Evidence |
|---|---|---|---|---|
| BEC will remain one of the costliest cybercrimes by dollar loss | Industry + CSI | BEC generated ~2.7–2.8B USD reported losses in 2024 and remained near‑top for losses heading into 2025. | Accurate | FBI IC3, APWG |
| Phishing volume will remain at or above ~1M attacks per quarter | Industry | APWG tracked >1M phishing attacks per quarter, with ~1.13M in Q2 2025. | Accurate | APWG |
| Credential theft will remain the dominant initial objective of phishing | Industry | Majority of phishing targeted organizational resources via credential theft and fake billing in early 2025. | Partially accurate | Hoxhunt |
| BEC techniques will pivot toward higher average transaction values rather than more volume | CSI + Tier‑2 vendors | Average BEC wire request amounts nearly doubled Q1→Q2 2025; per‑incident losses remain very high. | Accurate | APWG/Fortra |
| AI/Gen‑AI will dramatically change BEC mechanics | Industry | AI mainly improved email quality/length, but core mechanics (pretexting, account abuse, wire fraud) stayed constant. | Narratively useful but technically false | |
| SMS, messaging, and multi‑channel lures will grow as key BEC enablers | Emerging vendors | BEC increasingly used SMS and messaging; SMS was ~66% of BEC lures in one dataset, WhatsApp heavily used. | Accurate | LevelBlue |
| Detection and awareness training will significantly reduce BEC losses | Industry | BEC complaints and losses remained very high; identity‑related incidents hit 91% of orgs despite training. | Narratively useful but technically false | |
| Account takeover and vendor email compromise will outpace simple spoofed‑domain fraud | CSI + Tier‑2 vendors | Vendor email compromise grew sharply in prior years and continued as a primary pattern into 2025. | Accurate | Hoxhunt/others |
Why predictions failed or succeeded:
- Predictions tied to attacker economics (follow the money, fewer but larger frauds) held.
- Predictions tied to tooling (training, more detections) overestimated their ability to change outcomes because they did not alter execution physics or identity‑level constraints.
1.3 What Executives Must Know (Decision Lens)
What changed materially in 2025:
- Median and mean dollar amounts requested in BEC wire fraud climbed sharply, and targeted, high‑value BEC became even more economically attractive than ransomware for many actors.
- BEC increasingly used dual‑channel (email + SMS/messaging) flows to move victims off instrumented channels and away from email filters.
- Identity exposure exploded in volume and richness; most organizations now have extensive credentials, cookies, and device data circulating in criminal ecosystems.
What did not change despite noise:
- BEC remained largely an identity and business‑process abuse problem, not a “malware” problem.
- Classic phishing metrics (click rate, training completion, reported phish counts) still did not correlate reliably with loss.
- Email‑only defenses remained insufficient where money movement and admin actions were not architecturally constrained.
What is now irreversible:
- You must assume your users’ identities and devices are already compromised at scale, with 12x more records exposed than legacy checks see.
- Attackers have a durable, growing reservoir of identity data; they no longer need broad phishing to collect credentials, and can instead optimize for higher‑value pretexting and fraud.
- The attack surface has shifted from “inbox” to “workflow”: payment approvals, vendor onboarding, payroll changes, and admin role grants.
What executives must decide differently this year:
- Stop treating BEC and phishing as awareness‑and‑email problems; treat them as identity‑and‑workflow control problems.
- Fund runtime constraints on high‑value actions, even for “valid” users, instead of more training and dashboards.
- Tie KPIs to loss reduction and prevented actions, not to email detection volume or training scores.
2. The Narrative vs The Reality
2.1 The Surface Narrative (2025)
Dominant 2025 narratives around BEC and phishing looked like this:
- “Phishing is still the number one attack vector,” often citing that phishing/spoofing is the most reported crime to FBI IC3 by volume.
- “Human error is responsible for 60% (or more) of breaches,” leaning on the Verizon DBIR human‑element statistic.
- “BEC is growing but can be mitigated with awareness training, improved email security, and better reporting programs.”
- “AI‑powered phishing is a fundamentally new threat that makes all users vulnerable,” emphasizing Gen‑AI email quality and language.
- “More detections and shorter response times equal better security,” measured via email blocks, phishing simulations, and incident MTTR.
These narratives concentrated on inbox‑level events and user behavior, not on the actual mechanics of money movement, account changes, or identity abuse across channels.
2.2 The Underlying Reality
Execution‑level reality in 2025:
- BEC was not the most common complaint, but it remained near‑top in terms of aggregate losses, with multi‑billion‑dollar annual impact.
- Attackers optimized their business model: rather than high‑volume email sprays, they used higher‑quality pretexts, vendor email compromise, and dual‑channel lures to drive larger, more reliable payouts.
- Identity abuse shifted from just passwords to a mesh of stolen credentials, cookies, and device fingerprints, enabling highly convincing logins and fraud even when passwords were changed.
- A large majority of organizations experienced identity‑related incidents, showing that “human error” is a misleading simplification; the real issue is systemic credential and session exposure coupled with weak runtime controls.
- BEC losses persisted even when phishing awareness and email filtering metrics improved, demonstrating that detection‑first approaches failed the Law of Physics: they allowed the harmful action to remain architecturally possible.
Attacker economics:
- Phishing kits and PhaaS lowered the cost of campaigns while maintaining high volume.
- Rising average wire amounts (e.g., ~97% QoQ increase in one dataset) meant fewer successful incidents could generate the same or more revenue.
- Vendor email compromise and payroll diversion attacks continued to exploit trusted relationships and predictable workflows, not technical exploits.
3. Engineering Truth: How the Attacks Actually Worked
3.1 Dominant Attack Mechanics (Flows)
Below are representative 2025‑style flows; variations exist, but the architecture failures are consistent.
Flow A — Classic Executive BEC with Dual‑Channel Pivot
Entry:
An attacker uses stolen credentials or a convincing spoof/typo‑domain email to impersonate an executive, often supported by background data from prior breaches and identity dumps.
The initial email is often a short “request for contact” or urgency‑laden message that moves the conversation to SMS or messaging apps like WhatsApp, where corporate controls are weak.
Escalation:
On the less monitored channel, the attacker deepens the pretext (e.g., confidential acquisition, urgent vendor dispute) and instructs a finance or operations employee to update payment instructions or process a wire.
The employee, seeing consistent identity cues (name, role, phone number spoofed, references to real vendors), initiates a payment or changes banking details in ERP/AP systems.
Impact:
Funds move to attacker‑controlled accounts; recovery is difficult or impossible given cross‑border movement and mule networks.
No endpoint malware or traditional exploit is required; the entire success depends on identity trust and process weakness rather than email detection failure.
Flow B — Vendor Email Compromise → Invoice Fraud
Entry:
A supplier’s mailbox or SaaS account is compromised via password reuse, infostealer data, or phishing.
The attacker silently monitors threads and financial workflows for weeks, learning invoice patterns and approval timing.
Escalation:
At the right moment, the attacker replies in‑thread with a modified invoice or new banking details, often cloning formatting and tone exactly.
Because the email originates from a legitimate vendor account and references real work and POs, it passes most technical and human checks.
Impact:
Payment is redirected to attacker accounts, sometimes repeatedly before detection.
The victim’s email security product can show “no malicious content,” and phishing training is irrelevant—this is an abuse of a trusted account within a normal workflow.
Flow C — Credential/Session Abuse → SaaS Control‑Plane Changes → Follow‑on BEC
Entry:
Attackers obtain SaaS or IdP credentials, cookies, or device fingerprints from large identity dumps or infostealers, with users frequently reusing passwords.
Attackers log into email, CRM, or ERP systems using valid sessions, often bypassing basic MFA via stolen cookies or weak recovery flows.
Escalation:
Inside the account, attackers modify forwarding rules, create hidden inbox rules, or adjust notification settings to intercept invoices and reply‑to addresses.
They may also create OAuth app tokens or API keys that persist even if passwords are changed.
Impact:
BEC and fraud follow as in Flow B, but with more durable persistence and deeper access to business logic.
Traditional “compromised account” detections often trigger late, after money has moved or data has been exfiltrated.
3.2 Time, Scale, and Automation
Time‑to‑impact:
- Wire redirection and payroll diversion can complete within hours once the pretext is accepted; many attacks involve same‑day or next‑day execution after a successful conversation.
- Payment recovery windows are narrow, often requiring action within 24–72 hours; any detection lag beyond that converts to unrecoverable loss.
Human vs machine asymmetry:
- Attackers leverage PhaaS, phishing kits, and automated infrastructure to run large campaigns, while defenders rely on human review of inboxes, training, and manual verification processes.
- Fraudsters increasingly automate reconnaissance and sending, reserving human effort for high‑value conversations and negotiation, maximizing ROI.
Why detection lag is now fatal (Law of Physics):
- If the architecture allows unverified high‑value actions to be executed solely on the basis of email‑initiated requests, then any detection after submission is incident response, not prevention.
- Zero dwell time for fraud would mean the action itself cannot complete without additional runtime verification controls, even when email and identity “look” legitimate.
4. Debunked & Retired Metrics
4.1 Metrics That Must Be Retired
Debunked Stats Table (Old → Why False → Replacement/Invalidated)
| Old Metric / Stat | Origin / Era | Why It’s Misleading or Broken | Replacement or Status |
|---|---|---|---|
| “BEC has caused $X billion in losses since 2013/2016/2019/2022…” | FBI IC3 PSA 2022 & older | Reused endlessly without updating; hides year‑over‑year change and conflates long‑term cumulative loss with current‑year risk. | Use annual adjusted losses and median/mean per incident (e.g., ~2.7–2.8B in 2024 + median loss). |
| “Phishing is the #1 cybercrime” (by volume) | IC3 reports, repeated 2018‑24 | True for complaint counts, but irrelevant for impact; BEC ranks lower in volume but near‑top in total losses. | Track loss‑weighted ranking (loss per incident, total losses) rather than complaint counts. |
| “60% (or 90%) of breaches are caused by human error/social engineering” | Verizon DBIR & derivatives | Collapses identity exposure, architectural flaws, and process failures into “humans are the problem”; discourages engineering fixes. | Measure proportion of incidents where architectural constraints would have prevented impact even with same human behavior. |
| “Awareness training reduces phishing risk by X%” | Training vendor studies | Often based on simulation click rates, not actual BEC outcomes; ignores dual‑channel attacks and vendor compromise where training is irrelevant. | Replace with “change in BEC incident rate / losses per 1,000 employees after architectural changes,” or declare obsolete when unlinked to outcomes. |
| “Number of phishing emails blocked per month” as a success KPI | Email security dashboards | Comfort telemetry; scales with attacker volume and does not correlate reliably with loss. | Measure number and value of fraudulent payment or admin attempts blocked at workflow/runtime layer. |
| “User‑reported phishing volume” | Awareness programs | Incentivizes noise; high reporting can coexist with high BEC loss; underestimates vendor compromise and dual‑channel tactics. | Measure rate of correctly escalated high‑value fraud attempts and resulting prevented loss. |
| “MFA coverage percentage” as a standalone health metric | General security programs | MFA is frequently bypassed via infostealers, cookies, and weak flows; coverage says nothing about resilience. | Measure rate of successful account takeovers and BEC events involving MFA‑protected accounts; focus on break rate, not coverage. |
Metrics declared obsolete: any that focus on email activity volumes without connecting to fraudulent action impact (payments, admin changes, data exposure).
4.2 Metrics That Actually Predict Damage
Metrics aligned with real‑world BEC/phishing damage in 2025:
- Average and median dollar value of attempted and successful BEC transactions per quarter, by scenario (vendor fraud, executive BEC, payroll diversion).
- Number and value of high‑value actions (payment changes, wires, payroll edits, vendor onboarding, admin role grants) blocked due to runtime verification or step‑up controls.
- Presence, volume, and age of your organizational identities, credentials, cookies, and device fingerprints in recaptured criminal datasets.
- Rate of account takeover and vendor email compromise incidents originating from stolen data (vs pure phishing), and time‑to‑detect anomalous behavior inside those accounts.
- Percentage of critical workflows that can be completed solely based on email‑initiated requests vs those requiring independent channel and data verification.
- Time from initiation of fraudulent action to irreversible loss (funds clearing, irreversible payouts), compared with time to detect and halt.
5. What Defenders Missed (Blind Spot Analysis)
5.1 Vendor Visibility Gaps
Tier‑1 vendor and mainstream report blind spots in 2025:
- Cross‑channel fraud flows: Many email security vendors see only email; they miss SMS, WhatsApp, and voice pivots that now drive a large share of BEC outcomes.
- Downstream payment and ERP systems: Email products rarely have visibility into payment execution, vendor master changes, or payroll edits, so they cannot measure real loss reduction.
- Identity exposure depth: Traditional monitoring underestimates the volume and richness of identity data; SpyCloud’s 12x more records than legacy checks illustrates the gap.
- Vendor email compromise impact: Many stats cluster all phishing/BEC together, obscuring VEC as a distinct, highly effective pattern.
- Post‑login behavior: SaaS and IdP misuse (rules, OAuth abuse, forwarding, API keys) often sits outside classic phishing/BEC reporting lines.
Why vendors cannot see this:
- Tooling boundaries: Email security, IdP, and payment systems are sold and instrumented as separate products, violating the Law of Entropy by increasing complexity rather than building a unified shield.
- Incentives: Vendors are rewarded for detections and blocked emails, not for reduction in dollar loss or prevented fraud at workflow level.
- Data access: Payment providers, banks, and ERP vendors hold key outcome data but rarely integrate deeply with email/identity telemetry for joint metrics.
5.2 Defender Pain Signals
Where teams struggled silently in 2025:
- Reconciling “good” phishing metrics with persistent or rising BEC losses; leadership often questioned why improvements were not translating to reduced fraud.
- Investigating vendor email compromise where all emails appeared technically legitimate and passed DMARC, SPF, and DKIM.
- Handling dual‑channel pretexting (email → SMS/WhatsApp), where no corporate telemetry exists, and finance staff rely purely on judgment.
- Detecting identity abuse via stolen cookies and device fingerprints that bypass traditional login anomaly checks.
- Coordinating responses between security, finance, and legal fast enough to recall or freeze funds after a fraudulent payment.
What failed without alerts:
- Silent mail‑rule modifications, forwarding rules, and OAuth app creation in compromised accounts.
- Incremental, “low‑noise” invoice changes (e.g., bank details on existing supplier) that did not trigger anomaly alerts or threshold‑based monitoring.
- Socially engineered overrides of weak “out‑of‑band” verification processes where phone calls or messages were themselves compromised.
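The silent persistence steps described in Flow C (section 3.1) and in the first item above are detectable from SaaS audit trails if someone actually evaluates them. The following Python is an added illustration, not code from the report or from any mail platform: the audit-event schema, field and scope names, corporate domain and every event in the sample log are constructed.

```python
"""Detection over mailbox/SaaS audit events for the persistence steps in Flow C.

Added illustration, not code from the report or from any mail platform: the event
schema, field names, OAuth scope names and every event below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

CORPORATE_DOMAINS = {"example-corp.test"}                        # assumption
HIGH_RISK_SCOPES = {"mail.read", "mail.readwrite", "mail.send", "offline_access"}  # constructed names
HIDING_ACTIONS = {"move_to_deleted", "mark_read", "delete"}      # actions that hide matched mail
FINANCE_KEYWORDS = {"invoice", "payment", "remittance", "wire", "bank"}
NEW_DEVICE_WINDOW = timedelta(minutes=60)  # rule/consent this soon after a new-device login is escalated

CONSTRUCTED_AUDIT_LOG = """\
{"ts":"2025-06-10T02:11:05Z","user":"ap.clerk@example-corp.test","op":"login","new_device":true}
{"ts":"2025-06-10T02:13:40Z","user":"ap.clerk@example-corp.test","op":"inbox_rule_create","rule":{"name":".","conditions":{"subject_contains":["invoice","remittance"]},"actions":["forward_to:finance-ops@mail-relay.example.net","move_to_deleted","mark_read"]}}
{"ts":"2025-06-10T02:15:02Z","user":"ap.clerk@example-corp.test","op":"oauth_consent","app":"Mail Sync Helper","scopes":["mail.readwrite","mail.send","offline_access"]}
{"ts":"2025-06-10T09:30:00Z","user":"hr.lead@example-corp.test","op":"inbox_rule_create","rule":{"name":"Archive newsletters","conditions":{"from_contains":["newsletter"]},"actions":["move_to_folder:Newsletters"]}}
{"ts":"2025-06-10T09:31:00Z","user":"hr.lead@example-corp.test","op":"oauth_consent","app":"Calendar Widget","scopes":["calendar.read"]}
"""


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def analyze_rule(rule):
    """Findings for one inbox rule: external forwarding, hiding of finance mail, blank names."""
    findings = []
    actions = rule.get("actions", [])
    conditions = rule.get("conditions", {})
    for action in actions:
        if action.startswith(("forward_to:", "redirect_to:")):
            target = action.split(":", 1)[1]
            if domain_of(target) not in CORPORATE_DOMAINS:
                findings.append(("external_forwarding", target))
    keywords = {w.lower() for words in conditions.values() for w in words}
    hides = sorted(a for a in actions if a in HIDING_ACTIONS)
    if hides and keywords & FINANCE_KEYWORDS:
        findings.append(("hidden_finance_rule", ",".join(hides)))
    if len(rule.get("name", "").strip()) <= 1:   # blank or one-character names are hard to spot in a UI
        findings.append(("suspicious_rule_name", repr(rule.get("name", ""))))
    return findings


def analyze_consent(ev):
    """An OAuth consent that grants mail access or a refresh token persists past a password reset."""
    risky = sorted(set(ev.get("scopes", [])) & HIGH_RISK_SCOPES)
    return [("high_risk_oauth", f'{ev.get("app")}:{",".join(risky)}')] if risky else []


def analyze_log(text):
    """Map each user to findings; severity rises when a new-device login preceded the action."""
    findings = defaultdict(list)
    last_new_device_login = {}
    for line in text.strip().splitlines():
        ev = json.loads(line)
        user, ts = ev["user"], parse_ts(ev["ts"])
        if ev["op"] == "login":
            if ev.get("new_device"):
                last_new_device_login[user] = ts
            continue
        if ev["op"] == "inbox_rule_create":
            hits = analyze_rule(ev["rule"])
        elif ev["op"] == "oauth_consent":
            hits = analyze_consent(ev)
        else:
            hits = []
        recent = user in last_new_device_login and ts - last_new_device_login[user] <= NEW_DEVICE_WINDOW
        for kind, detail in hits:
            findings[user].append({"ts": ev["ts"], "kind": kind, "detail": detail,
                                   "severity": "high" if recent else "medium"})
    return dict(findings)
```

Run on the constructed log, the compromised clerk account yields four high-severity findings while the HR user's benign rule and calendar consent yield none; the same gating logic belongs in the identity/session layer of section 6.2, where a finding should force step-up or a hold rather than only an alert.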
6. Updated Framework / Control Model
6.1 Does the Old Model Still Work?
Old model: “Detect phishing emails, train users, enforce MFA, and respond quickly.”
Verdict under the 4 Laws:
- Law of Physics: Failed. It reacts to malicious content but allows harmful actions (wires, payroll changes, admin grants) to remain executable purely based on trust in email and identity.
- Law of Gravity: Failed. Identity is still treated as ground truth; once an account is authenticated, it can unilaterally move money or change controls.
- Law of Entropy: Failed. Multiple tools (email, training, SIEM, fraud analytics) do not form a unified shield; attackers exploit seams.
- Law of Velocity: Failed. Governance moves at policy and training speed, not at runtime enforcement speed; approvals live in PDFs and manuals, not in code.
So the existing BEC/phishing framework must be replaced, not just tuned.
6.2 Deterministic Control Model for BEC & Phishing
Objective: Prevent fraudulent financial and control‑plane actions, regardless of email content or apparent identity legitimacy, with near‑zero tolerance for execution of unverified high‑value actions.
What must be prevented (non‑exhaustive but deterministic set):
- Submission and execution of outbound wires, ACH transfers, and payment detail changes to new or modified beneficiary accounts without independent verification.
- Vendor master record changes (bank account, address) and payroll direct‑deposit changes initiated solely via email or single‑channel requests.
- Creation or elevation of high‑risk SaaS/IdP admin roles and long‑lived OAuth tokens without multi‑party, multi‑channel approval.
- Persistence mechanisms in mail and SaaS (forwarding rules, hidden folders, auto‑delete rules) that materially increase fraud or data‑theft risk without detection and approval.
At what execution layer (where controls must live):
- Workflow/Application layer (ERP/AP/Payroll/CRM/SaaS admin consoles): Enforce mandatory, machine‑enforced verification steps (callback, known‑good data checks, dual approval) for defined high‑risk actions.
- Identity/Session layer: Treat high‑risk actions as separate trust decisions from login; require step‑up authentication and behavioral confirmation even for authenticated users, especially when identity exposure signals are present.
- Communication layer (email, SMS, messaging): Provide context and warnings, but never be the sole gate for high‑risk decisions; email may initiate a request, but cannot complete it.
- Governance layer: Policies codified as guardrails in business systems (e.g., “no first‑time vendor payment over $X without callback to a phone number from master data, not from email footer”).
Failure tolerance (target):
- For large‑value actions (e.g., >$10K wires, admin grants, mass exports), tolerated failure should approach zero: the architecture should make unverified execution physically impossible, not just unlikely.
- For lower‑value actions, controlled residual risk may be acceptable, but must be explicitly engineered (e.g., thresholds, rate limiting, anomaly‑based holds).
Implementation examples (non‑vendor, architectural):
- Hard gating in ERP/AP: No new bank account for an existing vendor can be used until an out‑of‑band verification workflow is completed and logged in the system of record.
- Dynamic risk scoring at action time: Use identity‑exposure feeds (e.g., known compromised credentials or cookies) and behavior baselines to trigger step‑up before high‑risk actions.
- Unified digital shield: Connect email security, IdP logs, SaaS audit trails, and payment systems into an integrated control plane that opens or closes “gates” based on combined risk, not siloed signals.
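As an added illustration of the hard‑gating and governance rules above (not code from the report or from any ERP product), the following Python evaluates a payment to a new or changed beneficiary account: the account must already be in vendor master data or have a logged out‑of‑band verification that used the master‑data phone, and amounts above the threshold need two approvers distinct from the requester. The vendor records, verification entries, the 10K threshold and the 30‑day verification freshness window are constructed assumptions.

```python
"""Runtime gate for a payment to a new or changed beneficiary account.

Added illustration of the report's 'hard gating in ERP/AP' control; not code from
the report or from any ERP product. Vendor master data, verification log entries,
the 10K threshold and the 30-day freshness window are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DUAL_APPROVAL_THRESHOLD = 10_000           # above this, two approvers besides the requester
VERIFICATION_MAX_AGE = timedelta(days=30)  # assumption: a callback verification goes stale


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    verified_bank_accounts: frozenset  # accounts already verified in master data
    callback_phone: str                # captured at onboarding, never taken from an email


@dataclass(frozen=True)
class Verification:  # one logged out-of-band callback, written by the system of record
    vendor_id: str
    bank_account: str
    phone_used: str
    verified_by: str
    verified_at: datetime


@dataclass(frozen=True)
class PaymentRequest:
    vendor_id: str
    bank_account: str
    amount: float
    requested_by: str
    approved_by: tuple             # approver user ids
    contact_phone_in_request: str  # e.g. from the email footer; informational only
    now: datetime


@dataclass
class GateDecision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate_payment(req, vendors, verifications):
    """Return whether the request may execute, with every gate that objected."""
    vendor = vendors.get(req.vendor_id)
    if vendor is None:
        return GateDecision(False, ["unknown vendor"])
    decision = GateDecision(True)
    # Gate 1: an account outside master data needs a fresh, logged callback to the
    # master-data phone, performed by someone other than the requester.
    if req.bank_account not in vendor.verified_bank_accounts:
        valid = [v for v in verifications
                 if v.vendor_id == req.vendor_id
                 and v.bank_account == req.bank_account
                 and v.phone_used == vendor.callback_phone
                 and v.verified_by != req.requested_by
                 and timedelta(0) <= req.now - v.verified_at <= VERIFICATION_MAX_AGE]
        if not valid:
            decision.allowed = False
            decision.reasons.append("new beneficiary account has no logged out-of-band "
                                    "verification via the master-data phone")
    # Gate 2: a request supplying its own callback number is a pretext signal;
    # it is recorded but never used for verification.
    if req.contact_phone_in_request and req.contact_phone_in_request != vendor.callback_phone:
        decision.reasons.append("request carried a contact number that differs from master data")
    # Gate 3: dual approval above the threshold, approvers distinct from the requester.
    if req.amount > DUAL_APPROVAL_THRESHOLD:
        approvers = set(req.approved_by) - {req.requested_by}
        if len(approvers) < 2:
            decision.allowed = False
            decision.reasons.append("amount above threshold requires two approvers "
                                    "distinct from the requester")
    return decision


# Constructed sample data.
VENDORS = {"V-100": VendorRecord("V-100", frozenset({"ACCT-OLD-1"}), "+1-555-0100")}
VERIFICATIONS = [Verification("V-100", "ACCT-NEW-2", "+1-555-0100", "ap.clerk2", datetime(2025, 6, 1))]


def example_decisions():
    now = datetime(2025, 6, 10)
    # In-thread invoice with new bank details, a phone number from the email footer,
    # no logged callback and a single approver: blocked on two gates.
    blocked = evaluate_payment(
        PaymentRequest("V-100", "ACCT-NEW-9", 25_000.0, "ap.clerk1", ("cfo",), "+1-555-0199", now),
        VENDORS, VERIFICATIONS)
    # Same vendor, account verified by a second clerk via the master-data phone,
    # two approvers: allowed.
    allowed = evaluate_payment(
        PaymentRequest("V-100", "ACCT-NEW-2", 25_000.0, "ap.clerk1", ("cfo", "controller"), "", now),
        VENDORS, VERIFICATIONS)
    return blocked, allowed
```

Because the gate lives in the system of record and reads only master data and its own verification log, nothing in the initiating email (content, sender legitimacy, or a phone number in the footer) can complete the action on its own.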
7. Forward Outlook (Next 12 Months)
Signals‑based, not hype:
- Expect continued growth in high‑value, low‑volume BEC fraud, especially vendor email compromise and dual‑channel pretexting, because the economics are favorable and defenses remain weak.
- Identity‑exposure datasets will keep expanding; without architectural changes, attackers will rely even less on phishing to obtain credentials and more on reusing existing compromised data.
- Banks and payment networks will introduce stricter rules and recovery mechanisms (e.g., Nacha rule changes), slightly improving post‑fraud recovery but not eliminating initial losses.
- AI will further reduce attacker effort per pretext but will not fundamentally change mechanics; the decisive factor remains whether your architecture allows single‑channel, identity‑only approval for high‑risk actions.
What to watch as early warning:
- Rising average and median attempted BEC transaction sizes in your environment.
- Growth in vendor email compromise cases vs simple spoofed‑domain phishing.
- Evidence that attackers are using dual‑channel tactics against your staff (reports of SMS/WhatsApp pretexts).
- Increased detection of identity‑related incidents tied to reused or long‑exposed credentials.
8. Reference Annex (Evidence & Method Notes)
Sources used (highest to lowest evidentiary weight):
- Exploit mechanics and execution flows: Derived from common BEC fraud patterns documented in incident write‑ups and patterns visible in vendor data.
- Architecture failures & control bypasses: Inferred from discrepancy between strong email metrics and persistent BEC losses.
- Open‑source telemetry and statistics: FBI IC3, APWG, SpyCloud, Hoxhunt, LevelBlue, DeepStrike social engineering stats.
- Tier‑2 / emerging vendor reports: Identity exposure and BEC insights from SpyCloud and others for below‑the‑surface signals.
- Tier‑1 vendor and broad surveys: Used for context, particularly around human‑element narratives and phishing volume.
Data gaps and inferences:
- 2025 full‑year IC3 BEC statistics are not yet published; 2024 figures and 2025 trend data from APWG/Fortra, LevelBlue, and others were used to infer trajectory.
- Precise median loss per BEC incident varies by dataset; ranges and directionality (increasing size and persistence of impact) are used instead of single canonical numbers.
- Specific control failure rates (e.g., percentage of BEC incidents involving MFA‑protected accounts) are under‑reported; conclusions rely on identity‑exposure data and known bypass patterns.
What Defenders Should Stop Measuring
- Number of phishing emails blocked or reported, as standalone success metrics.
- Training completion rates and simulation click‑through rates as proxies for reduced BEC loss.
- Raw MFA coverage as proof of BEC resilience.
What Actually Predicts Damage
- The proportion of critical workflows that can be executed based only on email and identity trust.
- The volume and freshness of your exposed identities and sessions in criminal ecosystems.
- The rate and value of high‑risk actions prevented or forced through multi‑party verification at runtime.
FAQ: 15 Questions on the 2025 Business Email Compromise & Phishing Reality Report
1. Why did BEC remain the highest-impact fraud channel in 2025 despite improved email security?
While detection at the “email edge” improved, BEC persisted because it is an identity and business-process abuse problem, not a malware problem. Attackers shifted from simple spoofing to using compromised legitimate accounts and “dual-channel” lures (email to SMS) that bypass traditional email filters and corporate instrumentation.
2. How has Generative AI (Gen-AI) actually changed phishing and BEC?
According to the report, Gen-AI did not create new types of attacks. Instead, it scaled the quality and volume of pretexts, making long-form, multi-persona impersonations more convincing. The core mechanics—pretexting, account abuse, and wire fraud—remained the same as in previous years.
3. Why are "phishing click rates" and "awareness training completion" considered debunked metrics?
The report argues these metrics are “comfort telemetry” that do not correlate with actual financial loss. High training scores often coexist with high BEC losses because modern attacks (like Vendor Email Compromise) use legitimate threads and trusted accounts where a user’s “awareness” of a suspicious link is irrelevant.
4. What is "Dual-Channel Social Engineering" and why is it effective?
This is a tactic where an attacker initiates contact via a corporate channel (email) and quickly moves the victim to an unmonitored personal channel (SMS, WhatsApp, or voice). This moves the conversation away from corporate security controls and places the employee in a high-pressure, “personal” interaction where they are more likely to bypass standard procedures.
5. Is MFA (Multi-Factor Authentication) still a reliable defense against BEC?
MFA remains a baseline requirement but is no longer a “silver bullet.” In 2025, attackers frequently bypassed MFA using stolen session cookies, device fingerprints, and infostealer data. The report suggests measuring the “break rate” of MFA-protected accounts rather than just coverage percentages.
6. What is Vendor Email Compromise (VEC), and how does it differ from standard BEC?
In VEC, an attacker compromises a supplier’s actual mailbox and monitors existing financial threads. They then insert themselves into a real conversation with a modified invoice. Because the email comes from a “known good” account and references real business, it bypasses almost all technical and human checks.
7. Why are "identity dumps" and "infostealers" more dangerous than phishing links now?
Attackers no longer need to “phish” for credentials because there is a massive, growing reservoir of stolen identity data circulating in criminal ecosystems. The report notes that there are often 12x more exposed records than legacy identity checks can see, allowing attackers to log in as “valid” users without an initial phishing event.
8. What is the "Law of Physics" failure mentioned in the report?
This refers to the failure of detection-first security. If your architecture allows a high-value action (like a wire transfer or an admin change) to be executed solely because an email “looks” legitimate, the system is physically designed for failure. Detection after the fact is just incident response, not prevention.
9. What specific metrics should executives use to predict damage instead of "emails blocked"?
Executives should track:
- The median dollar value of attempted vs. successful BEC transactions.
- The number of high-value actions (wires, payroll edits) blocked by runtime verification.
- The volume and age of organizational identities found in recaptured criminal datasets.
- The percentage of critical workflows that can be completed via a single channel (email only).
10. How should organizations change their "Identity" strategy?
Organizations must stop treating an authenticated login as “ground truth.” High-risk actions (moving money, changing vendor data, granting admin roles) should be treated as separate trust decisions requiring step-up authentication and independent, multi-party verification.
11. What "High-Value Actions" should be architecturally constrained?
The report identifies several “must-protect” workflows:
- Outbound wires and ACH transfers.
- Vendor master record changes (bank accounts/addresses).
- Payroll direct-deposit edits.
- Creation or elevation of SaaS/IdP admin roles.
12. Why did "human error" statistics (like those in the DBIR) fail to help defenders in 2025?
Blaming “human error” oversimplifies the problem. The report argues that the real issue is systemic identity exposure and a lack of architectural guardrails. If a single human mistake can cause a multi-million dollar loss, the failure is in the system’s design, not the individual’s judgment.
13. What is a "Deterministic Control Model" for BEC?
It is a shift from “detecting bad emails” to “making harmful actions impossible.” It involves enforcing machine-governed verification (like a mandatory out-of-band callback) for any high-risk transaction, regardless of how legitimate the initiating email or identity appears.
14. What are the "blind spots" of Tier-1 security vendors?
Most vendors are siloed. Email security tools don’t see ERP/payment systems; IdPs don’t see SMS pivots. Because vendors are incentivized by “blocked email” counts rather than “reduced dollar loss,” they fail to provide visibility into the actual execution of fraud downstream.
15. What is the most critical priority for 2026?
The focus must shift from the Inbox to the Workflow. Security leaders must fund “runtime constraints” on money movement and administrative changes, ensuring that even if an identity is compromised, the attacker cannot execute the final, damaging action.