COMMENTARY: Business email compromise (BEC) has long been described as a leadership impersonation problem. The “CEO” sends a wire transfer request, a finance employee acts on it, and the damage is done. It’s a familiar mental model, and an increasingly insufficient one.

Data from nearly 800,000 attacks analyzed in our 2026 Attack Landscape Report reveals a more complex picture: BEC isn’t a single playbook applied uniformly. It’s a set of tactics that attackers calibrate against the specific operational characteristics of their target, such as organization size, structure, and how authority flows.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The attack that succeeds at a 300-person company looks materially different from the one targeting a 40,000-person enterprise—all because attackers are getting smarter about what actually works.

When trust becomes the attack vector

BEC accounts for roughly 11% of email attacks by volume, but that figure obscures the real exposure. The average BEC incident costs $123,005 according to the FBI IC3, and each attack represents a deliberate investment: research, identity selection, and pretext construction. These aren’t spray-and-pray campaigns. BEC attempts are purpose-built to pass the credibility threshold of a specific recipient at a specific organization.

Trust has become the core attack surface — specifically, the implicit trust employees extend to communications that appear to come from someone they know, a function they frequently interact with, or an authority to whom they report.

Internal impersonation BEC represents 39% of all BEC and exploits that trust directly. The attacker isn’t masquerading as an external partner; they’re pretending to be someone inside.

Size determines which identity gets weaponized

Here’s where the operational calibration gets specific.
Within internal impersonation BEC, four tactics compete: employee impersonation (45.3%); generic internal impersonation—fake IT helpdesk alerts, HR notices, payroll updates (36.7%); VIP or executive impersonation (8.4%); and lateral attacks from compromised accounts (9.6%).

Security awareness training has historically centered on C-suite impersonation. The CEO fraud narrative is well established and the financial stakes are real, but the data tells a different story about where this tactic actually concentrates.

At small organizations, VIP impersonation accounts for 43% of named identity impersonation BEC. At large enterprises, it drops to 7%. Employee impersonation picks up almost every point VIP drops.

The inversion is clean and logical. At 300-person companies, CEOs are known, accessible figures—someone who might plausibly email finance directly. Approval chains are short and controls are informal, so impersonating the CEO is credible because it fits how the company operates.

At a 30,000-person enterprise, the same tactic doesn’t hold. Multi-person approval workflows, out-of-band verification processes, and years of security awareness training have made C-suite impersonation a recognizable red flag. A message from a peer or mid-level colleague, on the other hand, doesn’t generate as much suspicion. Attackers know this, so they substitute accordingly.

For security leaders, this means examining whether training and detection are calibrated to the attacks the organization actually faces, not the archetype that gets the most coverage.

Focus on lateral attacks

Of all the findings in the report, the lateral BEC data deserves the sharpest practitioner attention.

Lateral attacks originate from genuinely compromised internal accounts rather than look-alike domains, and they scale dramatically with organization size. At small organizations, lateral BEC makes up just 0.24% of all BEC. At large enterprises, it reaches 23.2%.
Nearly one in four BEC attacks at the largest organizations doesn’t involve impersonation at all. The attacker operates from a real employee’s account, targeting real colleagues.

The reason follows from organizational complexity. Large organizations maintain tens of thousands of email accounts, complex identity infrastructure, third-party integrations, and shared credentials—all of which create more entry points for an attacker to gain legitimate access.

Once inside, a single compromised account offers access to a trusted internal surface that external messages can’t replicate. In an organization processing thousands of internal messages daily, a lateral attack is extraordinarily difficult to distinguish from normal communication.

This attack bypasses the perimeter entirely. Defending against it means moving beyond external threat detection and monitoring behavioral anomalies internally—for example, unusual message patterns, atypical recipients, or requests that fall outside a sender’s established workflow.

Know the attack profile before attackers do

What we found in our research is that BEC attacks are shaped by the organizations they target. Attackers observe how authority flows in our organizations, which identities are credible to impersonate, and which requests will pass without triggering verification—and then they select accordingly.

Security leaders who understand their own attack profile have a meaningful advantage. Large enterprises should treat lateral BEC as a primary risk category, not a secondary one, and ensure their detection capabilities look inward as well as outward.

Smaller organizations should take CEO fraud seriously precisely because their informal approval structures make it credible. In other words, awareness training needs to match the actual threat.

Business email will remain attackers’ most reliable path to exploiting the humans inside an organization.
The organizations that stay ahead of it are the ones that understand not just how attackers operate generally, but how they operate against their specific organization.

Mick Leach, Field CISO, Abnormal AI
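As an added illustration of the inward-looking detection the lateral attacks section calls for (this is example code, not part of the column and not Abnormal AI's product logic), the following Python sketch builds a per-sender baseline from ordinary internal mail and scores new messages on the three signals the column names: atypical recipients, requests that fall outside the sender's established workflow, and unusual send patterns. Every mailbox, address, message and the REQUEST_TERMS list is constructed for the example; it generalizes slightly beyond the text by combining the signals with a threshold so that a single anomaly alone does not raise an alert.

```python
"""
Added example, not from the column or from Abnormal AI: a minimal behavioural
baseline for internal mail that scores messages on the signals the column
names (unusual message patterns, atypical recipients, requests outside the
sender's established workflow). All mailbox data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Message:
    sender: str
    recipients: tuple      # internal addresses the message was sent to
    subject: str
    body: str
    sent_at: datetime


# Phrases typical of payment or credential requests; a constructed, illustrative list.
REQUEST_TERMS = ("wire", "bank details", "gift card", "payment", "invoice", "urgent", "w-2")

# Constructed history of ordinary internal traffic; this is the baseline.
HISTORY = [
    Message("alice@corp.example", ("bob@corp.example",), "Sprint planning",
            "Agenda for tomorrow attached.", datetime(2026, 1, 5, 9, 30)),
    Message("alice@corp.example", ("bob@corp.example", "carol@corp.example"),
            "Design review", "Please review the RFC.", datetime(2026, 1, 6, 14, 5)),
    Message("alice@corp.example", ("carol@corp.example",), "Retro notes",
            "Notes from today's retro.", datetime(2026, 1, 7, 10, 15)),
    Message("dave@corp.example", ("erin@corp.example",), "Invoice batch 12",
            "Payment run for this week's vendor invoices.", datetime(2026, 1, 5, 11, 0)),
    Message("dave@corp.example", ("erin@corp.example",), "Month-end close",
            "Reconciliation complete.", datetime(2026, 1, 8, 15, 30)),
]

# Constructed new messages to triage. The second one is what a lateral attack
# from alice's compromised account could look like: a first-ever mail to
# finance, sent at 03:40, asking to change wire instructions.
INCOMING = [
    Message("alice@corp.example", ("bob@corp.example",), "Standup notes",
            "Blockers: none.", datetime(2026, 1, 12, 9, 10)),
    Message("alice@corp.example", ("erin@corp.example",), "Urgent: vendor bank details",
            "Can you update the wire instructions for the vendor payment before 5pm? "
            "I'm in meetings all day.", datetime(2026, 1, 12, 3, 40)),
    Message("dave@corp.example", ("erin@corp.example",), "Invoice batch 13",
            "Payment run for this week's vendor invoices.", datetime(2026, 1, 12, 11, 20)),
    Message("alice@corp.example", ("bob@corp.example", "carol@corp.example"),
            "Design review follow-up", "Second pass on the RFC.", datetime(2026, 1, 12, 23, 15)),
]


def request_terms_in(msg):
    """Request-style phrases found in the subject or body (case-insensitive)."""
    text = (msg.subject + " " + msg.body).lower()
    return [t for t in REQUEST_TERMS if t in text]


def build_baseline(history):
    """Per sender: usual recipients, usual send hours, and whether payment or
    credential requests are part of that sender's normal workflow."""
    contacts = defaultdict(set)
    hours = defaultdict(set)
    request_senders = set()
    for m in history:
        contacts[m.sender].update(m.recipients)
        hours[m.sender].add(m.sent_at.hour)
        if request_terms_in(m):
            request_senders.add(m.sender)
    return contacts, hours, request_senders


def score_message(msg, contacts, hours, request_senders):
    """Return (score, reasons); each independent anomaly adds one point."""
    reasons = []
    new_rcpts = [r for r in msg.recipients if r not in contacts.get(msg.sender, set())]
    if new_rcpts:
        reasons.append("atypical recipients: " + ", ".join(new_rcpts))
    hits = request_terms_in(msg)
    if hits and msg.sender not in request_senders:
        reasons.append("request outside sender's established workflow: " + ", ".join(hits))
    known_hours = hours.get(msg.sender, set())
    if known_hours and msg.sent_at.hour not in known_hours:
        reasons.append(f"unusual send hour: {msg.sent_at.hour:02d}:00")
    return len(reasons), reasons


def triage(messages, history, threshold=2):
    """Flag messages with at least `threshold` anomalies; one signal alone is noise."""
    baseline = build_baseline(history)
    flagged = []
    for m in messages:
        score, reasons = score_message(m, *baseline)
        if score >= threshold:
            flagged.append((m.sender, m.subject, score, reasons))
    return flagged


if __name__ == "__main__":
    for sender, subject, score, reasons in triage(INCOMING, HISTORY):
        print(f"FLAG {sender} '{subject}' score={score}")
        for r in reasons:
            print("   -", r)
```

Run as a script, only the 03:40 "vendor bank details" message is flagged (score 3). The finance user's routine invoice mail is not, even though it contains payment language, because requests of that kind are part of that sender's baseline; and a late-night design review from the engineer scores only one point. That is the point of the threshold: on an internal surface processing thousands of messages a day, any one of these signals fires constantly, and it is the combination that separates a compromised account from a colleague working late.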