2026 Attack Landscape Report: BEC Tactics Adapt to Your Operations

Nearly 800,000 attacks reveal how BEC tactics shift with operational characteristics. See which impersonation strategies target organizations like yours.

Callie Baron, Elizabeth Swantek

April 22, 2026


Today, we published the 2026 Attack Landscape Report, a comprehensive analysis of nearly 800,000 email attacks observed across our customer base during the second half of 2025. The report examines how threat actors tailor phishing, business email compromise (BEC), and vendor email compromise (VEC) tactics to match the workflows, org structures, and operational realities of the organizations they target.

This is the first in a series of posts exploring the report's findings, starting with an inside look at BEC: which identities attackers choose to impersonate, what makes one tactic more credible than another in a given environment, and where compromised accounts change the equation entirely.

BEC: Low Volume, High Stakes

Business email compromise represents roughly 11% of attacks by volume—a fraction of phishing's 58%. But the comparison understates the threat. While BEC attacks are lower in volume, they are higher in investment per attempt, with each one built around a specific identity, a tailored pretext, and enough contextual detail to prompt action without triggering verification. The damage per success is also far greater, with the average BEC incident costing a business $123,005, according to the FBI IC3.

Here, we focus on the 39% of BEC that exploits trust within the target organization itself—what we call internal impersonation BEC. The remaining 61%, involving vendor and partner impersonation, is covered in a dedicated post on VEC later in this series.

How Attackers Exploit Internal Trust

Within internal impersonation BEC, four distinct tactics compete for share: employee impersonation, VIP impersonation, generic internal impersonation, and lateral attacks from compromised accounts.

Employee impersonation is the most common tactic at 45.3%, covering attacks that impersonate a named, non-executive colleague. Generic internal impersonation follows at 36.7%. These are department-level lures rather than individual ones—e.g., the fake IT helpdesk notice, the HR benefits update, the payroll system alert. VIP and executive impersonation accounts for 8.4%, despite its outsized reputation as the defining BEC tactic. Lateral attacks—originating from genuinely compromised internal accounts rather than impersonating one—account for 9.6%.

[Figure: Internal Impersonation BEC by Type]

Each represents a distinct attacker approach to the same underlying problem: how to make a request credible enough that the recipient acts on it without verifying. Organization size, industry, and recipient role each reshape the mix, since each variable changes which identities are available to exploit and which requests are plausible enough to succeed.

Organization Size Reshapes the BEC Mix

The internal impersonation BEC mix at a 500-person company looks nothing like the mix at a 50,000-person enterprise. As organization size increases, VIP impersonation gives way to employee impersonation in a near-perfect inverse relationship. Alongside that shift, lateral attacks—nearly absent at small organizations—emerge as a significant share of BEC at the enterprise end.

[Figure: Internal Impersonation BEC by Org Size]

Threat actors aren't applying a single playbook uniformly. They're adapting to the institutional realities of their target: how authority flows, how many identities are available to exploit, whether a department-level lure or a named individual is more credible, and whether compromising an internal account is worth the investment. Workforce size doesn't just scale attack volume; it fundamentally changes the types of attacks a business faces.

The Identity Behind the Impersonation

VIP impersonation leverages the identity of a C-suite executive or senior leader, whereas employee impersonation uses a non-executive colleague. The two tactics differ in their source of credibility, but both rely on impersonating a specific, named individual within the organization and betting that the recipient will act on a message from that person.

We group them under “named identity impersonation” because examining them together reveals how cleanly the two substitute for each other across organizational contexts. But we also examine them separately, since each concentrates in distinct industries and roles.

The VIP-to-Employee Substitution

VIP impersonation and employee impersonation move in near-perfect opposition across the organization size spectrum. At small organizations, VIP impersonation accounts for 43% of named identity impersonation. At large enterprises, it drops to 7%. Employee impersonation picks up almost every point VIP drops, and then some, since the combined bucket itself also grows as a share of internal impersonation BEC at the large end.

[Figure: Named Identity Impersonation by Org Size]

The shift reflects how organizational structure shapes which identities are credible to impersonate. In small organizations, the CEO is a known, accessible figure who might plausibly email the finance or operations team directly. Controls tend to be informal, and payment approval often runs through a single person. When account compromise is impractical—as it tends to be in smaller organizations with simpler infrastructure—impersonating a known executive becomes the next best lever.

In large enterprises, the opposite is true. CEOs don't email the finance department directly. Multi-person approval workflows are standard, out-of-band verification is expected, and security training has made C-suite impersonation a well-known red flag. But the underlying attack still works; it just requires a different cast. A message from a peer or mid-level colleague is far less likely to trigger skepticism than one purportedly from the C-suite.

Both tactics exploit the same mechanism: the credibility of a known, named individual within the organization. The variable is simply which individual is most convincing to impersonate, given how the target organization operates.

Executives as Subject and Target

More than 41% of internal impersonation BEC reaching executive leadership involves VIP impersonation—by far the highest of any job category, and 5x the sample average of 8.4%. The dynamic is worth naming explicitly: executives are both the most common subjects of VIP impersonation (attackers impersonate them to reach other departments) and the most common recipients of it (attackers impersonate other executives to reach them).

But VIP impersonation works differently depending on where it lands. When a CEO impersonation arrives in a finance recipient's inbox, it works because of authority—the executive's position is the lever. When it arrives in another executive's inbox, the mechanism is different. Executives routinely work with other executives; a message from a peer or superior is simply normal communication. At this level, VIP impersonation functions less as an authority exploit and more as a peer familiarity exploit—structurally closer to employee impersonation than the name suggests.

The impersonation is still of a named, high-status individual, but the credibility comes from the relationship, not the rank. This peer-impersonation pattern within the executive layer is a distinct attack surface.

Borrowing Authority From a Function

Named identity impersonation needs a convincing person; generic internal impersonation just needs a convincing department. These are the fake IT helpdesk notices and HR benefits updates that borrow authority from a function rather than an individual. The tactic accounts for 37% of internal impersonation BEC and succeeds because employees are conditioned to act on communications from internal systems without scrutinizing who actually sent them.

Lures That Match the Workflow

Of internal impersonation BEC reaching IT and technology recipients, 66.6% involves generic internal impersonation—well above the 36.7% sample average and the second-highest among named job categories after finance and accounting (72.8%).

The elevated rate is logical when you consider what generic internal impersonation actually looks like in practice: fake IT helpdesk notices, system alerts, credential reset requests, MFA re-enrollment prompts, and access provisioning emails. These are communications that IT staff receive legitimately and routinely in the course of their role. A threat actor impersonating "IT Security" and asking a recipient to verify their credentials is a far more contextually appropriate pretext when directed at someone in IT than at someone in Sales—the lure fits the workflow. The job function that is most familiar with fake helpdesk attacks is also the one for which fake helpdesk attacks are the most believable pretexts.

Finance and accounting's even higher rate reflects the same logic applied to a different set of lures. The dominant flavor of generic internal impersonation is almost certainly different there—fake HR payroll notices, finance system alerts, procurement approvals—rather than IT helpdesk impersonation. The category covers a range of department-level lures, and the variety that dominates in a given segment tends to mirror the recipient's actual workflow.

Lateral BEC: Attacks From the Inside

Lateral BEC accounts for 13% of all business email compromise, but unlike every other tactic in this article, the attacker isn't pretending to be someone inside the organization. They're operating from a compromised account belonging to a real employee. The message comes from a legitimate internal address, passes authentication checks, and carries the implicit trust that employees extend to emails from known coworkers. That makes lateral BEC harder to detect by design. And as organization size increases, both the opportunity and the incentive to pursue it grow dramatically.

Why Lateral BEC Scales With Size

Because "lateral" is an attack attribute rather than a standalone impersonation category, it can co-occur with other impersonation types. To capture the full scope, the rates in this section reflect lateral BEC as a share of all BEC rather than just one subcategory.

Measured this way, lateral BEC scales dramatically with organization size. At small organizations, it accounts for just 0.24% of BEC—nearly nonexistent. The rate climbs to 1.1% at mid-market organizations and 7.1% at large mid-market. Within enterprise organizations, lateral BEC jumps to 17.8%, and at large enterprises, 23.2%—nearly a quarter of all BEC, against a sample average of 13%.

Larger organizations maintain tens of thousands of email accounts, and with that scale comes a more complex identity surface—shared credentials, third-party integrations, interconnected systems—all of which create more entry points for an attacker to gain access to a legitimate account in the first place.

Once inside, the returns compound. A single compromised account in a 50,000-person organization has access to a vast pool of trusted recipients spanning interconnected departments, and internal emails move freely in ways that external messages cannot. High email volume provides additional cover: thousands of internal messages flow through inboxes daily, making a lateral attack far harder to spot than it would be in a 100-person company, where any unexpected internal message would stand out.

For threat actors, this is a straightforward ROI calculation. Compromising an internal account requires meaningful upfront investment—reconnaissance, credential theft, maintaining persistent access—but the payoff in a large organization justifies the effort. In a small organization, that same investment yields far less. Employees tend to know their colleagues personally, verification is as simple as walking over to someone's desk, and the target surface is a fraction of the size.

What the Data Makes Clear

The findings in the report point to a single operational reality: business email compromise attacks are shaped by the organizations they target. Attackers reconfigure their tactics around organizational structure, swapping impersonation targets as the size and complexity of the workforce change which identities are credible to exploit.

The data also challenges some widely held assumptions about where risk concentrates. VIP impersonation—the tactic most associated with BEC in the public imagination—accounts for a small fraction of internal impersonation attacks at large organizations, where employee impersonation and lateral attacks are far more prevalent. And lateral BEC, often treated as a universal BEC risk, is nearly nonexistent at small organizations—accounting for just 0.24% of BEC—and concentrates overwhelmingly at the enterprise end, where it reaches nearly a quarter of all BEC.

Defending against BEC starts with recognizing that the same characteristics that define how your organization operates also dictate your risk profile. The next post in this series examines how the same adaptive logic plays out across phishing.

The threats your organization faces are shaped by how it operates. The 2026 Attack Landscape Report shows you exactly how.
