Mike Britton at Abnormal AI argues that the real problem in email security isn’t human error; it’s silence
It’s easy to blame employees for email security failures. After all, human error is the single most common factor in breaches today.
Yet, new data reveals something more worrying than human error alone. Employees are now seeing and engaging with advanced email attacks at alarming rates, and almost never telling anyone about it.
Across 1,400 organisations, only 1.46% of advanced text-based attacks were reported after employees read them. In Europe the situation is worse: the reporting rate for highly targeted vendor email compromise (VEC) attacks is only 0.27%. At the same time, these attacks are driving extraordinarily high repeat engagement rates.
This data raises an important question. What if we’re looking at the problem wrong, and pointing fingers too easily? It isn’t the fact that employees make mistakes that puts organisations at risk; it’s the fact that they stay silent when they do. Leadership can no longer rely on security models that assume employees will behave otherwise.
Relying on employee reporting doesn’t work
For years, many organisations have clung to the outdated idea that training employees to spot threats, combined with an internal culture of reporting, will give the security team the visibility they need to act. The theory sounds reasonable. In practice, it fails. Every single day.
Large enterprises seem to struggle most with this, and their employees engage with sophisticated attacks like VEC on a regular basis. In companies with more than 50,000 employees, over 72% of VEC messages that were read prompted further action: staff replied to, forwarded, or escalated the fraudulent request. By contrast, smaller organisations with between 500 and 1,000 employees responded to only 24% of this attack type.
Worryingly, these high rates of response are not matched by high rates of reporting. To put this in perspective, between March 2024 and March 2025 a mid-market enterprise with 1,500-3,000 employees received approximately 560 text-based attacks per 1,000 mailboxes every month. Scaled to that headcount, that is an estimated 840-1,680 attacks a month, and at a reporting rate of 1.46%, almost all of them never reach the security team.
This is where silence becomes an attacker’s greatest ally. When employees don’t report what they see, attackers see value in repeating the same tactics. They refine their techniques, adjust their targets, and strike again.
That’s why we see such worrying rates of repeat engagement. In our data, more than 7% of VEC responses came from employees who had already engaged with a previous attack. That is not just an awareness gap, but also the result of a system that doesn’t learn fast enough to stop evolving threats.
Behavioural reasons employees stay silent
Now, before anyone rushes to blame employees, it’s worth understanding why they stay silent. Psychology gives us the answers here, and they’re perfectly human.
Often, employees assume someone else will report a suspicious message. Sometimes they believe that if they didn’t click a malicious link, they’ve done no harm by simply deleting the email. And very often they’re simply unsure, worried that flagging a legitimate message might embarrass them or waste a busy security team’s time.
These are not isolated failures of judgement. They are consistent and predictable behaviours. Unfortunately, no amount of training will ever fully eliminate them. This is why continuing to depend on employees as primary sensors for threat detection is fundamentally flawed.
Silence fuels repeat compromise and fraud
The stakes around email attacks couldn’t be higher. Vast amounts of money are lost due to VEC attacks, with attackers stealing more than $300 million between 2024 and 2025.
Many of these attacks involve sophisticated techniques. For example, attackers register a lookalike domain that is just one letter off a trusted vendor’s, then use it to reply inside an existing email thread about invoices. A rushed employee would most likely not question this, and may even add colleagues to the ongoing conversation.
No reasonable person would expect the average employee to catch this kind of deception. And yet, our security models too often hinge on the hope that they will.
Moving beyond user-dependent detection
It’s time to move beyond this broken model. The only way forward is to take the burden of detection off employees entirely. Modern behavioural analysis can now detect subtle anomalies in sender behaviour, message content, and conversation context. These systems can identify malicious emails and remove them before employees even see them, turning the attackers’ core advantage—human trust—against them.
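The lookalike-domain thread hijack described earlier, and the conversation-context signal mentioned in the paragraph above, can be made concrete with a small detector. The code below is an added example, not Abnormal AI's product code or anything from the article: it walks each email thread in arrival order and flags any reply whose sender domain is a near-match (edit distance 1) to a domain already established in that thread. The `Message` structure, the vendor and customer domains, and the sample thread are all constructed for the example.

```python
"""Flag replies from lookalike domains injected into an existing email thread.

Added example, not the article's or Abnormal AI's code. It models one signal
the article describes: a reply in an invoice thread whose sender domain is one
character off a vendor domain that already appeared in the same thread.
All message data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Message:
    msg_id: str
    sender: str                       # full address, e.g. "ap@acme-supplies.example"
    subject: str
    in_reply_to: Optional[str] = None  # msg_id this message replies to, if any


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address (hypothetical helper)."""
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance. A typical lookalike is distance 1 from the real
    domain: one letter swapped, dropped or inserted."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_threads(messages: List[Message]) -> Dict[str, List[Message]]:
    """Group messages by thread root (followed via in_reply_to), keeping arrival order."""
    by_id = {m.msg_id: m for m in messages}

    def root_of(m: Message) -> str:
        seen = set()
        while m.in_reply_to in by_id and m.msg_id not in seen:
            seen.add(m.msg_id)
            m = by_id[m.in_reply_to]
        return m.msg_id

    threads: Dict[str, List[Message]] = {}
    for m in messages:
        threads.setdefault(root_of(m), []).append(m)
    return threads


def find_lookalike_replies(messages: List[Message],
                           max_distance: int = 1) -> List[Tuple[str, str, str]]:
    """Return (msg_id, sender_domain, impersonated_domain) for each message whose
    sender domain is NEW to its thread and within max_distance of a domain that
    already took part in that thread. Domains already present are never flagged,
    so the genuine vendor replying after the impostor does not trip the check."""
    findings = []
    for thread in build_threads(messages).values():
        known = set()  # domains that have already appeared in this thread
        for m in thread:
            d = domain_of(m.sender)
            if d not in known:
                for k in sorted(known):
                    if edit_distance(d, k) <= max_distance:
                        findings.append((m.msg_id, d, k))
            known.add(d)
    return findings


# Constructed sample: an invoice thread hijacked by "acme-supplles" (i -> l),
# followed by the real vendor continuing the thread, plus an unrelated thread
# where a new, clearly different domain joins (not a lookalike, so not flagged).
SAMPLE_MESSAGES = [
    Message("m1", "ap@acme-supplies.example", "Invoice 4471 - March"),
    Message("m2", "finance@customer.example", "RE: Invoice 4471 - March", "m1"),
    Message("m3", "ap@acme-supplles.example", "RE: Invoice 4471 - March", "m2"),
    Message("m4", "ap@acme-supplies.example", "RE: Invoice 4471 - March", "m3"),
    Message("n1", "billing@vendor.example", "Quote 88"),
    Message("n2", "ops@other.example", "RE: Quote 88", "n1"),
]

if __name__ == "__main__":
    for msg_id, suspect, impersonated in find_lookalike_replies(SAMPLE_MESSAGES):
        print(f"{msg_id}: {suspect} looks like {impersonated}")
```

Running it flags only `m3`, the reply from `acme-supplles.example`, because the genuine domain it mimics was already a participant in the thread. The point for a defender is that this decision needs no action from the employee; the thread history itself carries the evidence, which is the kind of conversation-context check the paragraph above refers to.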
This shift isn’t about replacing employees or abandoning training. It’s about recognising that humans are not, and never will be, the last line of defence. As long as they are, attackers will keep winning.
Fixing the model, not the humans
We often talk about building a culture of security. That’s important. But culture alone won’t stop an attacker from hijacking a trusted thread or exploiting a moment of inattention. What will make a difference is building systems that reduce employees’ exposure to threats in the first place.
At the heart of this issue is a simple leadership choice. We can keep blaming human error and expecting employees to behave perfectly. Or we can accept the reality of how people operate and design our defences accordingly.
In the end, it’s not the mistakes employees make that will cost us the most; it’s the ones they never tell us about.
Mike Britton is CIO at Abnormal AI
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543