{"id":3406,"date":"2025-06-03T06:30:00","date_gmt":"2025-06-03T06:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3406"},"modified":"2025-06-03T06:30:00","modified_gmt":"2025-06-03T06:30:00","slug":"ai-gives-superpowers-to-bec-attackers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3406","title":{"rendered":"AI gives superpowers to BEC attackers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>As much as it has been used to defend and make some taxing jobs easier, AI is also being extensively employed by attackers, helping them collect the specific data used in business email compromise (BEC) attempts. AI is already getting better at deep research, which makes impersonation scams harder to identify and stop.<\/p>\n<h2 class=\"wp-block-heading\">What is business email compromise (BEC)?<\/h2>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/570999\/business-email-compromise-bec-attacks-take-phishing-to-the-next-level.html\">Business email compromise<\/a> refers to targeted, email-based cyberattacks that seek to trick victims into exposing company information, granting access to systems, handing over money, or performing other acts that negatively impact the business. This is done by impersonating a company executive, vendor, or another trusted partner.<\/p>\n<p>The attackers carry out these impersonations by setting up fake but legitimate-seeming email addresses, social media profiles, or accounts on collaboration apps such as Slack, Teams, or Zoom. 
They can also spoof a real email address if proper security precautions are not set up or take over an actual email account via compromised credentials, malware, or other methods.<\/p>\n<p>\u201cWe\u2019re seeing more concern from CISOs about this,\u201d says Gartner analyst Max Taggett. \u201cA lot of organizations are seeing it firsthand. They see how much is getting through their email filters, and the tools that they currently use aren\u2019t cutting it.\u201d<\/p>\n<h2 class=\"wp-block-heading\">The role of AI in business email compromise<\/h2>\n<p>Unlike traditional spam or phishing emails, which are designed to be as generic as possible, BEC fraud is highly targeted. Attackers must do a great deal of research about their targets to craft their messages and time their attacks for when their victim would be most susceptible, such as right after a big deal closes and they\u2019re expecting the payment request to arrive.<\/p>\n<p>Attackers use social media platforms, corporate websites, industry publications, and even the websites of a company\u2019s clients or vendors to get insights on personnel, corporate dynamics, and major events.<\/p>\n<p>\u201cWhat we see with BEC is that it\u2019s a long game,\u201d says Forrester analyst Jess Burn.<\/p>\n<p>This kind of research takes time and requires decent English language skills since the targets are commonly in English-speaking countries. As AI gets better at deep research, this information-gathering stage gets easier and faster.<\/p>\n<p>The next step is impersonation, which can involve creating look-alike email accounts, domains, social media accounts, or the exploitation of legitimate internal accounts. Attackers use automation to find and test relevant compromised credentials or create new accounts.<\/p>\n<p>Finally, the fraudulent request step is the one where the latest generation of AI really shines. 
A message that asks for a large amount of money will automatically draw increased scrutiny from a recipient, so the wording and timing of the request have to be convincing enough to survive that scrutiny, and that is exactly what generative AI now makes cheap.<\/p>\n<p>The days of being able to easily spot a scam because of poor grammar or broken English are quickly coming to an end. According to KnowBe4\u2019s March phishing <a href=\"https:\/\/www.knowbe4.com\/resources\/whitepapers\/phishing-threat-trends-report\">report<\/a>, 83% of phishing emails sent in the six months between September 2024 and February 2025 used AI, up 54% from a year earlier. KnowBe4 analyzes data from 13.2 million users at 31,000 organizations.<\/p>\n<p>\u201cThe old advice banks used to give is that if you receive a phishing email, look out for bad grammar, look out for bad language,\u201d says Dan Holmes, director of fraud, identity and market strategy at Feedzai, an AI-native fraud prevention platform. \u201cThe joke was that in the Netherlands, you never got phished because nobody could write Dutch. That\u2019s no longer valid.\u201d<\/p>\n<p>According to Feedzai\u2019s May AI fraud trends <a href=\"https:\/\/www.feedzai.com\/pressrelease\/ai-fraud-trends-2025\/\">report<\/a>, 60% of financial industry professionals say they\u2019re seeing criminals use generative AI for voice cloning, 59% are seeing it used for phishing emails and text messages, 56% say they\u2019re seeing it used for social engineering and 44% for deepfakes.<\/p>\n<p>\u201cOne of the big challenges in the voice cloning space is that you can take a ten-second audio of someone\u2019s voice and a bad actor can duplicate that voice,\u201d says Holmes. \u201cCEO scams are a great example \u2014 a call comes in, says, \u2018I need you to do this now, like go buy me a bunch of gift cards because I want to reward a bunch of colleagues.\u2019 Or \u2018I want to send a million dollars to that account now, let\u2019s set that process up.\u2019 Or \u2018I\u2019ve been kidnapped. 
I\u2019m in trouble, send X dollars to this account\u2019.\u201d<\/p>\n<p>Video takes that to another level, he says. \u201cThat\u2019s going to enhance the probability of that CEO scam even further. Banks have seen this in the wild and see this as a big risk.\u201d<\/p>\n<p>A scam can also be more than a single message: a long chain of communications, sometimes across multiple platforms, designed to build trust so that the eventual payoff will be bigger.<\/p>\n<p>In the past, this kind of work was extremely labor-intensive and only worth the effort for the most valuable targets, but that\u2019s no longer the case. According to <a href=\"https:\/\/arxiv.org\/pdf\/2412.00586\">research<\/a> released in late 2024 by Harvard Kennedy School and the Avant Research Group, fully AI-automated emails got a 54% click-through rate, compared to 12% for traditional phishing emails and the same 54% achieved by emails written by human experts. According to the researchers, this lets attackers target more individuals at lower cost and increase profitability by up to 50 times.<\/p>\n<h2 class=\"wp-block-heading\">A scary business email compromise (BEC) example<\/h2>\n<p>Last year we learned that an employee of Arup, a UK engineering firm, wired $25 million to fraudsters after attending a Zoom meeting with what appeared to be the CFO and several other colleagues known to the employee. In fact, everyone else on the video call was an AI-generated deepfake. 
\u201cThe realistic visuals and audio, combined with the presence of multiple seemingly familiar senior figures discussing the transaction, ultimately convinced the employee of the request\u2019s legitimacy,\u201d Adaptive Security stated in a <a href=\"https:\/\/www.adaptivesecurity.com\/blog\/arup-deepfake-scam-attack\">report<\/a>.<\/p>\n<p>That incident was a major wake-up call for everyone, but it\u2019s not yet all that common because of how difficult it is to create real-time deep fake videos and organize the call.<\/p>\n<p>\u201cAudio is actually a lot more common and easier to pull off,\u201d says Forrester\u2019s Burn. It only takes a few seconds of audio to clone someone\u2019s voice, and attackers can then use it in a phone call, or to leave a voice mail message, she says.<\/p>\n<p>BEC attacks are often, but not always, characterized by a sense of urgency, a request to go outside of normal payment channels, or changes to where the payment is supposed to go. In some cases, the attackers may request gift cards or cryptocurrency, but this is rare.<\/p>\n<p>According to the <a href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/\">Verizon DBIR<\/a>, it\u2019s because employees are more suspicious when asked to make business payments using crypto as opposed to standard business payment channels like wire transfers. According to Verizon\u2019s report, released in May, the median amount of money sent to BEC attackers was $50,000, and 88% of the payments were made by wire transfer.<\/p>\n<h2 class=\"wp-block-heading\">Other known names and related scams<\/h2>\n<p>BEC is also referred to as an email account compromise or targeted business email compromise. A BEC that involves a senior executive is also known as CEO fraud or executive impersonation. If the attack\u2019s target is also a senior executive, it can be called whaling. 
BEC that involves a vendor is also known as vendor impersonation, invoice fraud or payment diversion.<\/p>\n<p>BEC attacks often overlap with other types of attacks. They can start with a standard <a href=\"https:\/\/www.csoonline.com\/article\/514515\/what-is-phishing-examples-types-and-techniques.html\">phishing<\/a> email, or a targeted spear phishing attack. They could also involve credential theft and <a href=\"https:\/\/www.csoonline.com\/article\/571993\/social-engineering-definition-examples-and-techniques.html\">social engineering<\/a>.<\/p>\n<p>Spear phishing is a highly targeted phishing attack that could be the first point of compromise in a full-blown BEC incident.<\/p>\n<p>Other types of BEC include attorney impersonation and payroll diversion. Attackers could also pretend to be IT support personnel.<\/p>\n<h2 class=\"wp-block-heading\">Technical mitigation strategies<\/h2>\n<p>The first line of defense relies on automated tools that stop emails and other malicious communications from reaching the intended recipients.<\/p>\n<p>Global email service providers and communication platforms are all working to reduce the volume of fraudulent and spam email. Not only are these messages a security threat, but transmitting them is an unnecessary expense \u2014 the more of them that are stopped at the source, the better for everybody.<\/p>\n<p>And carriers and providers are getting better at identifying them. Google, for example, <a href=\"https:\/\/blog.google\/products\/gmail\/gmail-security-authentication-spam-protection\/\">claims<\/a> to block nearly 15 billion unwanted emails a day, stopping over 99.9% of spam, phishing, and malware attempts.<\/p>\n<p>Some of these efforts are bearing fruit. 
According to Zscaler\u2019s 2025 ThreatLabz phishing <a href=\"https:\/\/www.zscaler.com\/campaign\/threatlabz-phishing-report\">report<\/a>, released in April, phishing is down 20% globally, though the attacks are also getting more targeted, aiming directly at HR, finance and payroll teams.<\/p>\n<p>The attackers are aware that AI is being used to analyze their emails and attachments. Zscaler found one group with a clever work-around, a prompt injection aimed at the analyzer itself: text added to the top of the malicious files instructed the LLM not to analyze the file because it \u201csimply performs prime number generation.\u201d<\/p>\n<p>On the enterprise level, companies use secure email gateways (SEG) and integrated cloud email security (ICES) solutions, says Gartner\u2019s Taggett. SEG steps in before the email reaches the inbox. The most popular product is Microsoft Defender for Office 365, but enterprises also use tools from Proofpoint and Mimecast, he says. SEG typically uses a combination of filters and machine learning.<\/p>\n<p>SEG tools also check sender authenticity, comparing display names and return addresses against the company\u2019s executives and known contacts to catch look-alikes, and verifying the sending domain with protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting &amp; Conformance (DMARC).<\/p>\n<p>Unfortunately, not every domain publishes these records, and many that do stop short of enforcement. According to <a href=\"https:\/\/redsift.com\/guides\/red-sifts-guide-to-global-dmarc-adoption\">Red Sift<\/a>, only 5% of domains have DMARC at its strictest setting, a p=reject policy that tells receiving mail servers to block spoofed messages outright. But large public companies are ahead of the curve here, with 51% globally having this level of protection, and it\u2019s even higher in the United States, at 79%. India is a close second with 74.4%, followed by Australia with 73.5% and the Netherlands with 73.3%.<\/p>\n<p>Still, that leaves many companies vulnerable. 
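<\/p>\n<p>The sender checks described above fit in a few dozen lines. The following is an added example, not code from the article or from any of the vendors it names: it evaluates an inbound message against the sending domain\u2019s DMARC policy (parsing the TXT record, applying relaxed or strict SPF and DKIM alignment, and returning the policy disposition), then compares the display name and domain against a directory of known contacts to catch webmail impersonation and look-alike domains. It takes the SPF and DKIM results as input, the way a gateway reads them from an Authentication-Results header, rather than verifying signatures itself. The DMARC records, the contact directory and the messages are all constructed for the example, and the organizational-domain rule is simplified to the last two labels where a real receiver would consult the Public Suffix List.<\/p>

```python
# Added example: DMARC disposition plus display-name and look-alike checks
# for inbound mail. Every record, contact and message below is constructed.

# DMARC TXT records as a receiver would fetch them from _dmarc.DOMAIN.
# p=none only monitors; p=reject tells receivers to block unaligned mail.
DMARC_RECORDS = {
    'example.com': 'v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com',
    'weak-vendor.example': 'v=DMARC1; p=none; rua=mailto:dmarc@weak-vendor.example',
    'freemail.example': 'v=DMARC1; p=none; rua=mailto:dmarc@freemail.example',
}

# Directory of people and vendors the finance team legitimately hears from.
KNOWN_CONTACTS = {
    'Jane Doe': 'jane.doe@example.com',              # CFO
    'Acme Supplies AP': 'ap@acme-supplies.example',  # vendor accounts payable
}


def parse_dmarc(record):
    # 'v=DMARC1; p=reject; adkim=s' gives {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}
    tags = {}
    for part in record.split(';'):
        if '=' in part:
            key, value = part.split('=', 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Simplified organizational domain: the last two labels. RFC 7489 receivers
    # use the Public Suffix List so that names like example.co.uk work too.
    return '.'.join(domain.lower().split('.')[-2:])


def aligned(auth_domain, from_domain, mode):
    # Alignment between the domain that passed SPF/DKIM and the From domain:
    # mode 's' (strict) needs an exact match, 'r' (relaxed) the same org domain.
    if not auth_domain:
        return False
    if mode == 's':
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(from_domain, spf_pass_domain, dkim_pass_domain):
    # Returns (disposition, reason). The two *_pass_domain arguments are the
    # domains that produced a pass, or None if that check failed or was absent.
    record = DMARC_RECORDS.get(from_domain.lower())
    if record is None:
        return 'none', 'no DMARC record published'
    tags = parse_dmarc(record)
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags.get('adkim', 'r'))
    spf_ok = aligned(spf_pass_domain, from_domain, tags.get('aspf', 'r'))
    if dkim_ok or spf_ok:
        return 'pass', 'aligned ' + ('dkim' if dkim_ok else 'spf')
    policy = tags.get('p', 'none')
    return policy, 'unaligned; policy p=' + policy


def edit_distance(a, b):
    # Levenshtein distance, used to spot look-alike domains (acme-suppiies).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_flags(display_name, from_addr):
    # Directory checks that catch what DMARC cannot: a correct-looking name on
    # a webmail address, or a trusted domain with one or two characters changed.
    flags = []
    from_domain = from_addr.rsplit('@', 1)[1].lower()
    known = KNOWN_CONTACTS.get(display_name)
    if known and known.lower() != from_addr.lower():
        flags.append('display name matches known contact but address differs')
    for addr in KNOWN_CONTACTS.values():
        trusted = addr.rsplit('@', 1)[1]
        if trusted != from_domain and edit_distance(trusted, from_domain) in (1, 2):
            flags.append('look-alike of trusted domain ' + trusted)
    return flags


def assess(msg):
    from_domain = msg['from'].rsplit('@', 1)[1]
    disposition, reason = dmarc_result(from_domain, msg.get('spf_domain'), msg.get('dkim_domain'))
    flags = impersonation_flags(msg['display_name'], msg['from'])
    if disposition == 'reject':
        verdict = 'reject'
    elif disposition == 'quarantine' or flags:
        verdict = 'quarantine'   # hold for a human to review
    else:
        verdict = 'deliver'
    return {'dmarc': disposition, 'reason': reason, 'flags': flags, 'verdict': verdict}


# Constructed inbound messages with the SPF/DKIM results the MTA recorded.
SAMPLES = [
    {'display_name': 'Jane Doe', 'from': 'jane.doe@example.com', 'dkim_domain': 'example.com'},
    # direct spoof of the corporate domain: SPF passed only for the attacker's envelope domain
    {'display_name': 'Jane Doe', 'from': 'jane.doe@example.com', 'spf_domain': 'bulk-sender.example'},
    # webmail account impersonating the CFO: passes DMARC for freemail.example
    {'display_name': 'Jane Doe', 'from': 'jane.doe.cfo@freemail.example', 'dkim_domain': 'freemail.example'},
    # look-alike vendor domain (l swapped for i) with no DMARC record of its own
    {'display_name': 'Acme Supplies AP', 'from': 'ap@acme-suppiies.example', 'dkim_domain': 'acme-suppiies.example'},
    # spoof of a vendor that only monitors (p=none): DMARC alone lets it through
    {'display_name': 'Weak Vendor Billing', 'from': 'billing@weak-vendor.example', 'spf_domain': 'attacker.example'},
]

if __name__ == '__main__':
    for sample in SAMPLES:
        result = assess(sample)
        sender = sample['from']
        detail = result['flags'] or result['reason']
        print(f'{sender:36} dmarc={result["dmarc"]:8} verdict={result["verdict"]:10} {detail}')
```

<p>Run stand-alone, the script delivers the genuine CFO message, rejects the direct spoof of example.com because its record says p=reject with strict alignment, quarantines the freemail message even though it passes DMARC, quarantines the acme-suppiies look-alike, and delivers the spoof of weak-vendor.example because a p=none record carries no enforcement. That last case is the gap the Red Sift figures describe.<\/p>\n<p>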
According to Taggett, full DMARC implementation can be complex for large organizations and can create false positives and disrupt business processes. \u201cThis is probably one of the most important projects that can be undertaken first,\u201d he says. And not all email vendors are fully on board. \u201cCISOs should make that part of their RFPs.\u201d<\/p>\n<p>ICES steps in after an email has arrived in the inbox and uses next-generation AI to look at the tone and content of the messages and can be a good second layer of defense. Vendors include Abnormal, Egress, Darktrace, Ironscales, and Perception Point, which was recently acquired by Fortinet.<\/p>\n<p>Of course, protecting emails alone is no longer enough. \u201cThe trend has been to include collaboration apps in your security suite,\u201d says Taggett.<\/p>\n<p>Having authentication systems in place is a good first step. Is the person on the corporate Slack channel or Zoom call really who they say they are? \u201cYou need to clearly define what the approved channels are and secure them in some form,\u201d says Taggett. And that means not using some platforms at all, he adds. \u201cSignal, where I can\u2019t have corporate visibility, won\u2019t help me maintain visibility of the business process.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Ensure processes exist and people are trained<\/h2>\n<p>Having the right technology in place is a critical part to thwarting BEC attacks, but it\u2019s not enough. \u201cThere needs to be the right balance of tech and process,\u201d says Forrester\u2019s Burn. \u201cYou want technology with a high amount of efficacy to make sure these messages never even get in front of the users,\u201d she says. 
\u201cAnd if some do get in front of the end user, you hopefully have processes and training in place so that they ask questions and find someone else to run it past.\u201d<\/p>\n<p>If a vendor\u2019s or partner\u2019s email account is compromised and attackers are reading all the back-and-forth about an upcoming payment, it is easy for them to jump in at the last minute with fraudulent payment instructions. If the sender looks completely legitimate and the contents of the email are exactly as expected, this can be very difficult to catch in an automated way.<\/p>\n<p>Or it could be a compromised account inside the target\u2019s own company. For example, if a message comes in from the IT help desk asking an employee to use their credentials to log in to some system, the employee should double-check before clicking, Burn says. \u201cAnd you should be rewarded for doing that.\u201d<\/p>\n<p>And then there\u2019s the fact that emails can pass DMARC authentication but still be malicious. DMARC verifies that a message really came from the domain in its From address, not that the person behind the account is who they claim to be. Gmail, for example, will always pass DMARC, according to Burn.<\/p>\n<p>Too often, anti-phishing testing creates a punitive culture. \u201cThen nobody thinks they can do anything right and that creates a feeling of apathy.\u201d And the training shouldn\u2019t be limited to email, Burn adds. \u201cLook at Teams and Slack. People assume that these are closed communication channels, but they\u2019re often not. And, globally, a lot of business is done over applications that are not under security or IT\u2019s authority or protection.\u201d<\/p>\n<p>AI can help on this end, as well, she says. If an employee gets a suspicious message and they contact IT, some companies are already using generative AI to close the loop. The AI can take a close look at the content of the message and its context. \u201cThat takes a lot of time for security analysts,\u201d Burn says. But the AI can do the screening quickly. 
\u201cAnd then it can say, \u2018Good job, that looks suspicious, thank you for your efforts.\u2019 Or it can say, \u2018Thank you for being diligent, but we don\u2019t believe it is malicious\u2019.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Top ten ICES vendors<\/h2>\n<p>According to <a href=\"https:\/\/expertinsights.com\/email-security\/the-top-cloud-email-security-solutions\">Expert Insights<\/a> the following are the vendors with the best integrated cloud email security solutions.<\/p>\n<p>1. <a href=\"https:\/\/abnormal.ai\/\">Abnormal<\/a><\/p>\n<p>2. <a href=\"https:\/\/ironscales.com\/\">Ironscales<\/a><\/p>\n<p>3. Check Point\u2019s <a href=\"https:\/\/emailsecurity.checkpoint.com\/\">Harmony Email &amp; Collaboration<\/a> (formerly Avanan)<\/p>\n<p>4. <a href=\"https:\/\/www.darktrace.com\/products\/email\">Darktrace Email<\/a><\/p>\n<p>5. KnowBe4\u2019s <a href=\"https:\/\/www.egress.com\/products\/cloud-email-security\/protect\">Egress Protect<\/a><\/p>\n<p>6. <a href=\"https:\/\/www.inky.com\/email-security-platform\">Inky<\/a><\/p>\n<p>7. Mimecast <a href=\"https:\/\/www.mimecast.com\/products\/email-security\/integrated-cloud-email-security\/\">Integrated Cloud Email Security<\/a><\/p>\n<p>8. <a href=\"https:\/\/www.titanhq.com\/phishing-protection\/\">PhishTitan<\/a><\/p>\n<p>9. Proofpoint <a href=\"https:\/\/www.proofpoint.com\/us\/products\/adaptive-email-security\">Adaptive Email Solutions<\/a> (formerly Tessian)<\/p>\n<p>10. <a href=\"https:\/\/trustifi.com\/\">Trustifi<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>As much as it has been used to defend and make some taxing jobs easier, AI is also being extensively employed by attackers, helping them collect specific data that is used on business email compromise (BEC) attempts. 
AI is already getting better in deep research and with that making impersonation scams no longer as easy [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3407,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3406","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3406"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3406"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3406\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3407"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3406"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3406"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}