BEC Has Already Cost $55 Billion and AI Is Making It Worse
Business Email Compromise has already caused over $55 billion in losses. Now AI is scaling these attacks with deepfakes, voice clones, and urgent pretexts. Learn how modern BEC works and what CISOs can do to stop it.


Cybercriminals no longer need malware to breach your organization. All it takes is a believable email and a moment of human error.
Business Email Compromise (BEC) is a type of cyberattack where threat actors impersonate trusted contacts, like executives, vendors, or legal advisors, to trick employees into sending funds or sensitive information.
These attacks often rely on spear phishing, social engineering, and AI-generated pretexts to mimic legitimate business communication. The objective is simple: exploit internal trust to trigger actions that are hard to reverse. Common outcomes include:
- Authorizing fraudulent wire transfers to attacker-controlled accounts
- Updating vendor banking details based on fake change requests
- Sending payroll data, deal terms, or tax documents to impersonated stakeholders
- Acting outside normal protocols when urgency limits oversight and recourse
Between 2013 and 2023, BEC scams caused over $55 billion in global losses (FBI IC3, 2023). In 2024 alone, damages surged 42%, with the average incident now costing $4.89 million as attackers deployed generative AI, deepfake video calls, and context-aware pretexts at scale (Verizon DBIR, 2024). No sector is exempt. 70% of organizations report at least one BEC attempt per week (Proofpoint, 2024).
This report breaks down how modern BEC attacks operate, why traditional threat detection tools fall short, and how CISOs can build adaptive defenses that focus on behavior, not just infrastructure.

How Modern Business Email Compromise Attacks Work
Business Email Compromise is not just phishing. It’s a coordinated campaign that mimics trusted workflows, exploits communication norms, and pressures employees into acting before verifying.
These attacks succeed because they look and feel like legitimate business. Attackers study your internal operations, mirror executive behavior, and manipulate routine actions to bypass detection.
Here’s how a modern BEC attack typically unfolds:
Step 1: Targeted Reconnaissance
Attackers begin by collecting open-source intelligence. Using sources like LinkedIn, SEC filings, vendor portals, and breached credentials, they build a detailed understanding of your organization’s structure and financial flows.
AI accelerates this phase, scraping email signatures, executive writing patterns, deal terms, and known contact relationships. Attackers build psychological profiles that answer questions like:
- Who approves payments?
- Who travels often or works off-hours?
- What vendors invoice quarterly?
- What phrases does your CFO use in his approvals?
Step 2: Identity Fabrication and Trust Exploitation
Armed with this insight, attackers fabricate identities that blend into your workflows and align perfectly with real-world expectations. These are not generic spoofs. They’re highly personalized impersonations, timed and styled to match your org’s internal cadence.
In many cases, they go further by compromising legitimate accounts. Through account takeover (ATO), attackers gain access to executive, vendor, or employee inboxes, giving them full visibility into active conversations, approvals, and relationships. From there, they reply in-thread, forward realistic requests, and build pressure without triggering suspicion.
Common tactics include:
- Registering a domain one character off from your own
- Compromising a legitimate vendor or executive account
- Inserting messages into ongoing threads for seamless continuity
Everything is calibrated to feel real:
- Subject lines follow internal conventions
- Language mirrors the executive’s writing style
- Signatures, formatting, and even time zones align with expectations
The result is that there are no signs of compromise. Just a request that arrives at just the right moment, appears routine, and often gets acted on without verification.
Step 3: Urgent, Believable Execution
With trust in place, the attacker issues a request that is both urgent and operationally plausible.
Common examples include:
- A wire transfer for a last-minute deal
- A vendor requesting updated banking details
- An executive asking to reroute payroll during travel
To discourage hesitation, attackers reference legal deadlines, executive unavailability, or confidential transactions. The goal is to bypass multi-approver processes and exploit human error.
Typical phrasing includes:
“We’re closing this deal today. Need this wired before EOD.”
“Client’s lawyer just sent revised escrow details—process this now.”
“I’m boarding a flight, can’t talk. Handle this discreetly.”
These requests succeed because they exploit timing, authority, and trust.
And when email alone isn’t enough, attackers escalate, using phone calls, texts, or even video check-ins to seal the deception.
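The two signals that Steps 2 and 3 describe, a sender domain registered "one character off" from a trusted one and pressure language attached to a payment action, can both be checked mechanically before a message reaches the approver. The scorer below is an added illustration, not Dune Security's code; the trusted-domain list, the sample message and the phrase lists are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com", "acme-vendor.com"}  # constructed trusted senders
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}    # "one character off" swaps
# Pressure phrases quoted in Step 3, and the payment actions they push for.
URGENCY = re.compile(r"\b(before eod|today|now|boarding a flight|can.t talk|discreet\w*|deadline)\b", re.I)
PAYMENT = re.compile(r"\b(wired?|banking details|bank account|escrow|payroll)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance: insert, delete and substitute each cost 1.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    """Trusted domain this sender domain imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    folded = domain
    for bad, good in CONFUSABLES.items():  # c0rp -> corp, rn -> m, ...
        folded = folded.replace(bad, good)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or edit_distance(folded, trusted) == 1:
            return trusted
    return None

def score_message(raw: str) -> dict:
    # Count the Step 2 / Step 3 indicators present in one RFC 822 message.
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    indicators = []
    if (imitated := lookalike_of(from_dom)):
        indicators.append(f"sender domain {from_dom} imitates {imitated}")
    body = msg.get_payload()
    if URGENCY.search(body) and PAYMENT.search(body):
        indicators.append("urgent payment-action language")
    return {"score": len(indicators), "indicators": indicators}

# Constructed sample: lookalike sender plus pressure to wire before end of day.
SAMPLE_FRAUD = """From: CFO <cfo@example-c0rp.com>
Subject: Re: Q3 escrow

We're closing this deal today. Need this wired before EOD.
"""
```

A non-zero score is a reason to route the request to out-of-band verification, not a verdict; a compromised legitimate account (the ATO case in Step 2) would pass the domain check and show only the language indicator.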
Step 4: Multi-Channel Reinforcement
To increase credibility, attackers now reinforce their requests through multiple channels. Their goal is to push the victim over the line.
These reinforcements often include:
- A quick voicemail or voice call from the “CFO”
- A text message confirming urgency, using a familiar name or number
- A brief video call that appears to show an executive or attorney
In the moment, these touchpoints feel like validation. But in reality, they’re often synthetic, driven by AI-generated voice clones, spoofed phone numbers, or deepfake video feeds. Each layer builds trust and accelerates the response. Victims believe they’re acting on confirmed, legitimate business.
In one 2024 incident, a finance employee wired $25 million after a convincing video call with a “senior executive” who was, in fact, a deepfake (World Economic Forum).
The more convincing the message, the fewer questions get asked.

What Makes BEC So Effective
Business Email Compromise succeeds because it doesn’t look like an attack. There are no suspicious links. No malicious attachments. No obvious red flags. The emails appear routine, the requests seem reasonable, and the senders look familiar.
These campaigns aren’t brute-force intrusions; they’re built to manipulate behavior.
It Feels Like Business as Usual
BEC messages are crafted to blend into existing workflows. Attackers use public data, past communications, and organizational patterns to replicate normal business activity. The tone of voice, formatting, timing, and subject matter all reflect what employees expect to see.
They don’t guess. They study how your company operates.
When a message references an active vendor, uses executive phrasing, and arrives at the expected time, it often gets approved. Familiarity creates confidence. And confident actions often bypass verification.
Urgency is Engineered
Most successful BEC emails create pressure. The request often appears to come from someone with authority. A deal is closing. A payment needs to be rerouted. A legal deadline is hours away. The message signals that action is critical, and time is limited.
This urgency is intentional. It narrows the decision window and discourages the extra step that could stop the fraud.
AI Enables Speed and Scale
Today’s BEC attacks are no longer manual. Attackers use generative AI to launch high-volume, highly believable campaigns with minimal effort. What once took hours of research and hand-crafted emails can now be executed in seconds. AI models generate messages that follow business norms, mimic familiar structures, and avoid obvious red flags automatically.
In fact, 40% of BEC emails are now AI-generated (Darktrace, 2024).
Traditional Defenses Do Not Stop These Attacks
BEC attacks do not break systems. They exploit how systems are used. That makes them difficult to detect and nearly impossible to prevent with static controls.
Most email security tools are built to flag known threats. They scan for malware, suspicious links, or unknown senders. BEC emails bypass these entirely. The messages are clean. The language is specific. The sender appears trusted.
Legacy security awareness training has the same limitations. It teaches users to spot generic phishing attempts, not to question familiar names or credible instructions.
The attack works because it feels real. The victim carries it out willingly. By the time it’s recognized, the funds are gone or the access has already been exploited.

Real-World Examples of BEC in Action
The most effective BEC attacks are discovered too late: after the wire transfer clears or the vendor data is changed. The real-world incidents below show how attackers exploit routine business processes using deception, timing, and trust.
Each case offers a lesson: weak financial controls, compromised vendors, and the rising role of AI in scaling fraud.
Orion Chemical Manufacturing
Loss: $60 million
Year: 2024
Industry: Manufacturing
Tactic: Vendor impersonation via non-executive employee
A finance employee at Orion was tricked into wiring $60 million to fraudulent accounts after receiving a request that appeared to come from a known partner. The attackers used publicly available information to spoof a trusted third party and crafted a message that fit the context of ongoing transactions (The Record).
Why it worked: The spoofed vendor request fit seamlessly into an active workflow, and missing approval controls allowed it to move forward unchecked.
City of Lexington, Kentucky
Loss: $4 million
Year: 2022
Industry: Public sector / housing
Tactic: Vendor email compromise
Attackers impersonated a nonprofit vendor that distributed federal rent assistance. City employees received what looked like a routine request to update banking details for future payments. Over multiple transfers, the city unknowingly sent $4 million to accounts controlled by fraud actors (CNN).
Why it worked: Staff accepted the request as routine because it came from a known vendor and involved standard banking updates. Without a secondary validation step, the change was approved by default.
Ubiquiti Networks
Loss: $46.7 million
Year: 2015
Industry: Networking hardware
Tactic: Executive impersonation + fake legal pressure
Ubiquiti Networks lost $46.7 million after a finance executive received fraudulent emails impersonating the company’s CEO and a corporate attorney. The attackers instructed multiple wire transfers as part of a fake acquisition scenario. Over 17 days, 14 transfers were sent to accounts in several countries before the FBI alerted the company to the fraud (Forbes).
Why it worked: Attackers posed as senior leaders and used legal urgency to convince employees to follow wire instructions without escalating or confirming them.
FACC (Austrian Aerospace Manufacturer)
Loss: €42 million (~$47 million)
Year: 2015
Industry: Aerospace
Tactic: CEO impersonation targeting a senior employee
FACC, a supplier to Airbus and Boeing, fell victim to a “fake president” scam when an attacker impersonated the company’s CEO and instructed a senior employee to wire funds for a bogus acquisition. The employee followed instructions and transferred nearly €50 million before the fraud was discovered. Most of the funds were unrecoverable (SecurityWeek).
Why it worked: The attacker exploited positional authority, prompting a senior employee to authorize funds without confirming legitimacy.
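The Lexington and Orion cases both turned on a missing secondary validation step for a banking-detail change, and Step 3 notes that attackers aim to bypass multi-approver processes. The control below is an added illustration of what that step looks like when written down, not code from any of the organizations named; the vendor record, request and employee names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class VendorRecord:
    name: str
    phone_on_file: str   # captured at onboarding, never taken from an inbound email
    bank_account: str

@dataclass(frozen=True)
class ChangeRequest:
    vendor: str
    new_account: str
    received_by: str     # employee who logged the emailed request
    phone_in_email: str  # number the email asks you to call back; untrusted

@dataclass(frozen=True)
class Callback:
    dialed: str          # number actually dialed for the out-of-band check
    confirmed: bool      # vendor confirmed the new account on that call
    performed_by: str

def approve_bank_change(req: ChangeRequest, vendor: VendorRecord,
                        callback: Optional[Callback], approver: str) -> tuple:
    """Allow the change only after an independent callback and a second approver."""
    if req.vendor != vendor.name:
        return False, "request names a vendor that does not match the record"
    if callback is None:
        return False, "no out-of-band callback recorded"
    if callback.dialed != vendor.phone_on_file:
        return False, "callback used a number from the email, not the number on file"
    if not callback.confirmed:
        return False, "vendor did not confirm the new account"
    if approver == req.received_by:
        return False, "the person who received the request cannot approve it"
    return True, f"{vendor.name}: {vendor.bank_account} -> {req.new_account} approved"

# Constructed sample: the emailed request supplies its own callback number.
VENDOR = VendorRecord("Acme Vendor", "+1-555-0100", "ACCT-OLD")
REQUEST = ChangeRequest("Acme Vendor", "ACCT-NEW", "ap.clerk", "+1-555-0199")
```

Dialing the number printed in the email only confirms the change with whoever sent the email; the check has to use contact details recorded before the request arrived.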
Pattern Recognition: What These Attacks Have in Common
What Organizations Can Do Now
Business Email Compromise is no longer just a cybersecurity concern. It is an operational risk that targets human judgment and exploits behavioral gaps across the organization.
The danger lies in how real it feels. One well-timed message, crafted with context and urgency, can lead an employee to unknowingly authorize a seven-figure transaction.
Yet many organizations still rely on static phishing simulations and traditional security awareness training. These tools were built for outdated threats. They cannot stop an employee from trusting a message that looks and sounds legitimate.
Stopping modern BEC requires more than detection. It requires defenses that are proactive, behavior-aware, and dynamic.
Dune Security replaces one-size-fits-all training with User Adaptive Risk Management, a model that adjusts controls based on user behavior, risk level, and real-time context.
This approach allows organizations to:
- Pinpoint high-risk user behaviors and intervene before damage occurs
- Prioritize interventions for users who present real exposure
- Reduce alert fatigue and manual reviews with intelligent automation
- Preserve productivity by minimizing friction for low-risk users
- Scale behavior-based protection while decreasing team workload
As attackers scale their campaigns with AI, organizations must evolve faster. Strengthening human-layer resilience takes more than awareness. It requires targeted protection delivered when trust is most vulnerable.
