Most people have heard of Business Email Compromise (BEC) — the attack where someone impersonates your CEO or a vendor to redirect a payment. But the way it’s often described makes it sound simpler than it really is. The truth, revealed in recent research into criminal underground forums, is that a successful Business Email Compromise attack is a coordinated, multi-stage operation — one that requires patience, inside knowledge of your business, and an entire supporting infrastructure to pull off.
Understanding how attackers think is one of the best ways to defend against them. With Business Email Compromise causing billions in global losses annually, organizations must move beyond basic awareness to layered defenses.
It Starts Long Before the Email Arrives
Business Email Compromise begins with access to an organizational mailbox or business SaaS account. Once inside, threat actors analyze the account, study the organization’s structure, map financial privileges, learn the procurement process, review internal conversations with vendors, and examine invoices.
Only after gathering all of that does the attacker send the fraudulent request — and by that point, they know exactly who approves payments, what amounts look normal, and which vendors your company regularly pays. The email they send isn’t a guess. It’s informed by real data pulled from your own systems.
This is what makes Business Email Compromise so difficult to detect. A suspicious email from an unknown sender is one thing. But a message sent from a compromised mailbox, inside an existing conversation, using real names, real invoice references, and familiar wording is much harder for employees to question.
Who They’re Targeting Inside Your Organization
Threat actors place a high value on the mailboxes of finance-department employees, because those accounts reveal how the organization's financial operations actually work. Inside them, attackers look for accounts receivable, accounts payable, payroll, invoices, overdue payments, and customer payment relationships.
Corporate leadership and finance staff are the most sought-after targets — and SaaS platforms like Microsoft 365 are the primary entry point attackers pursue in Business Email Compromise campaigns.
Call Centers, Mule Networks, and Pressure Tactics
One of the more surprising details to emerge from underground forum research is just how organized the cash-out side of Business Email Compromise has become. Getting an employee to approve a fraudulent payment is only part of the challenge — the attacker also needs a place to send the money that won’t get flagged immediately.
Threat actors need to find a reliable, operational, and “clean” bank account to finalize the fraud, so they connect to mule networks and use cash-out services. Some operators have run these schemes for years across multiple countries, using peer-to-peer money transfers and even dedicated call centers to pressure companies into authorizing payments faster — before anyone has time to question the request.
A follow-up call can make a fraudulent request feel more legitimate and urgent. For defenders, a second communication channel should not be treated as proof of authenticity if the requester introduced or controlled that channel.
How AI Is Fueling Business Email Compromise Attacks
Just as we covered in our last article about fake AI platform invites, attackers are bringing artificial intelligence into Business Email Compromise campaigns as well. Underground discussions indicate that AI is increasingly being used to generate realistic business correspondence, mimic executive and employee writing styles, and produce context-aware payment requests or invoice fraud emails that blend into legitimate communication.
Rather than relying on a single template, AI enables the creation of thousands of unique email variations, making campaigns more difficult for traditional content-based detection systems to identify. Dedicated underground tools are even being promoted that can generate entire fake email conversation chains, giving attackers a ready-made context to insert a fraudulent invoice into. This evolution makes Business Email Compromise attacks more scalable and harder to spot than ever before.
What Defenders Need to Do
The good news is that understanding how attackers operate gives us a clear playbook for defense. Based on what researchers have uncovered from these underground discussions, here’s what organizations should focus on to combat Business Email Compromise:
- Protect your finance and leadership accounts above all else. These are the highest-value targets. Apply strong multi-factor authentication, monitor for unusual login activity, and limit access to financial systems to only those who genuinely need it.
- Train the right people — not just everyone. General security awareness training is valuable, but the employees who handle invoices, approve payments, or have access to accounts payable need specific, targeted training on Business Email Compromise tactics.
- Create a verification process for payment changes. Any request to change a vendor’s bank account information or redirect a payment — regardless of how it arrives — should require verbal confirmation through a known, pre-established contact number. Never use a number supplied in the request itself, and never let the request update the number on file.
- Don’t treat a phone call as a second form of verification. As the research makes clear, attackers use call centers as a pressure tactic. A follow-up call from someone you don’t know personally is not additional proof — it’s part of the attack.
- Be especially vigilant during vacations and absences. Attackers specifically look for moments when approvers are on vacation or otherwise unavailable, knowing that backup personnel may be less familiar with normal procedures and more likely to approve something unusual under time pressure.
- Consider a managed security partner. Business Email Compromise attacks exploit gaps in process and training, not just technology. A managed security provider can help your organization assess those gaps, implement email security controls, and monitor for signs that credentials have been exposed on the dark web — often the first step in a Business Email Compromise attack.
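The verification and approval controls above can be written down as a decision gate that a payments team applies to every bank-detail change. The following is an added example, not code from the original post or from Black Belt Secure; the vendor record, phone numbers and request scenarios are constructed, and the field names are assumptions about how a team might record a request and its verification.

```python
"""Decision gate for vendor bank-account change requests (illustrative, constructed data)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class VendorRecord:
    name: str
    bank_account: str
    verified_phone: str          # captured at onboarding; never updated from an inbound request

@dataclass(frozen=True)
class BankChangeRequest:
    vendor: str
    new_account: str
    offered_callback: Optional[str]   # phone number the request itself supplies, if any
    primary_approver_available: bool  # False when the usual approver is on vacation or out

@dataclass(frozen=True)
class Verification:
    number_called: Optional[str]      # number the verifier actually dialled
    vendor_confirmed: bool            # vendor confirmed the new account on that call
    second_approver: Optional[str]    # named backup approver when the primary is absent

def decide(req: BankChangeRequest, ver: Verification, vendor_master: dict):
    """Return ('apply' | 'hold' | 'reject', reasons). Anything short of a full pass is a hold."""
    reasons = []
    vendor = vendor_master.get(req.vendor)
    if vendor is None:
        return "reject", ["vendor is not in master data; onboard it through the normal process"]
    # A callback number introduced by the requester is a channel the requester controls.
    if req.offered_callback and req.offered_callback != vendor.verified_phone:
        reasons.append("request supplies its own callback number; do not dial it, flag for review")
    # Only a call placed to the pre-established number on file counts as verification.
    if ver.number_called != vendor.verified_phone:
        reasons.append("verification must be a call placed to the number on file")
    elif not ver.vendor_confirmed:
        reasons.append("vendor did not confirm the new account on the verification call")
    # Absence of the usual approver is exactly when attackers strike; require a named backup.
    if not req.primary_approver_available and not ver.second_approver:
        reasons.append("primary approver absent; a second named approver must sign off")
    return ("apply" if not reasons else "hold"), reasons

# Constructed sample data: one vendor on file and two incoming requests.
VENDORS = {"Acme Supplies": VendorRecord("Acme Supplies", "ACCT-OLD-001", "+1-555-0100")}
SUSPECT = BankChangeRequest("Acme Supplies", "ACCT-NEW-999", "+1-555-0199", True)
SUSPECT_VERIFICATION = Verification("+1-555-0199", True, None)   # verifier dialled the offered number
CLEAN = BankChangeRequest("Acme Supplies", "ACCT-NEW-002", None, False)
CLEAN_VERIFICATION = Verification("+1-555-0100", True, "controller.backup")

if __name__ == "__main__":
    print(decide(SUSPECT, SUSPECT_VERIFICATION, VENDORS))   # hold, two reasons
    print(decide(CLEAN, CLEAN_VERIFICATION, VENDORS))       # apply, no reasons
```

The suspect case holds even though "the vendor confirmed" on the phone, because the number dialled came from the request rather than from master data.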
The Bottom Line
Business Email Compromise isn’t going away — it’s getting more sophisticated, more targeted, and harder to spot. Attackers invest significant time learning your business before they ever send that fake invoice. The best thing you can do is invest equal time in making sure your people, processes, and technology are ready before they do. With losses from Business Email Compromise continuing to climb into the billions globally each year, proactive defense is no longer optional.
Black Belt Secure helps small and mid-size organizations build defenses that match the real threat landscape — not just yesterday’s attacks. Contact us to learn more.
