- What is Business Email Compromise (BEC)?
- BEC by the numbers (verified 2024-2025 statistics)
- How AI has changed BEC in 2025-2026
- Why MFA does not stop AiTM phishing
- Vendor Email Compromise (VEC), the dominant 2025 pattern
- The 5-phase BEC attack chain
- The 10 controls that prevent AI-BEC
- How to detect BEC in Microsoft 365
- Cyber insurance and BEC: the fine print
- How Cyvatar prevents BEC
What is Business Email Compromise (BEC)?
Business Email Compromise (BEC) is a fraud scheme in which an attacker takes over or impersonates a legitimate email account to trick employees into wiring money, changing banking details, or sending sensitive information. The attacker either compromises a real mailbox at the target organization (or at one of its vendors), or stands up a look-alike domain that mimics a trusted sender. Either way, the message arrives looking legitimate.
The FBI's Internet Crime Complaint Center (IC3) tracks BEC as its own category and has done so for a decade. In their 2024 Annual Report, BEC ranked as the second-most-financially-damaging cybercrime category, behind only investment fraud.
What BEC is not is malware. There is no payload, no encrypted file, no exotic exploit chain. BEC weaponizes trust, urgency, and the mechanics of business itself: invoices, wire transfers, payroll, banking changes, executive instructions. That is what makes it so financially destructive and so hard to stop with the security tools most organizations already own.
BEC by the numbers (verified 2024-2025 statistics)
Reported losses and incident volume
The FBI IC3 2024 Annual Report (published April 2025) confirmed Business Email Compromise as a $2.8 billion problem in a single year, across 21,442 complaints. That is an average reported loss of approximately $130,000 per incident, though the median is lower (around $50,000 per Verizon DBIR 2025) because a small number of very large wire frauds skew the mean upward.
Verizon's 2025 Data Breach Investigations Report added an important shape to the data: pretexting attacks have nearly doubled and overtaken phishing as the dominant BEC technique. Pretexting is the social-engineering subcategory where an attacker constructs a believable narrative (a CFO traveling abroad, a vendor switching banks, an urgent acquisition) rather than throwing a generic phish at the inbox. Pretexting is what AI is making industrial.
In 2025, BEC was the leading source of cyber-insurance claims globally, accounting for roughly 31% of all incidents. But coverage almost always sits behind a social-engineering or funds-transfer-fraud sub-limit, typically $100K-$250K even on a $5M policy. Read your rider before you need it.
How AI has changed BEC in 2025-2026
The old BEC playbook was one well-crafted email. The new one is a sustained, multi-turn conversation, run by an AI agent that reads your replies, mirrors your tone, and stays in character for weeks. That shift is why we call it AI-Powered Business Email Conversation Compromise. Five concrete changes account for most of the damage:
1. AI writes the phishing email now
By April 2025, an estimated 82% of phishing emails showed signs of AI generation, the first time machine-written phish outnumbered human-written ones. SlashNext reported a 1,265% increase in phishing email volume since the launch of ChatGPT. The classic warning signs (poor grammar, awkward phrasing, generic templates) are gone. Modern AI-written phishing is fluent, contextually accurate, and individually tailored to the victim using OSINT.
2. Voice cloning defeats callback verification
The traditional control against wire fraud was "call to verify." That control depended on the executive's voice being recognizable. In 2025, AI tools clone a voice from three seconds of public audio (a LinkedIn video, podcast clip, or voicemail greeting). U.S. deepfake fraud losses reached $1.1 billion in 2025, triple the $360 million reported in 2024. The average loss per voice-clone attack is $243,000.
3. Deepfake video calls authorize real wires
In a case made public in February 2024, a finance employee at engineering firm Arup wired $25.6 million across 15 transactions after a video conference on which every other participant, including the "CFO", was an AI-generated deepfake. In March 2025, a multinational firm in Singapore lost $499,000 to the same playbook. The shift is profound: seeing and hearing the executive is no longer proof of identity.
4. PhaaS makes MFA bypass turnkey
Phishing-as-a-Service (PhaaS) platforms have industrialized adversary-in-the-middle attacks. Tycoon 2FA alone accounted for roughly 62% of Microsoft-blocked phishing in mid-2025, including 30 million fraudulent emails in a single month. Tycoon 2FA, EvilProxy, Sneaky 2FA, and Mamba 2FA all sit between the victim and the real M365 or Google login page, steal the session cookie, and walk past traditional MFA. We cover this mechanism in detail in the next section.
5. One attacker now runs thousands of parallel BEC threads
The economic logic of BEC has flipped. Before AI, an attacker had to write, monitor, and respond to a small number of high-value threads manually. With LLM-driven response automation, a single human operator now supervises hundreds of simultaneous BEC conversations, with the AI handling routine replies and only escalating to the human when the victim raises a non-trivial objection. The cost per attempted fraud has collapsed, and the volume has exploded accordingly.
Why MFA does not stop AiTM phishing
This is the question most security leaders are asking in 2026: "We have MFA. Why are we still getting hit?"
Adversary-in-the-Middle (AiTM) phishing works like this:
- The victim clicks a phishing link in an email.
- The link points to a reverse-proxy server controlled by the attacker, running a kit like Tycoon 2FA, EvilProxy, Sneaky 2FA, or Mamba 2FA.
- The proxy forwards every keystroke and response to and from the real Microsoft 365 or Google login page. The victim sees the legitimate login page.
- The victim types their real password. The proxy forwards it. The real M365 backend accepts it and prompts for MFA.
- The victim approves the MFA prompt (tap, OTP, push, whatever method). The real backend accepts it and issues a session cookie.
- The proxy steals the session cookie and hands it to the attacker.
The attacker replays that cookie and holds a valid, fully MFA-satisfied session in the victim's tenant. The proxy captured the password as well, but the attacker never has to answer an MFA challenge of their own. In the Entra sign-in log the event looks like a normal successful MFA sign-in, with two tells: the authentication came from the proxy's IP address, and the session token is then used from the attacker's infrastructure. Those properties are what Entra ID Protection's unfamiliar-sign-in and anomalous-token detections key on, and they are the main detection handle, because EDR sees nothing: no malicious code touched the endpoint.
SMS OTP, authenticator-app OTP, and push approvals (number matching included) are all phishable via AiTM, because the victim enters or approves them in real time against what is, as far as the real backend can tell, a legitimate login, and the proxy collects the resulting cookie. Phishing-resistant MFA defeats this: FIDO2/WebAuthn credentials (hardware keys or device-bound passkeys) and, in the Microsoft world, Windows Hello for Business and certificate-based authentication. The reason is origin binding. During a WebAuthn login the browser, not the page, writes the page's origin into the signed client data, and it only releases a credential whose relying-party ID matches that origin. A proxy page on a different domain therefore gets no usable assertion, and any assertion it did obtain would carry the wrong origin and fail verification at the real site. Pair this with a Conditional Access rule that requires a compliant or hybrid-joined device: the proxy cannot complete device authentication on the victim's behalf, so the AiTM session is blocked even for users still on a weaker factor.
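Why the relay works for an OTP and fails for a FIDO2 credential, as an added illustration (not code from this page, nor from Microsoft or Google): a cut-down model of a WebAuthn assertion in Python. The authenticator's ECDSA signature is stood in for by an HMAC over the same bytes a real authenticator signs (authenticatorData followed by SHA-256 of clientDataJSON); origin binding comes from what is signed, not from the algorithm. The domains, challenges and keys are made up.

```python
"""Model of a WebAuthn assertion next to a TOTP code, to show which one an
AiTM proxy can relay.  Added example; HMAC stands in for the ECDSA signature
and all domains, challenges and keys are assumptions."""
import hashlib
import hmac
import json
import os
import struct

REAL_ORIGIN = "https://login.microsoftonline.com"
REAL_RP_ID = "login.microsoftonline.com"
PHISH_ORIGIN = "https://login.microsoftonline.com-verify.example"   # assumed proxy host
PHISH_RP_ID = "microsoftonline.com-verify.example"


def rp_id_valid_for_origin(rp_id, origin):
    """Browser rule: the RP ID must be the origin's host or a registrable parent of it."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """One credential per RP ID; the key never leaves the device."""
    def __init__(self):
        self.creds, self.counter = {}, 0

    def register(self, rp_id):
        self.creds[rp_id] = os.urandom(32)
        return self.creds[rp_id]            # stand-in for the public key the RP stores

    def sign(self, rp_id, client_data_hash):
        if rp_id not in self.creds:
            raise LookupError("no credential for " + rp_id)
        self.counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self.counter)
        return auth_data, hmac.new(self.creds[rp_id], auth_data + client_data_hash, "sha256").digest()


def browser_get_assertion(authn, page_origin, rp_id, challenge):
    """navigator.credentials.get(): the browser writes the page origin into
    clientDataJSON itself and refuses RP IDs the calling page does not own."""
    if not rp_id_valid_for_origin(rp_id, page_origin):
        raise PermissionError("SecurityError: %s is not valid for %s" % (rp_id, page_origin))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    auth_data, sig = authn.sign(rp_id, hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(cred_key, assertion, challenge):
    """Relying-party side: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:
        return False                         # a proxied login carries the proxy's origin here
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    expected = hmac.new(cred_key, ad + hashlib.sha256(assertion["clientDataJSON"]).digest(), "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 code: nothing in it identifies the site it was typed into."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), "sha1").digest()
    off = mac[-1] & 0x0F
    return "%0*d" % (digits, (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits)


def scenario_legit_fido():
    a = Authenticator()
    key = a.register(REAL_RP_ID)
    return rp_verify(key, browser_get_assertion(a, REAL_ORIGIN, REAL_RP_ID, "chal-1"), "chal-1")


def scenario_aitm_fido():
    """The proxy fetches a genuine challenge from the real site and relays it into its page."""
    a = Authenticator()
    key = a.register(REAL_RP_ID)
    chal, outcomes = "chal-2", []
    try:                                     # 1. page at the proxy origin asks for the real RP ID
        browser_get_assertion(a, PHISH_ORIGIN, REAL_RP_ID, chal)
        outcomes.append("assertion produced")
    except PermissionError:
        outcomes.append("browser refused rpId")
    try:                                     # 2. page asks for an RP ID it does own
        browser_get_assertion(a, PHISH_ORIGIN, PHISH_RP_ID, chal)
        outcomes.append("assertion produced")
    except LookupError:
        outcomes.append("no credential for phishing rpId")
    a.register(PHISH_RP_ID)                  # 3. even if the victim had enrolled a key with the proxy site
    assertion = browser_get_assertion(a, PHISH_ORIGIN, PHISH_RP_ID, chal)
    outcomes.append("rp accepted" if rp_verify(key, assertion, chal) else "rp rejected origin/rpIdHash")
    return outcomes


def scenario_aitm_totp():
    """The victim types a valid code into the proxy page; the proxy forwards it unchanged."""
    secret, now = os.urandom(20), 1_700_000_000
    typed_into_phishing_page = totp(secret, now)
    return typed_into_phishing_page == totp(secret, now)   # the real backend accepts it
```

The three FIDO2 outcomes map onto the three things an AiTM kit could try: ask for the real RP ID from its own origin (the browser refuses), ask for an RP ID it owns (the authenticator has no such credential), or rely on a credential the victim enrolled with the fake site (the real relying party rejects it on origin and rpIdHash). The TOTP path has no such check anywhere, which is the whole point.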
Vendor Email Compromise (VEC), the dominant 2025 pattern
If you only know the BEC playbook from old training, you may be picturing the wrong attack. Vendor Email Compromise (VEC) is now the dominant variant, and it is shaped differently than the classic "CEO emails the CFO" scam.
In VEC, the attacker first compromises a vendor's mailbox, not yours. They then read the vendor's outbound payment history, identify the vendor's customers, and craft fraudulent invoices or banking-change requests that arrive at those customers from the legitimate vendor email address. The message lands inside an existing, trusted thread, often weeks or months after the relationship was established. Your AP team has no reason to suspect it.
The Abnormal Security 2025 VEC research is striking:
- 83% of large enterprises experienced a VEC attack in 2024.
- VEC engagement rate is 90% higher than traditional BEC, meaning more victims actually act on the fraudulent request.
- 98.5% of VEC scams go entirely unreported, usually because the loss is only discovered after the money is gone and the relationship audit reveals the swap.
- Attackers attempted over $300 million in VEC theft in a single 12-month window.
- Telecommunications was the industry with the highest VEC engagement rate at 71.3%, followed by energy and utilities at 56%.
The defense against VEC is primarily procedural, because the message is technically authentic: it comes from the vendor's real mailbox, passes SPF, DKIM and DMARC, and continues an existing thread, so no gateway check can fault it. Out-of-band callback verification to a phone number from your vendor master file, never the number in the email signature or on the new invoice, applied consistently to every banking-detail change, blocks the dominant VEC outcome. Treat a banking change like a vendor onboarding: a second person approves it, and nothing is paid to the new account until the callback is logged.
The 5-phase BEC attack chain
Modern BEC, whether AI-augmented or classic, follows a consistent five-phase shape. Each phase has specific controls that can stop the attack.
Phase 1: Compromise
The attacker gets a foothold inside the target mailbox. In 2025-2026, the dominant method is AiTM phishing as described above. Secondary methods include OAuth consent phishing (tricking the user into authorizing a malicious app), credential stuffing and password spraying against legacy authentication protocols (IMAP, POP3, SMTP AUTH), which cannot enforce MFA at all, and password reuse exposed by external breaches.
Phase 2: Watch
Once inside, the attacker establishes silent persistence. The signature moves are hidden inbox rules (forward all incoming mail to an external address and move the original to RSS Subscriptions or Conversation History so the user never sees the replies), mailbox-level forwarding via the ForwardingSmtpAddress property (set with Set-Mailbox by anyone holding an Exchange admin role, and not shown in Outlook's rules dialog), and OAuth grants to attacker-controlled apps with Mail.Read or Mail.ReadWrite scope, which survive a password reset and keep reading mail through the Graph API whether or not the rules are ever cleaned up.
Phase 3: Identify
The attacker (or an AI agent acting on their behalf) reads weeks of email history to map the organization's vendors, approval workflows, accounting cycle, and pending invoices. Specific keyword searches: "wire," "ACH," "invoice," "banking details," "routing number," "remit to." The objective is to find an in-flight payment to intercept.
Phase 4: Strike
The attacker either replies inside a legitimate vendor thread or sends a new message from a look-alike domain (typosquat, Unicode homograph, or alternate TLD). The content is a banking-detail change, an updated invoice, or an urgent wire request. If the AP team pushes back, the attacker may escalate with a voice-cloned phone call from the "executive" to resolve the doubt.
Phase 5: Drain
The money moves through a wire transfer (88% of BEC cases per Verizon DBIR 2025) to a mule account, which then redistributes through 3-5 hops in under four hours to defeat recovery. The FBI's Financial Fraud Kill Chain can sometimes freeze and recover international wires of $50,000 or more if IC3 is notified within 72 hours, but recovery rates collapse fast after that window closes. Call the originating bank's fraud desk and file with IC3 the moment a fraudulent wire is suspected, not once it is confirmed.
The 10 controls that prevent AI-BEC
These are the controls that actually stop AI-Powered BEC in 2026. Numbered for priority. The first six stop the attack chain; the last four catch it if the first six fail.
- Phish-resistant MFA on every account. FIDO2 hardware keys (YubiKey, Titan, Feitian) defeat AiTM session-cookie theft. SMS OTP, authenticator-app OTP, and push approvals do not. In Microsoft 365: Entra ID, Security, Authentication methods, enable Passkey (FIDO2). In Google Workspace: Security, 2-Step Verification, "Only security keys" plus the Advanced Protection Program.
- Disable external auto-forwarding tenant-wide. Microsoft: Defender portal, Anti-spam policies, outbound spam filter policy, set Automatic forwarding to Off (PowerShell: Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off), and also run Set-RemoteDomain Default -AutoForwardEnabled $false so client-side forwarding to remote domains is blocked at the transport layer. Google: Admin Console, Apps, Google Workspace, Gmail, End User Access, disable "Automatic forwarding."
- Out-of-band callback verification for every money movement. Phone-back to a number from your vendor master file, never the number in the email. Pair with a pre-shared codeword for executive requests, because voice clones now defeat voice-only verification.
- Continuously audit inbox rules and ForwardingSmtpAddress. Weekly PowerShell scan for rules with forwarding actions, single-character rule names, rules forwarding to RSS Subscriptions, and any mailbox with ForwardingSmtpAddress set.
- DMARC enforced at p=reject. p=quarantine sends suspicious mail to spam, where employees still trust it. p=reject blocks delivery entirely. Pair with SPF and DKIM alignment, plus BIMI for the visual indicator. Know the limit of this control: DMARC stops others from spoofing your domain (and, once your vendors enforce it, stops spoofing of theirs). It does nothing against a look-alike domain the attacker registered, which passes DMARC under its own policy, or against mail from a genuinely compromised vendor mailbox.
- Block legacy authentication and enforce Conditional Access. IMAP, POP3, and basic-auth SMTP cannot carry an MFA challenge at all. Microsoft has retired basic authentication for most Exchange Online protocols, but SMTP AUTH can still be enabled per mailbox, so verify it is off and block legacy authentication explicitly in Conditional Access. Then require phish-resistant MFA plus a compliant device via Conditional Access (Microsoft) or Context-Aware Access (Google).
- Look-alike domain monitoring and defensive registration. Continuous monitoring (DNSTwist, DomainTools, Cyvatar External Exposure Scan) catches typosquat registration before the first phish arrives. Pre-register the obvious look-alikes for your primary domain.
- AI-aware inbound email filtering. Traditional signature-based gateways are blind to LLM-written BEC. AI-aware filters (Microsoft Defender for Office 365 with AI signals, Mimecast, Cloudflare Email Security, Abnormal Security) detect tonal anomalies, impersonation patterns, and behavioral deviations.
- Mailbox audit logging exported to SIEM. Enable mailbox auditing on every mailbox and confirm unified audit log ingestion is on (Microsoft: Set-OrganizationConfig -AuditDisabled $false and Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true). Ship the logs to a SIEM with alerting on forwarding-rule creation, mailbox-audit disable, and bulk mailbox searches.
- Phishing simulations plus a written money-movement playbook. Quarterly simulations specifically targeted at finance, AP, and executive admins. A printed playbook documenting callback verification, a dollar-thresholded approval matrix, and an incident-response quick card for when something goes wrong. Cyvatar publishes a free Manual Controls Playbook for download.
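The strike phase (Phase 4 above) and controls 5 and 7 are about the same decision a gateway has to make per message: is this From domain authentic, and is it pretending to be someone on the vendor master file? The Python below is an added example, not code from this page or from any vendor named on it, that makes both checks over constructed data. The vendor list, DMARC records and authentication results are made up, and DNS is a dictionary so it runs offline. The sample messages are chosen to show what DMARC does and does not do: it rejects a spoof of a domain that publishes p=reject, while a typosquat or homograph domain with its own valid DMARC passes cleanly, and so does mail from a compromised vendor mailbox.

```python
"""Strike-phase sender checks: DMARC alignment of the From domain, then
look-alike detection against the vendor master.  Added example with
constructed vendors, records and messages; a one-label public suffix is
assumed (use a public-suffix list for real traffic)."""
import unicodedata

VENDOR_DOMAINS = {"acme-supply.example", "northwind-logistics.example"}   # assumed vendor master

# A few homoglyphs a hostile registrant uses; real tooling should use the full
# Unicode confusables table.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x",
                             "і": "i", "ӏ": "l", "ı": "i", "0": "o", "1": "l"})


def to_unicode(domain):
    try:
        return domain.encode("ascii").decode("idna")          # xn-- labels to their Unicode form
    except UnicodeError:
        return domain                                         # already Unicode


def skeleton(label):
    """Comparison form: IDNA-decoded, NFKC, lower-cased, homoglyphs folded, hyphens dropped."""
    return unicodedata.normalize("NFKC", to_unicode(label)).lower().translate(CONFUSABLES).replace("-", "")


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """(registrable label, suffix) under the one-label-suffix assumption."""
    parts = to_unicode(domain).lower().split(".")
    return parts[-2], parts[-1]


def lookalike(sender_domain):
    """(vendor, kind) when sender_domain imitates a vendor domain, else None."""
    if sender_domain.lower() in VENDOR_DOMAINS:
        return None                          # the vendor itself, compromised mailbox or not
    s_label, s_tld = split_domain(sender_domain)
    for vendor in sorted(VENDOR_DOMAINS):
        v_label, v_tld = split_domain(vendor)
        sk, vk = skeleton(s_label), skeleton(v_label)
        if sk == vk:
            return vendor, "alternate TLD" if s_tld != v_tld else "homograph/hyphen variant"
        if vk in sk:
            return vendor, "vendor name embedded"
        if levenshtein(sk, vk) <= 2:
            return vendor, "typosquat"
    return None


def parse_dmarc(record):
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}


def org_domain(domain):
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(msg, dns):
    """RFC 7489 in miniature: pass if SPF or DKIM passed and aligns with the From
    domain, otherwise the From domain's own policy applies (no record means 'none')."""
    fd = msg["from_domain"]
    pol = parse_dmarc(dns.get(fd, "v=DMARC1; p=none"))
    spf_ok = msg.get("spf") == "pass" and aligned(msg.get("spf_domain", ""), fd, pol["aspf"])
    dkim_ok = msg.get("dkim") == "pass" and aligned(msg.get("dkim_domain", ""), fd, pol["adkim"])
    return "pass" if spf_ok or dkim_ok else pol["p"]


def assess(msg, dns):
    return {"dmarc": dmarc_verdict(msg, dns), "lookalike": lookalike(msg["from_domain"])}


DNS = {  # constructed records; an attacker controls DNS for the domains they register
    "acme-supply.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "acme-suply.example": "v=DMARC1; p=reject",
}
SAMPLES = {  # constructed Authentication-Results, reduced to what DMARC needs
    "spoof": {"from_domain": "acme-supply.example", "spf": "pass", "spf_domain": "bulk-mailer.example", "dkim": "none"},
    "typosquat": {"from_domain": "acme-suply.example", "spf": "pass", "spf_domain": "acme-suply.example"},
    "homograph": {"from_domain": "аcme-supply.example", "spf": "pass", "spf_domain": "аcme-supply.example"},
    "alt_tld": {"from_domain": "acme-supply.co", "spf": "pass", "spf_domain": "acme-supply.co"},
    "vec": {"from_domain": "acme-supply.example", "spf": "pass", "spf_domain": "acme-supply.example",
            "dkim": "pass", "dkim_domain": "acme-supply.example"},
}
```

Read the results side by side: only the "spoof" message is stopped by the vendor's p=reject. The typosquat (one missing letter, and its registrant published p=reject too), the Cyrillic-a homograph, and the alternate TLD all pass DMARC and are only caught by the look-alike comparison against the vendor master. The "vec" message passes everything and matches no look-alike rule, which is why the callback procedure in control 3 exists.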
How to detect BEC in Microsoft 365
Run these commands this week. If you find any of the indicators, treat the mailbox as compromised: rotate the password, revoke all active sessions, audit OAuth grants, and engage your incident-response provider.
Find forwarding inbox rules across all mailboxes
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress -IncludeHidden } | Where-Object {$_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo} | Format-Table MailboxOwnerId,Name,Enabled,ForwardTo,ForwardAsAttachmentTo,RedirectTo -AutoSize
Find mailbox-level forwarding (invisible in Outlook)
Get-Mailbox -ResultSize Unlimited | Where-Object {$_.ForwardingSmtpAddress -or $_.ForwardingAddress} | Format-Table DisplayName,ForwardingSmtpAddress,ForwardingAddress,DeliverToMailboxAndForward -AutoSize
Confirm mailbox auditing is enabled
Get-OrganizationConfig | Format-List AuditDisabled
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
Indicators of compromise
- Inbox rules with single-character names (".", " ", "a") or no name
- Rules that forward externally and move the original to RSS Subscriptions, Conversation History, or Junk
- Rules with the action "delete after forwarding"
- Mailbox audit suddenly disabled within the last 90 days
- OAuth grants to unknown enterprise applications with Mail.Read or Mail.ReadWrite scope
- New ForwardingSmtpAddress on a mailbox where the user has no reason to forward externally
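The indicators above are the same ones to hunt for in the audit trail, not only in the live configuration, because a rule that was created and deleted a week ago still shows up there. The following is an added example, not code from this page, written in Python rather than PowerShell so that it runs offline over an export: feed it the AuditData JSON that Search-UnifiedAuditLog returns, one object per line. The records embedded below are constructed to that shape (Operation, UserId, Parameters as Name/Value pairs, ModifiedProperties for consent events); the tenant domain and the exact field names are assumptions to check against your own export.

```python
"""Triage a Unified Audit Log export for BEC persistence indicators: forwarding
rules, hiding folders, single-character rule names, mailbox-level forwarding,
audit tampering and risky OAuth consents.  Added example over constructed records."""
import json
import re

TENANT_DOMAINS = {"contoso.example"}                         # assumed accepted domains
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "archive"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def params(rec):
    """Exchange cmdlet records carry the arguments as a list of {Name, Value} pairs."""
    return {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}


def external_domains(value):
    return {d.lower() for d in EMAIL_RE.findall(value) if d.lower() not in TENANT_DOMAINS}


def consent_scopes(rec):
    """'Consent to application.' records list the granted scopes under ConsentAction.Permissions."""
    for prop in rec.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            return set(re.findall(r"[A-Za-z]+\.(?:ReadWrite|Read|Send)(?:\.All)?", prop.get("NewValue", "")))
    return set()


def triage(rec):
    """Indicators for one record as (user, description); an empty list means nothing suspicious."""
    op, user, p = rec.get("Operation", ""), rec.get("UserId", "?"), params(rec)
    hits = []
    if op in ("New-InboxRule", "Set-InboxRule"):
        name = p.get("Name", "")
        if len(name.strip()) <= 1:
            hits.append("rule with empty or single-character name %r" % name)
        for k in FORWARD_PARAMS:
            ext = external_domains(p.get(k, ""))
            if ext:
                hits.append("%s to external %s" % (k, ", ".join(sorted(ext))))
        if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
            hits.append("moves mail to " + p["MoveToFolder"])
        if p.get("DeleteMessage", "").lower() == "true":
            hits.append("deletes the message after processing")
    elif op == "Set-Mailbox":
        if external_domains(p.get("ForwardingSmtpAddress", "")):
            hits.append("mailbox-level forwarding to " + p["ForwardingSmtpAddress"])
        if p.get("AuditEnabled", "").lower() == "false":
            hits.append("mailbox auditing disabled")
    elif op == "Set-OrganizationConfig" and p.get("AuditDisabled", "").lower() == "true":
        hits.append("organization-wide mailbox auditing disabled")
    elif op == "Consent to application.":
        risky = consent_scopes(rec) & RISKY_SCOPES
        if risky:
            hits.append("OAuth consent granting " + ", ".join(sorted(risky)))
    return [(user, h) for h in hits]


def triage_export(jsonl_text):
    """One AuditData JSON object per line, as an exported Search-UnifiedAuditLog result."""
    return [f for line in jsonl_text.splitlines() if line.strip() for f in triage(json.loads(line))]


SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [   # constructed records, not real log data
    {"Operation": "New-InboxRule", "UserId": "ap-clerk@contoso.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "\"invoices\" [SMTP:invoices.archive@gmail.com]"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "pm@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "cfo"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:cfo.contoso@outlook.com"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "Consent to application.", "UserId": "ap-clerk@contoso.example",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
                             "NewValue": "[[Scope: Mail.Read User.Read offline_access, ...]]"}]},
])
```

Every finding carries the acting UserId so the same mailbox showing up twice (a forwarding rule and a consent grant from ap-clerk in the sample) is easy to spot; that combination is the Watch phase in full, and the right response is the one at the top of this section: treat the mailbox as compromised.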
Cyber insurance and BEC: the fine print
BEC was the leading cause of cyber-insurance claims globally in 2025, accounting for 31% of all incidents. But the payout is rarely the full policy limit. Several caveats every executive should understand before a claim event:
- Social engineering or funds transfer fraud is almost always a sub-limit, not the policy face value. Typical sub-limit: $100,000 to $250,000, even on a multi-million-dollar primary policy.
- Carriers increasingly require documented callback verification for the claim to pay. If finance wired without out-of-band verification, the claim may be denied.
- "Voluntary parting with funds" exclusions apply in many policies, even when the parting was the result of deception.
- MFA evidence is now required on the compromised mailbox at the time of incident. If MFA was off, expect denial.
- Notice clauses, often 72 hours and sometimes shorter, start the clock at first suspicion of loss, not at confirmation. Notify the carrier while the investigation is still open rather than waiting for a final figure.
If you are renewing a cyber policy in 2026, read the social-engineering and funds-transfer-fraud rider line by line, and challenge any callback-verification or MFA evidence requirements before signing.
How Cyvatar prevents BEC
Cyvatar deploys the full AI-BEC defense stack in 30 days, manages it for you continuously, and proves your posture quarterly. The mapping by attack phase:
- Compromise (Phase 1): Phish-resistant MFA via Okta with FIDO2, Conditional Access requiring trusted devices, AI-aware inbound email filtering through ESM.
- Watch (Phase 2): User Account Monitoring (powered by Red Canary identity detection) catches impossible-travel, suspicious OAuth grants, and audit-log anomalies. SIEM Data Lake retains 90+ days of mailbox activity for IR.
- Identify (Phase 3): Behavioral baselines flag unusual mailbox-search patterns and bulk-read activity.
- Strike (Phase 4): External-exposure scan continuously monitors look-alike and typosquat domains. ESM detects tone-anomaly impersonation. Procedural controls (Manual Controls Playbook) defeat voice clones.
- Drain (Phase 5): 24/7 incident-response coordination through Agentic vCISO; Booz Allen Hamilton partnership for major incidents.
Cyvatar's track record: seven years, 226 customers, zero major breaches or ransomware. The full BEC reference page with the attack-chain infographic, every control with exact admin paths for Microsoft 365 and Google Workspace, real 2025 incident examples, and the email-gated Manual Controls Playbook download lives at cyvatar.ai/bec.
Find Out If You Have the AI-BEC Surface Area
Cyvatar's free Am I Exposed? scan checks the external signals an attacker uses to decide whether to target your organization for BEC. Takes about 30 seconds. No email required for the basic scan.
Sources
- FBI IC3 2024 Annual Report (Apr 2025), confirms $2.8B in 2024 BEC losses, 21,442 complaints, $8.5B cumulative 2022-2024.
- Verizon 2025 Data Breach Investigations Report, pretexting doubled, 88% of BEC funds move via wire, median loss ~$50K.
- Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale (Microsoft Security Blog, Mar 2026), Tycoon 2FA = 62% of Microsoft-blocked phishing mid-2025.
- Abnormal Security: VEC engagement data (Jun 2025), 83% of large enterprises hit by VEC, 90% higher engagement than BEC.
- Abnormal Threat Report: BEC and VEC trends (2025), 98.5% of VEC unreported, $300M attempted theft in 12 months.
- SlashNext / Infosecurity Magazine, 1,265% rise in phishing email volume since ChatGPT launch.
- Insurance Times 2025, BEC = 31% of global cyber-insurance claims in 2025.