Why BEC remains the $2.8 billion problem CISOs can’t ignore

Business email compromise continues to increase as attackers use generative AI to sharpen social engineering campaigns, leaving organizations with costly losses and eroded trust.

What happened

Business email compromise (BEC) has become one of the most expensive cybercrimes facing organizations worldwide. According to the FBI IC3's Internet Crime Report, BEC accounted for $2.8 billion in reported losses in 2024 alone, and $17.1 billion since 2015. Those figures cover only incidents reported to IC3, so the true cost is higher.

BEC thrives because it rarely involves malware or suspicious links. Instead, it exploits human trust. Messages arrive impersonating executives, colleagues, or vendors, carrying urgency that pressures employees into making costly mistakes before fraud is detected.

Going deeper

BEC takes multiple forms, including:

  • Wire transfer fraud: spoofed executive requests for urgent payments
  • Invoice fraud: fake vendor invoices with altered banking details
  • Payroll diversion: fraudulent paycheck rerouting requests
  • Gift card scams: urgent appeals for employees to purchase and share gift card codes

The problem is getting worse. Attack volume grew by more than 50% between 2023 and 2024, fueled by cybercriminals using generative AI to create convincing, error-free messages that mimic legitimate communication styles. For CISOs, this change brings not just financial risk, but also reputational damage and operational strain as staff spend time second-guessing increasingly realistic messages.

The big picture

BEC attacks succeed because they don't carry the signals that legacy secure email gateways were built to detect: malware, malicious links, or suspicious attachments. A plain-text request with no payload looks benign to filters tuned for those indicators and passes through undetected.

Paubox recommends Inbound Email Security as a modern defense. Generative AI evaluates context, tone, sender behavior, and relationship patterns to flag anomalies in real time. Fraudulent emails are stopped before they ever reach inboxes, giving organizations protection against one of the most financially damaging forms of cybercrime.

FAQs

Why does BEC cause higher losses than other cyberattacks?

BEC directly exploits financial processes like wire transfers and payroll, so a single successful message produces an immediate, large-dollar loss, whereas the cost of data theft or malware damage is usually indirect and realized over time.

How is generative AI changing BEC?

Attackers use it to craft error-free, highly targeted emails that closely mimic the style and tone of real executives or vendors, making detection by humans or filters much harder.

Why can’t legacy security tools stop BEC?

Traditional filters look for malicious links, attachments, or known-bad domains. BEC emails are often plain text sent from a mailbox that is, technically, legitimate: a compromised account, a free webmail address carrying an executive's display name, or a lookalike domain registered for the campaign. All of these authenticate cleanly under SPF, DKIM and DMARC because the attacker controls or legitimately uses the sending domain, so nothing in the message's technical fingerprint looks wrong to those defenses.
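The gap described in this answer and under "The big picture" is the one a context-based inbound filter has to close. The script below is an added example, not Paubox's product or code from the original page: it parses raw messages with Python's standard library and weighs the kind of sender, relationship and intent signals such a filter uses (display-name impersonation, lookalike domains, Reply-To mismatch, first contact, financial request, pressure language) while recording that the message carries no link or attachment. The organization data, keyword lists, weights and threshold are illustrative assumptions, and the three messages are constructed.

```python
"""Context-based BEC triage over raw RFC 5322 messages (Python stdlib only)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical organization data (assumed for this example).
KNOWN_PEOPLE = {"dana whitfield": "example-corp.com"}        # display name -> home domain
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}   # own domain plus vetted vendors
PRIOR_CONTACTS = {"dana.whitfield@example-corp.com", "ar@acme-supplies.com"}

FINANCIAL = re.compile(r"\b(?:wire|transfer|invoice|bank(?:ing)? details|account number|"
                       r"payroll|direct deposit|gift cards?)\b", re.I)
PRESSURE = re.compile(r"\b(?:urgent|asap|today|right away|in a meeting|can'?t talk|"
                      r"confidential|keep this between)\b|\bbefore \d", re.I)
URL = re.compile(r"https?://", re.I)
WEIGHTS = {"display_name_impersonation": 3, "lookalike_domain": 3, "reply_to_mismatch": 2,
           "first_contact": 1, "financial_request": 2, "pressure_language": 1}
THRESHOLD = 4  # assumed quarantine cut-off

def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_message(raw):
    """Return (score, indicators, verdict) for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    haystack = f"{msg.get('Subject', '')}\n{text}"
    norm_name = " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())
    hits = {
        # A known person's name on a message that did not come from their home domain.
        "display_name_impersonation": any(
            p in norm_name and domain != home for p, home in KNOWN_PEOPLE.items()),
        # A domain one or two edits away from one we trust, but not that domain.
        "lookalike_domain": domain not in TRUSTED_DOMAINS and any(
            edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS),
        # Replies silently routed to a different domain than the one displayed.
        "reply_to_mismatch": bool(reply_to) and reply_to.lower().rsplit("@", 1)[-1] != domain,
        # No prior relationship with this exact sender address.
        "first_contact": addr not in PRIOR_CONTACTS,
        "financial_request": bool(FINANCIAL.search(haystack)),
        "pressure_language": bool(PRESSURE.search(haystack)),
    }
    score = sum(WEIGHTS[k] for k, v in hits.items() if v)
    # Recorded for the analyst only: the signals a legacy gateway keys on.
    hits["has_url"] = bool(URL.search(text))
    hits["has_attachment"] = any(True for _ in msg.iter_attachments())
    return score, hits, "quarantine" if score >= THRESHOLD else "deliver"

# Constructed sample messages (not real traffic).
EXEC_WIRE = "\n".join([
    "From: Dana Whitfield (CEO) <dana.whitfield.ceo@gmail.com>",
    "To: ap@example-corp.com",
    "Subject: Quick favor",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "I'm in a meeting and can't talk. I need a wire transfer of $48,500 sent",
    "today before 3pm for a confidential acquisition. Reply and I'll send details.",
])
VENDOR_LOOKALIKE = "\n".join([
    "From: Accounts Receivable <ar@acme-supplies.co>",
    "Reply-To: billing@acme-supplies-pay.com",
    "To: ap@example-corp.com",
    "Subject: Updated banking details for invoice 10442",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Please update our banking details today, before the next payment run.",
])
LEGIT = "\n".join([
    "From: Dana Whitfield <dana.whitfield@example-corp.com>",
    "To: ap@example-corp.com",
    "Subject: Board deck",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Can you send me the Q3 board deck when you have a minute?",
])

if __name__ == "__main__":
    for label, raw in [("exec wire", EXEC_WIRE), ("vendor lookalike", VENDOR_LOOKALIKE),
                       ("legit", LEGIT)]:
        score, hits, verdict = score_message(raw)
        print(f"{label:17s} score={score:2d} verdict={verdict} "
              f"url={hits['has_url']} attachment={hits['has_attachment']}")
```

Both fraudulent samples score well above the threshold with no URL and no attachment, which is exactly why a gateway keyed on those two fields delivers them; the genuine request from the CEO's real mailbox scores zero because the name, domain and prior relationship all agree. A production filter learns these weights from history rather than hard-coding them, but the inputs it reasons over are the same.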

What part does employee training play?

Training is helpful, but no amount of awareness can fully prevent mistakes when attackers apply urgency and pressure. It works best alongside process controls that do not rest on one employee's judgment, such as out-of-band callback verification of any change to payment details and dual approval for wire transfers. Technology must step in to close the remaining gap.

What’s the most effective defense against BEC?

Generative AI-driven inbound email security, like Paubox’s, analyzes context and intent rather than just technical indicators, detecting and blocking fraud before it reaches inboxes.