Business Email Compromise (BEC) scams have been called the “$55 million scam” by the FBI. For any business, BEC scams are something to be concerned about. This attack is highly focused on financial theft and is increasingly successful. For example, the Health Sector Cybersecurity Coordination Center (HC3) has identified BEC as one of the most financially damaging threats in the healthcare sector. Notably, small to medium-sized companies and MSPs are not exempt; a recent study from TitanHQ and Osterman Research found that over 1 in 5 MSPs (21.6%) lost money to BEC attacks in the last 12 months (research completed March 2025). The study concludes that “BEC attacks represent a major threat for organizations.”
BEC attacks may be a favorite of cybercriminals, but there are ways to prevent this costly crime.
Overview of a BEC Scam: It’s all about Trust and Timing
Understanding the dynamics of a BEC scam is essential for developing methods to protect a business from an attack. There are various types of BEC scams with financial targets focusing on invoices, gift cards, and bank transfers. However, one thing is certain: BEC scams are evolving with technological and cultural changes.
The Osterman study found the following trends in BEC scams:
- BEC attackers are concentrating on choosing specific targets rather than deploying mass phishing.
- BEC phishing is sophisticated and carefully composed. It avoids typical phishing tricks like malicious links to evade detection by Security Email Gateways (SEGs). Also, SEGs are unable to use geolocation data, which is critical in identifying sophisticated threats like BEC.
- A lack of expected phishing signals has meant that conventional secure email gateways (SEGs) are unable to defend against BEC attacks. The Osterman research found that Exchange Online Protection (EOP) in Microsoft 365 could not identify BEC attacks, classifying them as “clean.”
BEC scammers are creating campaigns that are bucking the trends seen in previous untargeted mass phishing attacks. Modern BEC campaigns are more dynamic and real-time, using multiple channels to confuse and obfuscate intent. AI is being used to modify and adapt campaigns and evade detection by conventional methods of protection.
Exploiting Trust
One of the most complex BEC scams that is challenging to detect and prevent is when scammers impersonate a trusted executive or partner. This may involve using account takeover to control the executive's email or spoofing the email account. Either way, the impersonation preys on trust. If the scammer can trick the victim, e.g., someone in accounts payable, into believing they are the executive, then it is more likely that the scammer can manipulate that trusted relationship. Once the victim believes they are dealing with an executive of the company, they will be more likely to carry out orders, i.e., send money to the attacker's bank account, believing it is a legitimate payment request.
Perfect Timing
Timing also plays an integral part in a successful BEC attack. Attackers carefully target and monitor their victims, looking for signs of the right time to strike. For example, a BEC scammer may have stolen login credentials and compromised one of the key email accounts required for the scam. This allows them to monitor email traffic, looking for the correct invoice to modify or a sign that the company is adding new partners, etc.
Both trust and timing are essential elements in a successful BEC scam. However, the entry of AI into the scammer's game has provided the technology to make the manipulation of trust and timing a stark reality.
Read more on the types of BEC scams: A Guide for MSPs to Prevent Business Email Compromise (BEC)
How AI is Used in BEC Scams
AI is powering cyberattacks, including BEC scams. AI is used across the board to make cyberattacks more effective and successful. A recent survey found that AI assists around 40% of BEC scams. The following areas are examples of how AI is driving BEC scams to higher success rates and increasing the likelihood of substantial losses at MSPs and their clients:
The Intelligence to Circumvent Trust
Generative AI bots and AI agents are being used to identify and gather intelligence on a BEC target. Cybercriminals need to understand the victim and the company deeply. There has been a significant rise in the use of Large Language Models (LLMs) for reconnaissance and gathering intelligence for cyberattacks. AI agents can rapidly scan public-facing databases, social media, news sources, and dark web forums for information on a target.
This intelligence is used to identify targets and build a victim's profile. It is then used to design the BEC scam and develop the pathways to the attack's execution.
Generative AI uses the victim's data to craft BEC email communications.
Trust and the Deepfake
BEC scammers are using deepfake videos and audio to exploit trust even further. A recent attack on engineering firm Arup resulted in a loss of $25 million due to an AI-assisted BEC attack. The BEC scammers targeted a finance employee, inviting him to a video conference with the “Chief Financial Officer (CFO).” The CFO turned out to be a deepfake.
All told, the use of AI in BEC and other cyberattacks is set to make detection even harder by reducing the time taken to exploit account exposure by 50%, according to Gartner Inc.
Must-Have Protection for MSPs and their Clients
With costs estimated at an average of $137,132 per BEC incident, it is essential to put measures in place to stop these attacks. BEC scammers are upping their game by using stealth and sophistication. BEC has always exploited trust, but deepfakes and Generative AI have provided tools that take BEC scams to new levels of deceit. The TitanHQ and Osterman “State of email security in 2025” study has unfortunately identified gaps in conventional email security: BEC emails may not have standard phishing signals like malicious links, so conventional secure email gateways miss these cyberattacks. Osterman recommends using a mix of Human Risk Management (HRM) and AI-powered email security tools. Their recommended approach includes the following measures:
- AI-powered security solutions: tools that use AI can adapt to new attack methods
- AI that provides automated incident response.
- Highly personalized security awareness training: use AI to create targeted phishing simulations based on individual employee behavior.
- Automated creation of threat reports for review or investigation.
- Baseline standard communication patterns of every employee. AI can then look for anomalies in these patterns to identify even sophisticated, non-standard BEC attacks.
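As an added illustration of the last point (baselining each employee's communication patterns and flagging deviations), the following Python sketch is not TitanHQ's or Osterman's code. It builds a per-recipient baseline from constructed mail metadata and scores new messages on signals a link-free BEC email still carries: a known display name on an unfamiliar address, first contact, a diverging Reply-To, and payment or urgency wording. The addresses, names and keyword list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of past mail metadata (sender address, display name, recipient)
# used to build the baseline; these are not real messages.
HISTORY = [
    ("ceo@example-corp.com", "Dana Reyes", "ap@example-corp.com"),
    ("ceo@example-corp.com", "Dana Reyes", "ap@example-corp.com"),
    ("billing@trusted-supplier.example", "Trusted Supplier Billing", "ap@example-corp.com"),
]

# Payment and urgency wording typical of BEC requests (an assumed, minimal list).
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|invoice|payment|gift cards?|urgent|confidential)\b", re.I)

def build_baseline(history):
    """Map each recipient to senders they normally hear from, and each display
    name to the addresses it has legitimately been sent from."""
    known_senders = defaultdict(set)
    name_to_addr = defaultdict(set)
    for sender, name, recipient in history:
        known_senders[recipient.lower()].add(sender.lower())
        name_to_addr[name.lower()].add(sender.lower())
    return known_senders, name_to_addr

def score_message(msg, baseline):
    """Return (score, reasons) for one message dict. Links are deliberately not
    inspected: the goal is to catch link-free messages an SEG would pass as clean."""
    known_senders, name_to_addr = baseline
    sender, name = msg["from"].lower(), msg["display_name"].lower()
    reasons = []
    # 1. A known executive's or partner's display name on an unfamiliar address (spoofing).
    if name in name_to_addr and sender not in name_to_addr[name]:
        reasons.append("display name matches a known contact but address differs")
    # 2. This sender has never written to this recipient before.
    if sender not in known_senders.get(msg["to"].lower(), set()):
        reasons.append("first contact between sender and recipient")
    # 3. Replies are steered to a different mailbox (seen with account takeover).
    reply_to = msg.get("reply_to", "").lower()
    if reply_to and reply_to != sender:
        reasons.append("reply-to differs from sender")
    # 4. Payment or urgency language in subject or body.
    if PAYMENT_WORDS.search(msg["subject"] + " " + msg["body"]):
        reasons.append("payment or urgency language")
    return len(reasons), reasons

def is_suspicious(msg, baseline, threshold=2):
    """Flag for review when at least `threshold` signals co-occur."""
    return score_message(msg, baseline)[0] >= threshold
```

Because the score ignores links entirely, the same logic flags both a spoofed display name and a compromised genuine account that quietly redirects replies; a real deployment would add per-employee history windows and a review queue rather than hard-blocking.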
What is PhishShield, and How Does it Help Prevent BEC Attacks?
PhishShield is a feature of the TitanHQ cybersecurity platform that uses defensive AI technologies to fight fire with fire. As a next-generation email threat detection solution that seamlessly integrates with platforms like Microsoft 365, PhishShield catches sophisticated cyberthreats that conventional secure email gateways miss. PhishShield utilizes Natural Language Processing (NLP) and machine learning to identify hidden email threats. By using AI to assist in identifying BEC scams, PhishShield provides detection of evasive phishing campaigns. The difference between PhishShield and other anti-phishing technologies is the ability to determine intent to manipulate or deceive, which is impossible for conventional SEGs to spot.
TitanHQ CyberSecurity Platform
TitanHQ is dedicated to providing MSPs with purpose-built AI-assisted email security technology. Our CyberSecurity Platform is based on the following capabilities:
- LLM and AI analysis of emails
- Auto Remediation to eliminate threats from users’ inboxes
- Advanced M365 security to augment existing native SEGs. Offers native and API-based integration
- Real-time analysis and threat assessment to identify intent and spot sophisticated BEC messages
- Integrated behaviour-led security awareness training that offers hyper-personalized training
TitanHQ’s CyberSecurity platform is designed with MSPs in mind and incorporates the following:
- Simplified license management across all services
- Global dashboard allowing management of unified solutions
- Unified billing and contracts
- Rapid and flexible scalability
The mix of AI-assisted email security technology and HRM-based security awareness training gives MSPs and their clients the edge in identifying and stopping BEC campaigns.
How prepared are your SMB clients for today’s email threats? Let’s talk about how a smarter, human-centered approach backed by AI can help you stay ahead. Get a free demo and see it in action.
Talk to our Team today
