
Unpacking the real threat behind business email compromise

Business email compromise (BEC) is a way for cybercriminals to slip into inboxes or mimic an executive, vendor, or partner. From there they can make a request that looks ordinary enough to pass as part of everyday business: a wire transfer, a shared document, or a vendor update. By the time anyone realizes something is off, the money or data is gone. These schemes rank amongst the most expensive forms of cybercrime because they play directly on trust and routine.

Healthcare organizations feel BEC's reach even more because of the constant flow of billing and patient data through multiple streams. Attackers have countless points of entry through which to reach that data and blend in unseen. Many organizations still rely on staff intuition to detect unusual emails, despite phishing attempts accounting for a noticeable portion of their overall email traffic.

One study, ‘Phishing in healthcare organisations: threats, mitigation and approaches’, captured the scale of that problem directly, noting that “during the 1-month testing period, the organisation received 858,200 emails… 18,871 (2%) identified as potential threats,” and that “around 5 million (3%) [internet transactions] were suspected threats.” When one message out of thousands lands at the right moment, the fallout can last long after the transfer is reversed or the inbox is secured.


How modern BEC works

Modern BEC attacks are an evolution of phishing tactics: cybercriminals send contextualized, grammatically perfect emails that mimic legitimate business communications. They exploit human trust, and commonly rely on compromised accounts or subtle domain spoofing to avoid detection. These attacks operate in stages, namely reconnaissance, impersonation, and exploitation.

A recent study on malicious traffic titled ‘BEC Defender: QR Code-Based Methodology for Prevention of Business Email Compromise (BEC) Attacks’ reported that, “in 2022 alone, BEC attacks resulted in losses of nearly USD 2.7 billion globally, which is an escalation of approximately USD 350 million from the preceding year (2021), and a notable surge of around USD 860 million from the year 2020.”


Why traditional email security keeps missing BEC

Email security mechanisms like signature-based filters, antivirus software, and protocols like DMARC struggle to mitigate BEC attacks because the threats lack malicious payloads. With no malicious attachment or link to trigger detection tools, BEC attacks can slip by unnoticed, since they look like legitimate emails from known sources.

The study ‘Towards a Multi-Layered Phishing Detection’ states that “these attacks are often successful because they exploit human error, such as trusting an email’s contents without verifying its authenticity,” which explains why so many forged messages slide past technical safeguards entirely.

DMARC and similar header-based filters fail against content manipulation in fraudulent invoices or account compromise, where attackers bypass authentication by hijacking real threads or using lookalike domains. The same research points out that “mail-filtering techniques… prove ineffective at safeguarding the email system against certain types of attacks, particularly those rooted in content manipulation,” and that weakness becomes obvious when criminals insert themselves into real conversations or compromise accounts outright.
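To make that gap concrete, here is an added example (not code from the article or from Paubox) of two header checks a filter needs on top of DMARC: recognising a sender domain that imitates a trusted partner, and noticing when a message from a genuine account has its Reply-To pointed somewhere else. The partner domain list, the confusable-character table and the sample headers are constructed assumptions for the demonstration.

```python
# Added example, not code from the original article or from Paubox: two
# header-level checks for the cases the text says DMARC-style filters miss,
# a lookalike sender domain and a reply address that has been redirected.
# All domains and messages below are constructed for illustration.
import unicodedata
from email.utils import parseaddr

# Constructed: domains this organization genuinely exchanges invoices with.
TRUSTED_PARTNER_DOMAINS = {"acme-billing.com", "hospital-supply.org"}

# Single characters that are often substituted because they look alike.
_SINGLE_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e"})


def normalize_domain(domain: str) -> str:
    """Fold a domain into a 'skeleton' so visually similar spellings compare equal."""
    folded = unicodedata.normalize("NFKD", domain.strip().lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))  # drop accents
    folded = folded.replace("rn", "m").replace("vv", "w")  # two-letter imitations
    return folded.translate(_SINGLE_CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_PARTNER_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    skeleton = normalize_domain(domain)
    for real in trusted:
        if edit_distance(skeleton, normalize_domain(real)) <= 1:
            return real
    return None


def _domain_of(header_value: str) -> str:
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def assess_headers(headers: dict) -> list:
    """Return human-readable warnings for one message's headers (empty list = nothing odd)."""
    warnings = []
    from_domain = _domain_of(headers.get("From", ""))
    imitated = lookalike_of(from_domain)
    if imitated:
        warnings.append(f"sender domain {from_domain} resembles trusted partner {imitated}")
    reply_domain = _domain_of(headers.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # A DMARC pass only proves the mail came from the From domain's servers; it
    # says nothing about whether that domain is the one the reader thinks it is.
    if warnings and "dmarc=pass" in headers.get("Authentication-Results", ""):
        warnings.append("DMARC passed, so header authentication alone would have accepted this message")
    return warnings


# Constructed sample headers: a genuine partner message, a typosquatted sender,
# and a message from the real account whose replies have been redirected.
SAMPLE_HEADERS = {
    "genuine": {
        "From": "Accounts Payable <ap@acme-billing.com>",
        "Authentication-Results": "mx.example.org; dmarc=pass header.from=acme-billing.com",
    },
    "typosquat": {
        "From": "Accounts Payable <ap@acme-bi11ing.com>",
        "Authentication-Results": "mx.example.org; dmarc=pass header.from=acme-bi11ing.com",
    },
    "redirected_reply": {
        "From": "Accounts Payable <ap@acme-billing.com>",
        "Reply-To": "ap@acme-billing-invoices.example",
        "Authentication-Results": "mx.example.org; dmarc=pass header.from=acme-billing.com",
    },
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_HEADERS.items():
        print(name, assess_headers(hdrs) or ["no header warnings"])
```

Both fraudulent samples carry a DMARC pass, which is the point: authentication confirms the sending domain is who it says it is, not that it is the domain the recipient believes they are dealing with. In production the trusted-domain list would come from the vendor master file, and a warning would route the message to a quarantine or a review queue rather than block it outright.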


Why employees keep engaging

Employees engage with BEC attacks because of the pressure that email communication carries as a job demand. The constant influx of emails creates tension as employees face internal and external pressure to respond quickly to time-sensitive requests.

According to one JAMA Network study, “2,971,945 emails were sent…422,062 of which were clicked (14.2%).” That figure shows how often employees interact with deceptive messages, even when the emails are only simulations.

The blurring of work and personal boundaries caused by frequent email interruptions leads to cognitive overload, stress, and reduced attention. The study notes, “employees at US health care institutions may be susceptible to phishing emails, which presents a major cybersecurity risk to hospitals,” and that same psychological susceptibility is what BEC actors exploit. They lean on trust and urgency cues, and employees keep engaging with these attacks despite training efforts.


What BEC looks like in 2025

The average wire transfer request amount has grown over the years. In one BMJ Health & Care Informatics study alone, researchers found that “2%–3% of all email and internet traffic…was regarded as suspicious/threat, representing >50 million internet transactions and >100 000 emails per annum.” 

The study warns, “hospitals receive a significant volume of potentially malicious emails,” and that pressure doesn’t just affect large systems. Smaller organizations face the same exposure with fewer resources to defend themselves. When attackers have the chance to combine technical mimicry with psychological manipulation, they create a threat that impacts most industries and organizational sizes.  


What actually stops BEC

Generative AI uses natural language processing and behavioral analysis to detect and block phishing emails. It can analyze email content for semantic inconsistencies and behavioral anomalies rather than only scanning headers or attachments, which lets it identify fraudulent intent with more accuracy.

The previously mentioned healthcare study ‘Phishing in healthcare organisations: threats, mitigation and approaches’ notes that “phishing is a method of attempting to gain potentially valuable details…for malicious reasons, using targeted communications such as email or messaging in which the attacking party encourages recipients to click links to websites running malicious code or to download or install malware.”

AI security solutions like HIPAA compliant email from Paubox also learn continuously from the attack patterns that crop up, adapting to new tactics used by cybercriminals who employ generative AI themselves to create highly convincing fake emails. Paubox uses AI-improved email security to protect healthcare organizations by scanning inbound messages for indicators of BEC attacks and automating threat detection. The study found that during just one month, “the organisation received 858,200 email messages…[and] 18,871 (2.2%) identified as potential threats,” a scale no human team can realistically triage. AI draws on many data points, such as sender behavior, email metadata, and historical communication patterns, to identify and prevent BEC attempts proactively and at a larger scale than human employees can. This fills in the gaps created by employee errors.
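The sender behavior, metadata and historical pattern signals described above can be illustrated with a small behavioural baseline. The following is an added example, not Paubox's product code and not code from the article: it builds a per-sender profile from past messages (hours of day, reply addresses, recipients, whether the sender has ever raised payment topics) and scores a new message by how far it departs from that profile. The mailbox, the keyword lists and every message are constructed assumptions; a real product would replace the regular expressions with a trained language model.

```python
# Added example, not Paubox's product code: a per-sender behavioural baseline
# of the kind the text describes (sender behaviour, metadata, historical
# patterns), scored against a new message. All messages below are constructed.
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Simple phrase lists standing in for the language models a product would use.
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire|bank account|routing number|invoice|payment details|new account)\b", re.I)


@dataclass
class Message:
    sender: str
    recipient: str
    sent_at: datetime
    reply_to: str  # empty string when the header is absent
    body: str


@dataclass
class SenderProfile:
    count: int = 0
    hours: Counter = field(default_factory=Counter)      # hour-of-day histogram
    reply_tos: Counter = field(default_factory=Counter)  # addresses replies went to
    recipients: set = field(default_factory=set)
    payment_msgs: int = 0


def build_profiles(history):
    """Summarize each sender's past behaviour from a list of Message objects."""
    profiles = defaultdict(SenderProfile)
    for m in history:
        p = profiles[m.sender]
        p.count += 1
        p.hours[m.sent_at.hour] += 1
        p.reply_tos[m.reply_to or m.sender] += 1
        p.recipients.add(m.recipient)
        if PAYMENT.search(m.body):
            p.payment_msgs += 1
    return dict(profiles)


def score_message(msg, profiles):
    """Return (score, reasons): one point per behaviour that departs from the baseline."""
    reasons = []
    p = profiles.get(msg.sender)
    if p is None:
        reasons.append("first message ever seen from this sender")
    else:
        if p.hours[msg.sent_at.hour] == 0:
            reasons.append(f"sent at {msg.sent_at.hour:02d}:00, an hour never seen from this sender")
        if (msg.reply_to or msg.sender) not in p.reply_tos:
            reasons.append("Reply-To differs from every previous message")
        if msg.recipient not in p.recipients:
            reasons.append("sender has never written to this recipient before")
        if p.payment_msgs == 0 and PAYMENT.search(msg.body):
            reasons.append("first payment-related request from this sender")
    if URGENCY.search(msg.body):
        reasons.append("urgency language in body")
    if PAYMENT.search(msg.body):
        reasons.append("payment or banking details in body")
    return len(reasons), reasons


def is_suspicious(msg, profiles, threshold=3):
    """Flag a message for human review once enough anomalies stack up."""
    return score_message(msg, profiles)[0] >= threshold


# Constructed history: an executive's routine, business-hours mail to accounts payable.
CFO, AP = "cfo@example-hospital.org", "ap@example-hospital.org"
HISTORY = [
    Message(CFO, AP, datetime(2025, 3, 3, 9, 15), "", "Can we review the Q1 budget on Thursday?"),
    Message(CFO, AP, datetime(2025, 3, 10, 14, 2), "", "Thanks for the report, looks good."),
    Message(CFO, AP, datetime(2025, 3, 17, 10, 40), "", "Please add the vendor meeting to my calendar."),
]
PROFILES = build_profiles(HISTORY)

# Constructed test messages: one routine, one with the classic BEC shape, one first-time sender.
ROUTINE = Message(CFO, AP, datetime(2025, 3, 24, 9, 5), "", "Moving Thursday's budget review to 3pm.")
SUSPECT = Message(CFO, AP, datetime(2025, 3, 25, 23, 7), "cfo.personal@freemail.example",
                  "Urgent: I need a wire sent today, bank account details attached. Keep this confidential.")
NEW_SENDER = Message("new-vendor@supplier.example", AP, datetime(2025, 3, 25, 11, 0), "",
                     "Please find our invoice attached.")

if __name__ == "__main__":
    for label, m in (("routine", ROUTINE), ("suspect", SUSPECT), ("new sender", NEW_SENDER)):
        print(label, score_message(m, PROFILES))
```

The routine message scores zero and the suspect message scores five (off-hours send time, changed Reply-To, first ever payment request, urgency wording, banking details), so the threshold of three separates them comfortably while a first-time vendor sending an ordinary invoice stays below it. The score is a count rather than a weighted model only to keep the example readable; the useful part is that every reason is a plain sentence an analyst can act on.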


FAQs

What is generative AI in threat detection?

Generative AI in threat detection refers to AI models that can analyze patterns in emails, network traffic, and user behavior to identify malicious activity that traditional security tools often miss.


How does generative AI detect phishing or BEC attempts?

Generative AI examines the content, tone, sender history, timing, and context of messages.


Why is generative AI better than traditional security filters?

Traditional filters rely on signatures, known bad URLs, or clear-cut payloads. Generative AI identifies intent, not just indicators.
