Why BEC Remains the $2.8 Billion Problem CISOs Can’t Ignore
Learn why BEC keeps rising with AI and how CISOs can stop attacks before they reach inboxes.
September 3, 2025

In the past decade, few cybercrimes have proven as costly—or as difficult to stop—as business email compromise (BEC). According to the FBI IC3’s Internet Crime Report, organizations lost $2.8 billion in 2024 alone, contributing to a staggering $17.1 billion in reported losses since 2015.
While other attacks have come and gone, BEC continues to thrive because it doesn’t rely on malicious links or attachments. Instead, it exploits the one weakness every organization has—human trust.
The Many Faces of BEC
What makes BEC so dangerous is its simplicity. Unlike phishing or malware, these attacks rarely include suspicious links or attachments. Instead, they rely on psychology. A message arrives from what appears to be a trusted colleague, a senior executive, or even a known vendor. It carries urgency, the request is acted on, and by the time the fraud is discovered, the money is long gone.
Cybercriminals rely on social engineering tactics that exploit trust and urgency, tricking employees into costly mistakes. These attacks often take the form of:
Wire Transfer Fraud: Urgent requests from a spoofed executive demanding immediate payment.
Invoice Fraud: Fake vendor invoices with altered payment details, often slipping past even the most diligent accounts payable teams.
Payroll Diversion: HR staff receive requests to reroute an employee’s paycheck, only to find the funds flowing to a criminal’s account.
Gift Card Scams: Disguised as casual requests, especially around the holidays, these attacks pressure employees to buy and share gift card codes.
An Evolving Problem
Business email compromise is not only growing—it’s evolving. Abnormal research found that BEC attack volume rose by 54% between 2023 and 2024. This surge coincides with cybercriminals’ adoption of generative AI, which makes it easier than ever to produce convincing, error-free emails that mimic the tone and style of trusted colleagues or vendors.
For CISOs, this evolution creates a compounding challenge. The financial risk remains obvious, but there’s also the operational burden, as employees and security teams lose valuable time double-checking messages that look increasingly authentic. And perhaps most damaging of all is the reputational fallout: when customers, partners, or regulators discover that your organization was duped by an email, trust erodes quickly.
Why Traditional Defenses Can’t Keep Up
Legacy email security solutions like secure email gateways (SEGs) were built to catch spam, malware, and links leading to malicious sites. But BEC messages are often plain text and sent from legitimate domains, which means they pass through traditional filters undetected. Once in the inbox, the burden falls on employees to decide whether the request in front of them is genuine or fraudulent. Attackers know this—and they exploit urgency and trust to push employees into making errors.
For CISOs, the situation is increasingly complex. Training employees is valuable, but people will always make mistakes—and attackers know it. Now that AI is helping adversaries produce flawless, highly targeted messages, relying on training alone is no longer enough. The only real solution is a different kind of defense, one that doesn’t just look for bad links or attachments but understands whether the email itself makes sense in context.
A New Approach to Stopping BEC
What’s needed is a fundamentally different approach—one that doesn’t just react to known threats but understands the context and intent of every email. Modern defenses against BEC are built on three principles:
API-Based Architecture that integrates with Microsoft 365 and Google Workspace to analyze signals beyond the message itself, such as risky logins or mailbox rule changes.
Behavioral AI that learns normal communication patterns and flags anomalies when something looks suspicious.
Organizational Insights that map relationships inside and outside the company, allowing the system to spot when a message doesn’t fit the usual flow of communication.
By adopting AI-native platforms that analyze identity, context, and behavior in real time, organizations can stop these attacks before they ever reach employee inboxes.
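The three principles above, and the gateway limitation described under "Why Traditional Defenses Can't Keep Up", are easier to reason about with a concrete triage routine. The following Python is an added illustration written for this article, not Abnormal's code or a description of its product: it contrasts a gateway-style verdict (authentication passed, no links, so deliver) with a contextual score built from a constructed contact baseline, a constructed feed of mailbox events of the kind a mail-platform API exposes, and the payment and urgency language typical of the wire, invoice, and gift card schemes listed earlier. All addresses, names, and thresholds are hypothetical.

```python
"""Contextual BEC triage: a gateway-style check beside relationship, content and
mailbox-event signals. Added example with constructed data; not production code."""
import re
from dataclasses import dataclass


@dataclass
class Email:
    from_name: str
    from_addr: str
    reply_to: str
    to_addr: str
    subject: str
    body: str
    auth_pass: bool  # SPF/DKIM/DMARC all passed (the check a legacy gateway makes)


# Constructed baseline (hypothetical): known contacts, the display name each
# normally uses, and who they normally write to ("organizational insights").
KNOWN_CONTACTS = {
    "cfo@example.com": {"name": "Dana Reyes", "writes_to": {"ap@example.com"}},
    "billing@vendor-example.net": {"name": "Vendor Billing", "writes_to": {"ap@example.com"}},
}

# Constructed (hypothetical) account-level signals a mail-platform API would
# expose, such as new inbox rules or risky sign-ins, keyed by mailbox.
MAILBOX_EVENTS = {
    "billing@vendor-example.net": ["inbox_rule_created"],
}

PAYMENT_RE = re.compile(r"\b(wire|invoice|bank details|direct deposit|routing number|gift cards?)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent(ly)?|immediately|asap|today|confidential)\b", re.I)


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def gateway_verdict(mail: Email) -> str:
    """Plain text from a domain that authenticates is simply delivered."""
    return "deliver" if mail.auth_pass else "quarantine"


def context_signals(mail: Email, contacts=KNOWN_CONTACTS, events=MAILBOX_EVENTS) -> list[str]:
    """Return the human-readable reasons this message does not fit its context."""
    reasons = []
    # 1. Display-name impersonation: a trusted person's name on a different address.
    for addr, info in contacts.items():
        if mail.from_name.lower() == info["name"].lower() and mail.from_addr.lower() != addr:
            reasons.append(f"display name '{mail.from_name}' belongs to {addr}, not {mail.from_addr}")
    # 2. Relationship anomaly: unknown sender, or a sender writing to an unusual recipient.
    known = contacts.get(mail.from_addr.lower())
    if known is None:
        reasons.append("sender has no communication history with the organization")
    elif mail.to_addr.lower() not in known["writes_to"]:
        reasons.append(f"{mail.from_addr} does not normally write to {mail.to_addr}")
    # 3. Reply-To steering replies to a different domain than the visible sender.
    if mail.reply_to and domain(mail.reply_to) != domain(mail.from_addr):
        reasons.append("Reply-To domain differs from From domain")
    # 4. Financial request and 5. urgency or secrecy pressure in the text.
    text = f"{mail.subject}\n{mail.body}"
    if PAYMENT_RE.search(text):
        reasons.append("message requests a payment or a change to payment details")
    if URGENCY_RE.search(text):
        reasons.append("message applies urgency or secrecy pressure")
    # 6. Account-level event on the sending mailbox (compromised legitimate sender).
    for ev in events.get(mail.from_addr.lower(), []):
        reasons.append(f"sender mailbox recently had event: {ev}")
    return reasons


def context_verdict(mail: Email) -> str:
    """Hypothetical policy: 3+ signals block, 1-2 route to human verification."""
    n = len(context_signals(mail))
    return "block" if n >= 3 else "review" if n >= 1 else "deliver"


# Constructed sample messages; every address and domain here is made up.
SAMPLES = {
    "exec_impersonation": Email(
        from_name="Dana Reyes", from_addr="dana.reyes.cfo@freemail-example.com",
        reply_to="dana.reyes.cfo@freemail-example.com", to_addr="ap@example.com",
        subject="Quick favour",
        body="Are you at your desk? I need an urgent wire sent today, keep this confidential.",
        auth_pass=True),
    "routine_internal": Email(
        from_name="Dana Reyes", from_addr="cfo@example.com", reply_to="",
        to_addr="ap@example.com", subject="Q3 budget deck",
        body="Attached is the Q3 budget deck for review before Friday's meeting.",
        auth_pass=True),
    "compromised_vendor": Email(
        from_name="Vendor Billing", from_addr="billing@vendor-example.net", reply_to="",
        to_addr="ap@example.com", subject="Updated invoice",
        body="Please note our bank details have changed; pay the attached invoice to the new account.",
        auth_pass=True),
}

if __name__ == "__main__":
    for label, mail in SAMPLES.items():
        print(f"{label}: gateway={gateway_verdict(mail)} context={context_verdict(mail)}")
        for reason in context_signals(mail):
            print(f"  - {reason}")
```

All three samples authenticate, so the gateway delivers all three. The contextual pass blocks the free-mail executive impersonation on four signals, delivers the routine budget email with none, and sends the vendor's bank-detail change to review because a payment change coinciding with a new inbox rule on the sending mailbox is exactly the compromised-account pattern worth a phone call before funds move.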
Looking Ahead
Unfortunately, BEC isn’t going away anytime soon. If anything, attackers will continue to refine their strategies with the same AI advancements that CISOs and security teams are adopting. The most effective defense is proactive—blocking malicious messages before they hit inboxes.
That’s why leading organizations are turning to AI-native security platforms like Abnormal, which analyze identity, context, and behavior to detect anomalies in real time and remediate threats in milliseconds. By shifting the burden from people to technology, these defenses reduce risk and prevent attackers from exploiting human trust.
As adversaries grow more sophisticated, organizations must respond with equal precision, using context-driven innovation to safeguard their workforce against the $2.8 billion threat that continues to rise.
Interested in learning more? Download the CISO Guide to BEC today!