Business email compromise is the most expensive crime in cybersecurity. Not ransomware, not data breaches, business email compromise: a believable message that convinces someone to send money or change a payment detail. It has always worked because it targets trust and routine rather than technology. AI has now removed its last weaknesses, the typos and the clumsy phrasing that used to give it away, and handed attackers the ability to write a flawless reply inside a real conversation. If your defence against this is a spam filter and a hope that staff will notice something off, you are exposed to the single costliest attack going.
This is the seventh post in our series on how AI is reshaping each layer of your security stack. It builds directly on the human layer post, and the full ecosystem overview ties the whole series together.
The FBI’s Internet Crime Complaint Center attributed around 2.77 billion US dollars in losses to business email compromise across more than 21,000 reported incidents in a single year, and the real figure is higher because so much goes unreported. What makes it so effective is what it lacks. A classic BEC message often has no malicious link and no attachment for a filter to catch. It uses real names, real business context, and the pressure of authority or a deadline. The 2025 Verizon Data Breach Investigations Report found phishing drove 36 percent of confirmed breaches, and BEC is its most profitable form.
AI has made these messages mirror exactly how your business communicates. They reference real projects, mimic a supplier’s tone, and arrive at precisely the right moment in a payment cycle. The crude “urgent wire transfer” request is fading: direct wire requests now account for only around 4 percent of BEC cash-outs. The modern game is quiet payment redirection inside workflows that already exist. It has also industrialised, with criminal markets selling business-email-compromise kits complete with templates and fake personas, so the barrier to running a convincing campaign has collapsed.
Two attack patterns dominate. The first is thread hijacking and vendor invoice fraud. An attacker inserts themselves into a genuine email conversation about a real invoice and quietly supplies “updated” bank details. Because the request lands inside a real thread, with real participants and the right timing, it carries built-in credibility. The second, and more dangerous, is account takeover. Once an attacker is inside a legitimate mailbox, the fraudulent emails come from a real, trusted address and pass every authentication check, because they genuinely originate from your domain. Defences that only scan inbound external email never see them.
Every business should have SPF, DKIM, and DMARC configured, ideally progressing from a monitoring policy through to full reject, because they stop criminals spoofing your domain from the outside. But here is the part many providers gloss over: those protocols do nothing once an attacker is operating from inside a real account. Account takeover is the primary enabler of serious BEC, and the primary defence against account takeover is strong, phishing-resistant multi-factor authentication, backed by something that watches accounts for compromise after login.
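The monitoring-to-reject progression above can be checked mechanically. The script below is an added example, not code from the post or from Epic IT: it parses an SPF and a DMARC record and lists the gaps a reviewer would flag, using constructed records for a fictional domain (in practice you would read them from DNS, TXT at the domain for SPF and at `_dmarc.<domain>` for DMARC).

```python
"""Rate the spoofing exposure left by a domain's SPF and DMARC records.

Added example, not code from the post or from Epic IT. The records below are
constructed for a fictional domain; in practice you would read them from DNS.
"""

# Constructed sample records: a domain still in monitoring, and one enforcing.
SAMPLE_RECORDS = {
    "monitoring": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none",
    },
    "enforcing": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
    },
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf: str, dmarc: str) -> list:
    """Return the gaps a reviewer would flag; an empty list means fully enforcing."""
    gaps = []
    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "none").lower()
    if policy == "none":
        gaps.append("DMARC p=none: failures are only reported, spoofed mail is still delivered")
    elif policy == "quarantine":
        gaps.append("DMARC p=quarantine: spoofed mail lands in junk rather than being rejected")
    if policy != "none" and int(tags.get("pct", "100")) < 100:
        gaps.append(f"DMARC pct={tags['pct']}: policy applies to only part of failing mail")
    if "rua" not in tags:
        gaps.append("no rua address: no aggregate reports, so you cannot see who sends as you")
    mechanisms = spf.lower().split()
    if not mechanisms or mechanisms[0] != "v=spf1":
        gaps.append("no SPF record: receivers cannot tell which servers may send for you")
    elif mechanisms[-1] in ("+all", "?all", "all"):
        gaps.append(f"SPF ends in {mechanisms[-1]}: any server may send as the domain")
    return gaps
```

Run `assess(**SAMPLE_RECORDS["monitoring"])` to see the two gaps a p=none domain without reporting leaves open; the enforcing record returns none.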
That is how we approach it. Phishing-resistant MFA and conditional access, covered in our Zero Trust post, make stolen credentials far harder to use. Huntress ITDR watches your Microsoft 365 accounts for the signs of takeover that authentication alone will miss. Email authentication is configured properly rather than left half-done. KnowBe4 training prepares the people. And underneath it all sits the one control that defeats the payment itself. It all ties into our managed cyber security.
| Defence layer | What it stops | The gap it leaves |
|---|---|---|
| SPF, DKIM, DMARC | Criminals spoofing your domain from outside | Nothing once a real account is compromised |
| Phishing-resistant MFA | Account takeover using stolen passwords | Staff being talked into acting |
| Identity threat detection (Huntress ITDR) | Account takeover after it occurs | The payment itself if the process is weak |
| Payment verification policy | Fraudulent payments and bank-detail changes | Requires consistent discipline |
| Awareness training (KnowBe4) | Staff acting on a convincing request | Occasional human error remains |
The single most effective defence against payment fraud is a process rule, not a product: no bank-detail change, invoice payment, or transfer is ever actioned on the basis of an email alone. Every change is verified by calling the supplier or colleague on a known, previously held number, never a number supplied in the message. It is free, and it defeats both thread hijacking and account takeover, because it does not matter how genuine the email looks if the payment is confirmed through a separate channel.
Enforce DMARC and phishing-resistant MFA. A DMARC policy left on monitoring and MFA that can be phished are both gaps attackers actively look for. Move DMARC to reject and roll out phishing-resistant MFA to finance and executives first.
Add identity threat detection and internal email visibility. If your security only inspects inbound external mail, account-takeover BEC is invisible to you. You need to see internal-to-internal activity and watch accounts for compromise.
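One concrete thing "watching accounts for compromise" means in practice is reviewing mailbox-rule changes, since a rule that forwards or deletes invoice mail lets an attacker work a real thread unseen. The code below is an added example, not the post's or Huntress's own detection logic; the events are constructed to approximate the shape of Microsoft 365 unified audit log records for inbox-rule operations (`Operation`, `UserId`, `Parameters`), and the addresses and rule names are fictional.

```python
"""Flag mailbox-rule changes that commonly follow an account takeover.

Added example, not the post's or Huntress's detection logic. Events are
constructed to approximate Microsoft 365 unified audit log records for
Exchange inbox-rule operations; assume your log export yields such dicts.
"""

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Parameters that move mail out of the owner's sight: forwarding or deletion.
EXFIL_OR_HIDE = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
PAYMENT_WORDS = ("invoice", "payment", "bank", "remit", "wire")

SAMPLE_EVENTS = [  # constructed sample records, fictional mailboxes
    {"Operation": "New-InboxRule", "UserId": "ap@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;bank details"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "ap@example.com",
     "Parameters": [{"Name": "Identity", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@external.example"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "UserLoggedIn", "UserId": "cfo@example.com", "Parameters": []},
]


def rule_findings(event: dict) -> list:
    """Return why this rule change looks like takeover tradecraft, [] if benign."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    p = {x["Name"]: x["Value"] for x in event.get("Parameters", [])}
    findings = []
    for key in sorted(EXFIL_OR_HIDE & p.keys()):
        findings.append(f"{key}={p[key]}: mail leaves or is deleted before the owner sees it")
    name = p.get("Name", p.get("Identity", ""))
    if not name.strip(" ."):  # blank or dot-only names are easy to miss in the rule list
        findings.append("rule name is blank or punctuation only")
    subjects = p.get("SubjectContainsWords", "").lower()
    if any(w in subjects for w in PAYMENT_WORDS):
        findings.append("rule targets payment-related subjects")
    return findings


def triage(events: list) -> dict:
    """Group findings by mailbox so an analyst sees which accounts need review."""
    by_user = {}
    for event in events:
        for finding in rule_findings(event):
            by_user.setdefault(event["UserId"], []).append(finding)
    return by_user
```

`triage(SAMPLE_EVENTS)` surfaces only the accounts-payable mailbox, whose two rule changes hide and forward invoice mail, while the CFO's newsletter rule and plain sign-in produce nothing.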
Put the payment verification rule in writing and enforce it. This is the control that stops the money leaving. Contact Epic IT for a free Microsoft 365 security review and we will show you where your BEC exposure sits.
Next in the series: network segmentation in a world of autonomous AI agents.
Our Perth-based team can run a free Microsoft 365 security review and map your exposure to business email compromise. Contact us on 1300 EPIC IT.