Enterprise electronic mail compromise (BEC) is commonly described within the media as merely an electronic mail rip-off, however in actuality, it’s a part of a broader, orchestrated operation. Electronic mail itself is just a part of the assault chain. To assist profitable monetization by way of electronic mail fraud, attackers have to be affected person and study the procurement processes inside a corporation and construct or hire the complete infrastructure and operations.
A single BEC typically entails getting access to the focused enterprise, accumulating uncooked information, analyzing the mailbox context, constructing dependable communication channels, accessing dependable fee infrastructure, coordinating every little thing on the proper time, and discovering out how you can transfer the funds after the theft.
Flare researchers sampled and analyzed underground posts associated to BEC over the previous 12 months. Highlights of the findings embrace:
- AI-powered BEC is rising in recognition, decreasing studying time and bettering the “high quality” of fraud.
-
Attackers are primarily fascinated by SaaS accounts (comparable to O365). Company leaders and monetary workers are essentially the most desired targets.
-
There are particular name facilities aimed toward placing stress on focused corporations to finish fraudulent funds.
-
Cashout is the most important bottleneck for BEC, requiring hackers to discover a related enterprise checking account or cashout associate, which is taken into account a comparatively troublesome process.
BEC goes past electronic mail boundaries
BEC begins with entry to your group’s mailbox or enterprise SaaS account. As soon as compromised, attackers typically analyze accounts to probe and map organizations, primarily by understanding organizational construction, notably monetary privileges, procurement processes, inside conversations, vendor communications, invoices, and so on.
As soon as every little thing is collected, the attacker can try a malicious request.

That is what makes BEC troublesome to detect. Suspicious emails from unknown senders are one other downside. However messages despatched from a compromised mailbox utilizing actual names, actual billing references, and acquainted language inside present conversations are a lot more durable for workers to query.
Unsurprisingly, Flare’s information reveals that attackers worth the e-mail accounts of finance workers as a device for understanding monetary operations.
Inside these accounts, attackers are on the lookout for referenced accounts receivable, payables, payroll, invoices, late funds, and buyer fee relationships.

Should you’re not a buyer but, join a free trial to achieve entry.
Case Research: Hacker Dialogue on BEC
A thread referred to as “Enterprise Electronic mail Compromise (BEC) – Experiences and Dialogue” created by a risk actor named Bigjack in January 2026 clearly reveals how this tactic works.

Bigjack described how you can use distant entry malware to achieve preliminary entry, then compromise an organization’s mailbox and use it to ship invoices. The attacker’s questions targeted on empirical and sensible facets of fraud somewhat than technical intrusions.
-
When will the bill be despatched?
-
The right way to create urgency
-
The right way to ask for giant sums of cash with out suspicion
-
Which mailbox data needs to be reused?
-
What proof are you able to current if questioned?
-
What errors can break the operation
The replies present how different risk actors view BEC and their experiences. One attacker emphasised the significance of intercepting the invoice fee course of. One other official stated crucial side is figuring out who’s verifying fee requests and defrauding them. Different attackers emphasize the significance of cashing out, with dependable cooperation and assist being crucial side.
This one communication clearly reveals how risk actors take into consideration BEC. Expertise has taught that attackers should absolutely perceive the procurement course of (proper timing, proper stress, proper financials, proper payee accounts) earlier than they’ll start successfully sending fraudulent invoices.
From compromised monetary accounts to using money withdrawal networks and name facilities, risk actors brazenly plan BEC operations in felony boards.
Flare displays these discussions so we will see when an assault is happening earlier than an bill is distributed.
Uncover BEC underground indicators without cost
Money out half is the bottleneck
Monetizing BEC is almost unattainable with no dependable and appropriate receiving account. Menace actors connect with mule networks and make the most of cashout companies. It is a troublesome process. It is because the attacker must discover a trusted, operational, and “clear” related checking account to finish the fraud.
The risk actor named neoresu emphasizes that particular care have to be taken not solely with the vacation spot checking account, but in addition with the particular person verifying the fee. He additionally talked about utilizing name facilities to offer companies and enhance success charges.
One other actor named “Capita” claimed to have been working a BEC operation in Europe (primarily Germany, Finland, and Austria) for six years, and defined that he used peer-to-peer fund transfers and name facilities to stress corporations to hurry up funds.
Some posts are recruiting cash mules for the BEC scheme. This particularly entails enterprise financial institution accounts and fast cash transfers.

Should you’re not a buyer but, join a free trial to achieve entry.
Help that places stress on name facilities
Some posts additionally point out calls as a part of the BEC course of. Within the Bigjack thread, attackers requested when to name after submitting an bill, whereas one other participant claimed to be working a name middle used to stress companies to hurry up funds.
That is essential as a result of BEC shouldn’t be essentially an email-only rip-off. A follow-up name could make your request really feel extra legit and pressing. For the defender, a second channel shouldn’t be handled as proof of authenticity if the requester launched or managed that channel.
BEC assault utilizing AI
Primarily based on underground discussions, AI is more and more being deployed to enhance the effectiveness and scalability of BEC campaigns.
The next submit by blackhatpakistan explains how risk actors are utilizing AI to generate reasonable enterprise communications, imitating the writing fashion of executives and workers, and crafting context-aware fee requests and bill fraud emails that mix into legit communications.
AI lets you create 1000’s of distinctive electronic mail variations somewhat than counting on a single template, making campaigns harder to determine by conventional content-based detection methods.
Devoted underground instruments are additionally being promoted to generate whole electronic mail dialog chains, permitting attackers to hijack present offers and inject extra plausible fraudulent fee requests.

Should you’re not a buyer but, join a free trial to achieve entry.
Sensible recommendation for defenders
Underground discussions clearly point out that BEC defenses have to be strengthened. Safety posture ought to begin lengthy earlier than the primary fraudulent bill arrives. What we discovered from the attackers:
-
Attackers goal particular folks inside a corporation. Defenders should determine potential targets and apply extra coaching to leaders, finance departments, and people taking part within the procurement course of.
-
Attackers at the moment are utilizing AI-powered artifacts comparable to emails, invoices, paperwork, and messages. Defenders have to determine AI-generated content material and deepfake objects.
-
Attackers use devoted name facilities to stress monetary determination makers and fee approvers into authorizing fraudulent transactions. Defenders want to collect data and study what methods these facilities are utilizing to higher educate related workers.
-
Attackers emphasize the significance of particular time limits when the approver waits for trip, in addition to different suggestions to enhance the success price of the fraud. Defenders ought to study these particular markers and apply additional protection mechanisms throughout particular durations, comparable to worker holidays.
Flare will help by offering safety groups with visibility into these underground markets and monitoring related metrics throughout uncovered worker credentials, company domains, login portals, SaaS purposes, and deep and darkish internet sources.
This permits organizations to detect when entry factors seem in credential assortment or search service advertisements, prioritize essentially the most related exposures, and reply quicker to reset passwords, revoke periods, implement MFA, and examine potential account abuse.
Join a free trial to study extra.
Sponsored and written by Flare.
