chat
expand_more

How BEC Attacks Are Evolving in the AI Era

Discover how to protect your business from sophisticated BEC attacks, including vendor email compromise, AI-generated scams, and email thread hijacking.
August 1, 2024

This article originally appeared in SC Media.

Email scams targeting businesses have existed since the early days of email. Many of us are familiar with the “Nigerian Prince” scams that characterized phishing attacks in the 1990s, which duped thousands of people despite their absurdity. But as they became more common, costing more people significant amounts of money, awareness of these kinds of attacks grew until threat actors were forced to pivot to other more effective tactics.

That gave way to business email compromise (BEC) attacks—an evolution of traditional phishing scams that grew in popularity over the last decade. The hallmark of a BEC attack is impersonation, where criminals pretend they are trusted identities (usually colleagues or company executives) through spoofed email addresses or compromised accounts, and trick their targets into divulging sensitive information or making unauthorized financial transactions.

CEO gift card scams are one of the hallmark BEC types we’ve seen in recent years. While these kinds of attacks were initially highly successful—especially because of their exploitation of human trust—most organizations have effectively trained (or are actively training) their employees to spot these attacks before it’s too late.

This puts threat actors right back at the beginning of their innovation cycle. What will they do next to refine or create new BEC attack tactics in an effort to outwit their targets? As the latest FBI Internet Crime Report shows, BECs still remain a significant threat to modern enterprises, exposing them to billions of dollars in losses each year. As a result, it’s critical for CISOs to keep up with their shifting tactics.

Here are just a few emerging BEC methods that are increasingly occurring, which security leaders should watch for.

Vendor Email Compromise

Vendor email compromise (VEC) functions as a spin on the traditional BEC attack, but rather than impersonating someone within the target’s organization, these attacks impersonate a trusted vendor (or use a compromised vendor account) to execute an invoice scam or other financial fraud. These attacks are highly successful because they exploit the trust and existing relationships between vendors and customers through social engineering.

VEC attacks often ask the recipient to pay an outstanding invoice or update their billing account details (to a fraudulent bank account) for their next payment. And because vendor conversations often involve invoices and payments, these attacks rarely raise red flags—unlike the CEO gift card requests that have become nearly synonymous with BEC.
Because VECs leverage known identities—whether through compromising a vendor’s account or spoofing a legitimate domain—they are often incredibly difficult to detect. They can fool even the most cybersecurity-savvy employees, which can quickly lead to lost revenue.

AI-generated BEC Attacks

Previously, many cybercriminals relied on templates to launch their BEC campaigns. Because of this, a large percentage of attacks share common indicators of compromise that the human eye can detect, as well as by traditional security software.

However, generative AI tools like ChatGPT let scammers craft unique, perfectly written, and highly targeted content instantly, making detection exponentially more difficult. Although Open AI has restricted the use of ChatGPT to create malicious content, cybercriminals have responded by finding creative ways around these controls by “jailbreaking” ChatGPT or even creating their own malicious platforms like FraudGPT and WormGPT.

Over the past year, we’ve seen numerous attacks that were likely generated by AI. While AI-generated content on its own does not directly indicate an email attack, it’s another signal that security teams can evaluate—alongside other patterns in email behavior—to detect an attack.

Email Thread Hijacking

Attackers increasingly employ email thread hijacking to insert themselves into an existing and legitimate email conversation. By impersonating one of the parties with a lookalike domain or even fabricating a completely new identity, the attacker will hijack the email thread to launch further phishing exploits, monitor emails, learn the organizational command chain, and target those who authorize financial transactions.

Thread hijacking attacks typically start with account compromise, allowing attackers access to the inbox to begin searching for ongoing conversations about payments or other sensitive information. They then hijack those threads by pasting the conversation into a new email (usually with a lookalike or typo-squatted domain) and carrying on the conversation with the original recipients.

Because the other recipients are familiar with the conversation and the threat actor replaces the victim, the message often gets overlooked as a continuation of the conversation, which can lead to devastating results. By simply reading and understanding the conversation history—and even automating this process through generative AI—attackers can seamlessly blend into the conversation

These attacks are especially dangerous and difficult to detect because there’s often no way for the average employee to realize that they are no longer communicating with their known colleague or vendor. We’ve seen recent instances where sophisticated attackers incorporate additional thread-hijacking tactics, like copying additional “colleagues” into the conversation. Those “colleagues” are actually their adversarial counterparts, using lookalike domains to increase legitimacy.

Attackers will likely always prefer BEC attacks as a first choice and will continue as a leading category in financial losses. Why? Because they work. Humans remain the biggest weakness in today’s organizations as they put immense amounts of trust in their digital communications. Cybercriminals know this and we can count on them continuing to employ novel techniques to exploit that trust—using social engineering tactics to log in, rather than hack in.

Stopping Modern Attacks Requires a Modern Approach to Cybersecurity

Traditional threat detection products, particularly those that rely on detecting known signatures like malware attachments and suspicious links, can only go so far in preventing this threat. Human behavior isn’t a static attack signal, and organizations will need dynamic products that can learn and adapt to user behaviors in their email environment.

Basing detection on user behavior signals can let teams detect anomalies indicative of attacks, no matter where or how they originate—whether through a spoofed vendor domain, a compromised executive account, an AI-generated email attack, or whatever technique hackers use next to launch BEC attacks.


Learn more about the ways attackers exploit AI for malicious purposes in our white paper, The Rise, Use, and Future of Malicious Al: A Hacker's Insight.

Get the Report
How BEC Attacks Are Evolving in the AI Era

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Proofpoint Customer Story F500 Insurance Provider
A Fortune 500 insurance provider blocked 6,454 missed attacks and saved 341 SOC hours per month by adding Abnormal to address gaps left by Proofpoint.
Read More
B Malicious AI Platforms Blog
What happened to WormGPT? Discover how AI tools like WormGPT changed cybercrime, why they vanished, and what cybercriminals are using now.
Read More
B MKT748 Open Graph Images for Cyber Savvy 7
Explore insights from Brian Markham, CISO at EAB, as he discusses cybersecurity challenges, building trust in education, adapting to AI threats, and his goals for the future. Learn how he and his team are working to make education smarter while prioritizing data security.
Read More
B Manufacturing Industry Attack Trends Blog
New data shows a surge in advanced email attacks on manufacturing organizations. Explore our research on this alarming trend.
Read More
B Dropbox Open Enrollment Attack Blog
Discover how Dropbox was exploited in a sophisticated phishing attack that leveraged AiTM tactics to steal credentials during the open enrollment period.
Read More
B AISOC
Discover how AI is transforming security operation centers by reducing noise, enhancing clarity, and empowering analysts with enriched data for faster threat detection and response.
Read More