Business Email Compromise (BEC) has been one of the costliest cybercrime categories for years. But a new generation of attacks is emerging—one fueled by artificial intelligence and unprecedented levels of personalization.
Traditional BEC attacks often relied on spoofed emails and urgent requests from seemingly trusted executives. Today’s attackers are taking things much further. Using generative AI, publicly available information, social media activity, corporate websites, and even data harvested from previous breaches, cybercriminals can craft messages that closely resemble legitimate business communications.
The result is a highly convincing attack that feels less like phishing and more like an authentic business conversation.
Personalization at Scale
Historically, highly targeted attacks required significant time and research. AI is changing that equation.
Attackers can now rapidly analyze organizational structures, identify key decision-makers, and generate customized emails tailored to specific departments or individuals. A finance employee might receive a payment request that references an actual vendor relationship. An HR manager could be targeted with a message related to a real hiring initiative. A company executive may receive what appears to be a legitimate request from a board member or business partner.
What once took hours of manual research can now be accomplished in minutes, allowing threat actors to scale sophisticated attacks across multiple organizations simultaneously.
Beyond Email: The Rise of Synthetic Trust
The threat is no longer limited to inboxes. AI-generated voice cloning and synthetic media are increasingly being incorporated into social engineering campaigns.
In several widely reported incidents, organizations have encountered attackers using AI-generated voices and deepfake video technology to impersonate executives during calls and virtual meetings. In one of the most notable cases, a finance employee at a multinational company was reportedly deceived into transferring approximately $25 million after participating in a video conference populated by AI-generated executive impersonations.
Why Traditional Security Controls Aren’t Enough
Many organizations have invested heavily in email filtering, spam detection, and employee awareness training. While these remain important, hyper-personalized attacks can often bypass defenses designed to identify generic phishing attempts.
Organizations should focus on strengthening verification processes around financial transactions, payroll changes, vendor management, and access requests. Multi-factor authentication, identity verification controls, and out-of-band approval workflows are becoming increasingly important safeguards against AI-enhanced fraud.
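An out-of-band approval check of the kind described above, as an added example that is not from the original article. The class names, channel labels, and the dual-approval threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Request types the article names as needing stronger verification.
HIGH_RISK = {"payment", "payroll_change", "vendor_change", "access_request"}
DUAL_APPROVAL_AMOUNT = 10_000  # assumed threshold, set per organization


@dataclass
class Confirmation:
    approver: str
    channel: str         # e.g. "phone", "in_person", "ticket"
    contact_source: str  # "directory" (on-file record) or "request" (from the message)


@dataclass
class Request:
    kind: str
    requester: str
    channel: str         # channel the request arrived on: "email", "video_call", ...
    amount: float = 0.0
    confirmations: list = field(default_factory=list)


def evaluate(req):
    """Return ("allow" | "hold", reasons) for a single request."""
    if req.kind not in HIGH_RISK:
        return "allow", []
    reasons, approvers = [], set()
    for c in req.confirmations:
        if c.channel == req.channel:
            reasons.append(f"{c.approver}: confirmed on the same channel as the request")
        elif c.contact_source != "directory":
            reasons.append(f"{c.approver}: contact details came from the request itself")
        elif c.approver == req.requester:
            reasons.append(f"{c.approver}: requester cannot confirm their own request")
        else:
            approvers.add(c.approver)
    needed = 2 if req.amount >= DUAL_APPROVAL_AMOUNT else 1
    if len(approvers) < needed:
        reasons.append(f"{len(approvers)} of {needed} out-of-band confirmations")
        return "hold", reasons
    return "allow", reasons


# Constructed sample: a wire request made on a video call and "confirmed"
# by calling the number supplied during that same call.
wire = Request("payment", "cfo", "video_call", 250_000,
               [Confirmation("ap_clerk", "phone", "request")])
print(evaluate(wire))
```

The request is held no matter how convincing the call looked, because the decision depends only on who confirmed it, over which channel, and where the contact details came from.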
Just as critical is educating employees about how AI is changing the threat landscape. Workers who understand the capabilities of modern social engineering are better equipped to recognize suspicious requests, even when they appear legitimate.
Preparing for the Next Wave of BEC
The future of Business Email Compromise is not simply more phishing—it’s more believable phishing. As AI tools become more powerful and accessible, organizations should expect attackers to create increasingly personalized, context-aware fraud attempts.
The most effective defense will combine technology, process controls, and employee awareness. In an environment where attackers can convincingly imitate trusted individuals, organizations must place greater emphasis on verifying identities rather than trusting appearances. The companies that adapt now will be better positioned to withstand the next evolution of AI-driven fraud.
