The “AI-Generated Business Email Compromise” (BEC): Spotting the Perfect Impersonation


Article summary: Business email compromise has always been dangerous, but AI has removed the most reliable warning signs. Today’s BEC emails are indistinguishable from genuine correspondence because attackers build them using real information about your team, your vendors, and your workflows. The defence has shifted from spotting bad writing to enforcing process controls that work regardless of how convincing an email looks.

Your office manager gets an email from the firm’s owner, who is travelling at a client conference. The greeting uses her first name. The tone matches exactly how he writes. The message references a real supplier your company uses and asks for an urgent payment to be processed before end of day; the owner will explain the details when he’s back.

Your manager sends the transfer. The owner knows nothing about it. The email was never from him.

This is how AI-generated business email compromise (BEC) works in 2025. The old tells are gone.

Cybersecurity awareness training still matters, but the attack has evolved faster than most teams’ instincts.

What AI Has Changed About BEC

For years, the standard advice was to look for poor spelling, awkward phrasing, or a generic tone. Those signals worked because most fraudulent emails were written by non-native English speakers working from rough templates. 

AI has erased that advantage almost entirely.

Generative AI tools let attackers use writing samples scraped from sources like LinkedIn or compromised inboxes to generate messages that match a person’s voice and style. The result reads like the real thing because it was modelled on the real thing.

By mid-2024, an estimated 40% of BEC phishing emails were AI-generated, according to VIPRE Security Group’s Email Threat Trends Report.

The FBI’s Internet Crime Complaint Center recorded over $2.7 billion in adjusted losses from BEC in 2024 alone.

According to the FBI’s IC3, BEC consistently ranks as one of the costliest forms of cybercrime globally. 

Canadian businesses are not exempt. The Canadian Anti-Fraud Centre tracks millions in losses annually, and small and medium-sized businesses are frequently targeted precisely because they tend to have less formal financial controls.

How These Attacks Are Constructed

Public information is the raw material

Before an attacker writes a single word, they research. Your company website, LinkedIn profiles, social media posts, and news mentions all provide the context needed to build a believable message.

For smaller businesses, this research often takes minutes. A profile page naming your operations manager, a LinkedIn post announcing a new contract, and a cached invoice PDF can give an attacker everything they need. With this, they construct a fraud scenario that references real details your team will recognize.

The email that passes every test

AI-generated BEC emails are increasingly designed to clear technical filters as well as human scrutiny.

They contain no malicious links or attachments, which means they pass most email security scans. The sender may use a slightly altered domain, or a spoofed display name that shows a familiar name while the underlying address is something else entirely.

In more sophisticated cases, attackers gain access to a real email account and send messages from it directly.

The RCMP’s guidance on BEC notes that spoofed addresses are often off by a single character. This is easy to miss when a message feels otherwise completely legitimate.

What the Warning Signs Look Like Now

Since AI neutralizes writing quality as a reliable indicator, the signals worth watching for have shifted. They are less about how the email reads and more about what it is asking you to do.

These are the patterns that should trigger a pause regardless of how convincing the message appears:

●  A payment request or change to banking details arrives by email alone, with no prior phone or in-person discussion

●  The request carries urgency 

●  The ask falls slightly outside normal process

●  The sender’s display name looks familiar but the actual email address, when checked carefully, is slightly off

●  A vendor emails to say their banking details have changed and asks you to update your payment records
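The address and wording checks in the list above, and the RCMP’s point that spoofed addresses are often one character off, can be turned into a first-pass screen. The following is an added example, not code from the article or from Haxxess: it assumes a short list of domains the business already knows (its own and its vendors’) and flags a display name shown over an unknown or look-alike address, a Reply-To that diverts replies elsewhere, and payment or urgency wording. A non-empty result means “pause and verify out of band”, not “this is certainly fraud”.

```python
"""Flag the BEC warning signs the article lists in an inbound message.

Added example, not code from the article or from Haxxess. It assumes a
short list of domains the business already knows (its own and its vendors')
and checks: a display name shown over an address on an unknown or one-off
domain, a Reply-To that diverts replies elsewhere, and payment-change or
urgency wording.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample values: the firm's own domain and one supplier's domain.
KNOWN_DOMAINS = {"example-firm.ca", "northern-supply.ca"}

PAYMENT_PHRASES = ("banking details", "bank details", "wire", "transfer",
                   "update your payment", "new account")
URGENCY_PHRASES = ("urgent", "before end of day", "asap", "right away", "today")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch domains that are one character off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known: set) -> str:
    """Return the known domain this one imitates (within two edits), else ''."""
    for k in sorted(known):
        if domain != k and edit_distance(domain, k) <= 2:
            return k
    return ""


def assess(raw: str, known_domains: set = KNOWN_DOMAINS) -> list:
    """Return a list of human-readable reasons to pause before acting."""
    msg = message_from_string(raw)
    flags = []

    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in known_domains:
        twin = lookalike_of(domain, known_domains)
        if twin:
            flags.append(f"sender domain {domain!r} is a look-alike of {twin!r}")
        else:
            flags.append(f"sender domain {domain!r} is not a known contact domain")
        if name:
            flags.append(f"display name {name!r} shown over an address outside known domains")

    # A Reply-To that differs from From sends the victim's reply somewhere else.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To diverts replies to {reply_to!r}")

    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(p in text for p in PAYMENT_PHRASES):
        flags.append("asks to move money or change banking details")
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("pressures for same-day action")
    return flags


# Constructed sample: the scenario from the opening of the article, sent from
# a domain one character off the firm's real one.
SUSPICIOUS = """\
From: "Dana Kowalski" <dana.kowalski@example-firn.ca>
Reply-To: dana.k.travel@mail.example
To: office@example-firm.ca
Subject: Urgent supplier payment

Hi Jo, I'm at the client conference. Please wire the Northern Supply invoice
before end of day; I'll explain the details when I'm back.
"""

# Constructed sample: routine mail from the real address.
ROUTINE = """\
From: "Dana Kowalski" <dana.kowalski@example-firm.ca>
To: office@example-firm.ca
Subject: Lunch on Friday

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(label, assess(raw) or ["no warning signs"])
```

The suspicious sample trips five flags (look-alike domain, display name over an outside address, diverted Reply-To, payment wording, urgency), while the routine one trips none. The screen is deliberately blunt: wording lists will miss paraphrases, so the real control stays the out-of-band call, and this only decides when that call is mandatory.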

Controls That Hold Up Against AI-Enhanced Fraud

The most effective defences against AI-generated BEC are not technical filters. They are process controls that apply regardless of how polished an email looks.

Verify payment changes out of band

Any request to change banking details or transfer funds should trigger a phone call to a number you already have on file. 

Build dual-authorization into financial workflows

For wire transfers above a set threshold, require two people to approve the transaction independently. 

This is especially important in small businesses where one person often handles both the request intake and the payment execution. Separating those roles eliminates the single point of failure that BEC attacks rely on.
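The two controls just described, the out-of-band call and dual authorization, can be enforced inside a payment workflow rather than left to habit. The following is an added example, not code from the article or from Haxxess; the vendor file, threshold and names are constructed. The point it demonstrates is that release depends only on records the email cannot influence: a callback counts only if it went to the number already on file, and approvals count only from people other than the person who keyed in the request.

```python
"""Enforce two of the article's process controls in a payment workflow: an
out-of-band callback to the number already on file, and dual authorization
above a threshold by people other than the requester.

Added example, not code from the article or from Haxxess. The vendor file,
threshold and names are constructed.
"""
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 10_000  # constructed policy value, in dollars

# Constructed vendor file: details captured at onboarding, never from an email.
VENDOR_FILE = {
    "northern-supply": {"phone": "+1-705-555-0100", "account": "CA-0001"},
}


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    pay_to_account: str              # account the email asks to pay
    requested_by: str                # who keyed the request in
    callback_number: str = ""        # number actually dialled to verify
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)


def record_callback(req: PaymentRequest, dialled: str, confirmed: bool) -> None:
    """Log the verification call; the policy check decides whether it counts."""
    req.callback_number = dialled
    req.callback_confirmed = confirmed


def approve(req: PaymentRequest, approver: str) -> None:
    req.approvers.add(approver)


def release_blockers(req: PaymentRequest) -> list:
    """Return the reasons a payment may not be released; empty means clear."""
    vendor = VENDOR_FILE.get(req.vendor)
    if vendor is None:
        return ["vendor is not on file; onboard it through the normal process first"]
    problems = []

    if req.pay_to_account != vendor["account"]:
        problems.append("requested account differs from the account on file; "
                        "update the file only after the callback confirms the change")

    # The callback only counts if it went to the number on file, not one
    # supplied in the email, and the contact actually confirmed the request.
    if req.callback_number != vendor["phone"]:
        problems.append("verification call was not made to the number on file")
    elif not req.callback_confirmed:
        problems.append("contact on file did not confirm the request")

    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        independent = req.approvers - {req.requested_by}
        if len(independent) < 2:
            problems.append(f"{len(independent)} independent approval(s); "
                            f"two required at this amount")
    return problems


def scenario_from_article() -> list:
    """Constructed: urgent payment to a new account, phone number supplied in the email."""
    req = PaymentRequest("northern-supply", 24_500, "CA-9999", requested_by="office.manager")
    record_callback(req, dialled="+1-416-555-0199", confirmed=True)  # number from the email
    approve(req, "office.manager")
    return release_blockers(req)


def scenario_by_the_book() -> list:
    """Constructed: same amount, account on file, callback to the number on file, two approvers."""
    req = PaymentRequest("northern-supply", 24_500, "CA-0001", requested_by="office.manager")
    record_callback(req, dialled=VENDOR_FILE["northern-supply"]["phone"], confirmed=True)
    approve(req, "owner")
    approve(req, "bookkeeper")
    return release_blockers(req)


if __name__ == "__main__":
    print("article scenario:", scenario_from_article())
    print("by the book:", scenario_by_the_book())
```

The first scenario is blocked three times over (new account, callback to a number the email supplied, no independent approver); the second clears. Encoding the rule this way means a perfectly written email changes nothing, because none of the inputs to the decision come from the email.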

Tighten email authentication settings

SPF, DKIM, and DMARC (email authentication protocols) reduce the number of convincing spoofed addresses that reach your inbox in the first place. 

Most businesses running Microsoft 365 or Google Workspace can enable these by publishing the required DNS records for their domain.

This works well alongside phishing-resistant authentication controls that protect the accounts attackers would need to compromise to send BEC emails from inside your domain.
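What “tighten” means in practice is checking the published records for the permissive settings that let spoofs through. The following is an added example, not code from the article or from Haxxess, nor a vendor tool: it takes the SPF and DMARC TXT record strings you would look up in DNS (for your domain and for `_dmarc.` followed by your domain) and lists what to change, showing a weak record beside its hardened form. The sample records are constructed; the include host is the one Microsoft 365 documents for SPF.

```python
"""Audit SPF and DMARC records for the weak settings that let spoofed mail
reach the inbox.

Added example, not code from the article or from Haxxess. The sample
records are constructed; the include host is Microsoft 365's documented one.
"""
import re

LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "redirect"}
MAX_DNS_LOOKUPS = 10  # limit set by RFC 7208; exceeding it makes SPF fail outright


def audit_spf(record: str) -> list:
    """Return issues with an SPF record ('' means no record published)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: any server can claim to send for this domain"]
    issues = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        issues.append("'+all' authorizes every sender on the internet; end with '-all'")
    elif last == "~all":
        issues.append("'~all' (softfail) only marks spoofed mail; end with '-all' so it hard-fails")
    elif last == "?all":
        issues.append("'?all' (neutral) gives no protection; end with '-all'")
    elif last != "-all":
        issues.append("record has no terminal 'all' mechanism; append '-all'")
    # Count the mechanisms that cost a DNS lookup; more than ten breaks SPF.
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:/=]", t.lstrip("+-~?"), 1)[0].lower() in LOOKUP_MECHANISMS)
    if lookups > MAX_DNS_LOOKUPS:
        issues.append(f"{lookups} DNS lookups exceeds the limit of {MAX_DNS_LOOKUPS}; "
                      f"receivers will treat SPF as a permanent error")
    return issues


def parse_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> list:
    """Return issues with a DMARC record ('' means no record published)."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: receivers are never told to reject mail that fails SPF/DKIM"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only monitors; move to p=quarantine, then p=reject")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to junk; p=reject stops delivery")
    elif policy != "reject":
        issues.append("missing or unrecognised p= tag; set p=reject")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua= address: you will not receive reports showing who is spoofing you")
    return issues


# Constructed sample records for a Microsoft 365 tenant, weak and hardened.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
HARDENED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-firm.ca; pct=100"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, audit_spf(spf) + audit_dmarc(dmarc) or ["nothing to tighten"])
```

Two caveats when acting on the output: DKIM is not checked here because it is enabled on the mail provider’s side (the provider signs outbound mail and you publish its selector keys), and moving DMARC from p=none to p=reject should follow a period of reading the rua= reports so legitimate senders such as invoicing or marketing tools are added to SPF first rather than rejected. None of this stops mail sent from a genuinely compromised account inside your domain, which is why the account protections mentioned above sit alongside it.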

Train your team on the new signals

Awareness training needs to be updated to reflect how BEC looks today.

The message no longer starts with “Dear Sir/Madam.” It starts with your name, references something real, and arrives from an address that looks almost right.

Is Your Team Prepared for an Email That Looks Completely Legitimate?

The practical question for your business is whether your payment processes, email settings, and team habits would hold up against an email that reads perfectly, references a real project, and arrives from what looks like a familiar contact.

If you’d like to assess where your exposure is and tighten the controls that matter most, the team at Haxxess can help. 

Call us at 705-222-8324 or contact us here to book a consultation.

Article FAQs

What is AI-generated business email compromise?

AI-generated BEC is a form of email fraud where attackers use generative AI tools to craft impersonation emails that closely match the writing style and tone of a real person. 

How do I tell if an email is actually from the person it claims to be from?

Check the actual email address, not just the display name. For any financial or sensitive request, call the sender directly using a number you already have stored, not one provided in the email. If the request is unusual or urgent, that is reason enough to verify before acting.

Can email security filters catch AI-generated BEC emails?

Not reliably. AI-generated BEC emails typically contain no malicious links or attachments, which means they bypass most signature-based filters. 
