How AI is changing BEC and phishing attacks


What do you do if you receive an odd email from your boss? Do you hit reply, perform the task, or call your boss to verify the email came from them?

Cybercriminals (also known as "bad actors") are now using AI to create convincing phishing emails. One kind of phishing attack disguises itself as an email or text from someone within your organization. This is called business email compromise (BEC).

When an AI program writes phishing emails, they're nearly indistinguishable from authentic messages from team members. So AI is changing the phishing game, but how? And how can you combat more intelligent BEC attacks?

For over 25 years, WEBIT Services has helped hundreds of clients build effective IT strategies and security practices.

By reading this article, you will learn three ways AI alters BEC and phishing attacks and five strategies you can employ to fight back.

3 ways AI is changing business email compromise and phishing attacks

1. It writes grammatically perfect emails

Once upon a time, you could easily spot a phishing email based on its poor grammar and outlandish requests, but this is not the case with AI-written BEC and phishing messages.

Now, an AI program can create a flawless and convincing email. The grammar, spelling, and syntax are perfect in AI-generated messages. You can no longer spot a phishing email based on subpar writing and grammar.

2. It can learn your company structure, events, and contacts

AI can learn everything about you and your company in moments by observing your social media profiles and websites.

We share so much online to promote ourselves, our company, and our events. Friends and connections on social media profiles give AI programs plenty of educational materials.

Once, cybercriminals had to hack into a company's network to learn about employees. Now, it's all right there online. Just by scanning social media, an AI program can learn who you work for, what you do, and who your coworkers are in moments.

For example, you may publicly post about an organization you support and tag several associates. An AI program can see this post and construct a related email, saying it's from one of your tagged coworkers. The cybercriminal is betting that you won't take the extra step to verify that the email is really from your teammate.

3. It can write in your voice

AI programs can learn your writing voice in moments using online posts and intercepted emails. This allows them to create emails that sound exactly like you.

Emails travel between servers to arrive at their destinations. If cybercriminals have hacked an email server, they can read any messages that come in contact with that server. Encrypting emails is the best way to protect your messages. Otherwise, cybercriminals can glean information or feed these emails to AI programs.

But even if your emails aren't intercepted, AI programs can learn your unique writing voice through social media posts, blog posts, and anywhere else you've left an online footprint.

Not only are new phishing and BEC emails grammatically flawless, but now they sound like people you actually correspond with.

So, for instance, a teammate always signs emails, "Most sincerely yours," and likes inserting smiley emojis. If an AI program creates a BEC attack posing as this teammate, the message will have plenty of smiley faces and end with "Most sincerely yours." You likely won't know that a machine, not your coworker, wrote the email.

5 ways to combat business email compromise and phishing attacks

As cybercrime evolves, so does cybersecurity. As AI programs become smarter, security experts can create and utilize more intelligent tools to battle cyberattacks. Here are 5 strategies you can use to combat BEC and phishing attacks.

1. Use email filtering tools

Make sure your email system is armed with a filtering tool. The filter will catch many spam and phishing emails, so they never enter your inbox. Because fewer harmful emails get through, your organization's chances of being phished decrease.

Filtering tools can also identify emails that come from outside your company. Often, they mark external emails with a banner so readers pay closer attention to those messages.

The recipient can report the email for investigation if an external message seems suspicious.

2. Use phishing reporting tools

Email security platforms like Ironscales allow you to add a phishing report button. This tool can be invaluable in the fight against phishing and BEC.

If someone receives a suspicious email, they report it. AI and humans examine the email and then send a report with one of three results:

  1. The email was spam.
  2. The email was authentic.
  3. The email was a phishing attempt.

If the email is found to be spam or phishing, the sender is blocked, and all future emails are removed from inboxes. This helps prevent future attacks from that sender, reducing your chances of a successful phishing or BEC attack.

Reporting emails also helps the security AI program to learn and bolster its defenses. For example, as you report more emails, the AI identifies more harmful sources, and more dangerous emails are blocked automatically.

3. Carefully inspect emails for details like altered domains

Cybercriminals will create email domains similar to a target organization to send a convincing BEC attack. Their artificial email addresses will look convincing at a glance, but a closer look will reveal differences.

When you receive an email, check to see that the email address and domain are what they should be. For example, is a period out of place? Was a letter replaced with a number?

Suppose you're expecting a message from a coworker with the email address Instead, however, you receive an email from  Did you notice that the I was replaced with a 1?

If a message seems odd or unexpected, closely examine the sender's address before hitting reply, clicking links, or opening attachments. An incorrect sender address could indicate a BEC or phishing attack.
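The check in this step can be made mechanical. The following is an added example, not code from the article or from WEBIT Services: it compares a sender's domain against a list of trusted company domains and flags addresses that differ only by a swapped look-alike character (the "I replaced with a 1" trick), a misplaced period, or a dropped letter. The trusted domain and sample addresses are constructed placeholders.

```python
from difflib import SequenceMatcher

# Characters that are commonly swapped for visually similar ones in a
# look-alike domain. Constructed, illustrative mapping, not exhaustive.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalize_domain(domain: str) -> str:
    """Lower-case the domain and fold common look-alike characters."""
    d = domain.lower().strip().translate(CONFUSABLES)
    # Multi-character confusables: "rn" looks like "m", "vv" looks like "w".
    return d.replace("rn", "m").replace("vv", "w")


def domain_of(address: str) -> str:
    """Return the domain part of an address such as 'Jane <jane@host>'."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">")


def classify_sender(address: str, trusted_domains: list[str]) -> str:
    """
    Classify the sender's domain against trusted company domains.
    Returns 'trusted' (exact match), 'lookalike' (near miss that should be
    treated as a possible BEC attempt) or 'external' (clearly another domain).
    """
    sender = domain_of(address)
    if sender.lower() in {t.lower() for t in trusted_domains}:
        return "trusted"
    sender_norm = normalize_domain(sender)
    for trusted in trusted_domains:
        trusted_norm = normalize_domain(trusted)
        # Identical once confusables are folded: a character was substituted.
        if sender_norm == trusted_norm:
            return "lookalike"
        # Very close in edit terms: a misplaced period or a dropped letter.
        if SequenceMatcher(None, sender_norm, trusted_norm).ratio() >= 0.85:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    trusted = ["example.com"]  # constructed placeholder for your own domain
    for addr in ["jane@example.com", "Jane <jane@examp1e.com>",
                 "jane@exarnple.com", "jane@example.co", "bob@vendor.net"]:
        print(f"{addr:28} -> {classify_sender(addr, trusted)}")
```

A "lookalike" verdict is a reason to verify the message out of band before replying, as step 5 below describes.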

4. Have regular phishing tests

It's not enough to simply know about BEC and phishing attacks. Your organization must also practice identifying and reporting emails regularly. You can accomplish this through random phishing tests—artificial phishing emails constructed by your IT provider or email security platform.

Employees will receive a variety of fake phishing emails. Employees who report them pass the test. However, if they click a link or attachment, they will receive an alert that this was a phishing test and they failed. Employees who fail must participate in cybersecurity training.

These tests keep employees alert and give you a measure of your workforce's cybersecurity habits. As more training and tests occur, phishing test failures should decrease. Testing also gets your employees in the habit of using the phishing report tool.

5. Call or message (but don't email) the sender

When you receive a suspicious email or text, call or message the sender to verify that they sent it. If they did not, you just avoided a phishing attempt and protected your data.

Don't reply directly to the suspicious message until you confirm that this came from your friend or teammate. If you're responding to a BEC or phishing email, you're opening the door to a cyberattack.

For example, you receive a seemingly authentic email from the head of accounting asking you to confirm your social security number. The email address looks correct, and it reads like an official accounting message. But the information it asks for is sensitive and confidential. Should you trust that this came from accounting?

No, you should not. Instead, call the sender or send them a ping. "Hey there, I just received an email asking for my social security number. Did you send this?"

If the head of accounting confirms that they sent the message, you may reply. If they did not, report the phishing attempt immediately.

Taking the extra few minutes to confirm the message's source can save your organization from a cyberattack, protecting confidential information and your system.

Next steps for addressing AI-assisted attacks

As our machines and programming advance, so do cyberattacks and security responses. AI programs can now write convincing fake emails used in BEC and phishing attacks.

AI programs will write emails that:

  1. Are grammatically perfect.
  2. Show knowledge about your organization, contacts, and events.
  3. Sound like you or people you know wrote them.

You can employ specific security tools and strategies to protect your organization from these advanced attacks. These tools and strategies include:

  1. Email filtering
  2. Phishing reporting
  3. Inspecting email domains
  4. Regular phishing testing
  5. Contacting the sender to verify

If you are unsure of your organization's email security tools or practices, talk to your IT provider or internal IT team.

If you don't currently have security tools or practices, your IT provider or team can help you find ones that will best meet your company's security needs.

Suppose your IT provider or team does not know what security tools you're using, does not encourage their use, or refuses to employ the security practices outlined by a recognized security framework. In that case, it may be time to reconsider your partnership.

WEBIT Services has established cybersecurity practices rooted in frameworks for hundreds of clients. In addition, it is passionate about education and effective cybersecurity.

If you are looking for a new provider or have questions about cybersecurity, schedule a free 30-minute consultation to see how WEBIT can help.

If you are not ready to make a commitment but want to learn more about cybersecurity and email security, we recommend the following articles: