Beyond the Inbox: Unmasking the Sophisticated Underbelly of BEC Scams
Business Email Compromise (BEC) is far more than a simple email scam; it's a meticulously organized criminal operation. New research from Flare reveals the intricate steps threat actors take, from initial access and deep organizational reconnaissance to leveraging AI and even dedicated call centers to ensure successful monetization.

Business Email Compromise (BEC) is frequently mischaracterized as a straightforward email scam. In reality, it represents a sophisticated, multi-stage operation requiring significant patience, infrastructure, and an understanding of target organizations' internal processes.
A single BEC campaign often involves gaining initial access to a business, extensive data gathering, meticulous analysis of mailbox contents, establishing reliable communication channels, securing payment infrastructure, precise timing, and overcoming the challenge of illicit money movement.
**Flare** researchers recently analyzed underground forum discussions related to BEC over the past year, uncovering several key trends:
* **AI-powered BEC** is gaining traction, significantly reducing the learning curve for threat actors and enhancing the 'quality' and believability of scams.
* Threat actors primarily target **SaaS accounts**, particularly those associated with **Microsoft 365** (formerly **Office 365**). Corporate leadership and financial employees remain the most sought-after targets.
* Specialized **call centers** are being utilized to apply pressure on targeted businesses, coercing them into finalizing fraudulent payments.
* **Cash-out** remains the most significant bottleneck for BEC operations. Hackers face considerable difficulty in finding suitable business bank accounts or reliable cash-out partners.
## BEC Exceeds the Boundaries of Email
BEC campaigns typically commence with unauthorized access to an organizational mailbox or a business SaaS account. Once inside, threat actors meticulously analyze the account, studying and mapping the organization's structure, with a particular focus on financial privileges, procurement processes, internal communications, vendor interactions, and invoices.
After this intelligence is gathered, the threat actors initiate fraudulent requests.

This deep reconnaissance makes BEC attacks exceptionally difficult to detect. While a suspicious email from an unknown sender might raise red flags, a message originating from a compromised mailbox, embedded within an existing conversation, using real names, legitimate invoice references, and familiar terminology, is far harder for employees to question.
Unsurprisingly, **Flare** data indicates that threat actors highly value access to email accounts belonging to finance department employees, as these provide critical insights into an organization's financial operations.
Within these accounts, threat actors hunt for information related to accounts receivable, accounts payable, payrolls, invoices, overdue payments, and customer payment relationships.

## Case Study: Hacker Discussions on BEC
A forum thread titled "Business Email Compromise (BEC) - Experiences & Discussion," initiated by a threat actor named **Bigjack** in January 2026, vividly illustrates the operational mechanics of these scams.

**Bigjack** detailed using remote access malware for initial access, subsequently compromising company mailboxes to send fraudulent invoices. Interestingly, the actor's questions focused less on the technical aspects of intrusion and more on the practical, experience-driven elements of fraud, such as:
* Optimal timing for sending invoices.
* Strategies to create a sense of urgency.
* Methods for requesting large sums without arousing suspicion.
* Which mailbox information to reuse for authenticity.
* Types of proof to provide if questioned.
* Common mistakes that could jeopardize the operation.
The replies from other threat actors provided further insights into their BEC perspectives. One emphasized the critical importance of intercepting an existing invoice payment process. Another highlighted that identifying and defrauding the individual responsible for validating payment requests is paramount. The significance of the cash-out phase was also frequently stressed, with reliable collaboration and support deemed essential.
This exchange clearly demonstrates the mindset of BEC threat actors: a deep understanding of the procurement process (including timing, pressure points, financial context, and suitable receiving accounts) is crucial for successful fraudulent invoice deployment.
## The Cash-Out Bottleneck
Monetizing BEC is nearly impossible without a reliable receiving account. Threat actors often leverage **mule networks** and specialized cash-out services. This presents a significant challenge, as finding a trustworthy, operational, 'clean,' and relevant bank account to finalize the fraud is notoriously difficult.
A threat actor named **neoresu** underscored that the destination bank account isn't the only concern; the individual validating the payment also requires careful handling. **Neoresu** offered services, including the use of a call center to boost success rates.
Another actor, **Capita**, claimed six years of BEC activity in Europe (predominantly Germany, Finland, and Austria), describing the use of peer-to-peer money movement and call centers to pressure companies into expedited payments.
Numerous posts also explicitly seek to recruit **money mules** for BEC schemes, specifically targeting business bank accounts and fast money transfers.

## Support Call Centers to Apply Pressure
Several underground discussions referenced calls as an integral part of the BEC process. In the **Bigjack** thread, the actor inquired about the optimal timing for a follow-up call after sending an invoice. Another participant claimed to operate a call center specifically designed to pressure companies into faster payments.
This element is critical because BEC is not exclusively an email-based fraud. A well-timed follow-up call can significantly enhance the perceived legitimacy and urgency of a fraudulent request. For defenders, it is crucial to understand that a second communication channel, if introduced or controlled by the requester, should not be automatically treated as proof of authenticity.
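The two defender takeaways above, that the receiving account is the pivot of the fraud and that a second channel supplied by the requester proves nothing, can be turned into a payment-request check. The following is an added example, not Flare's code or tooling; vendor master data, IBANs, phone numbers and the urgency phrase list are constructed placeholders, and the callback number is always taken from the vendor record, never from the email.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class VendorRecord:
    """Vendor master entry captured at onboarding (constructed sample data)."""
    name: str
    iban: str
    callback_phone: str  # sourced independently of any email

@dataclass(frozen=True)
class PaymentRequest:
    """Fields extracted from an inbound invoice email (constructed sample data)."""
    vendor_name: str
    iban: str
    body: str
    in_existing_thread: bool
    phone_in_email: Optional[str] = None

# Hypothetical starter list of pressure phrases, not an exhaustive signature.
URGENCY_CUES = ("urgent", "today", "immediately", "final notice", "before close of business")

def _norm(iban: str) -> str:
    return iban.replace(" ", "").upper()

def assess(req: PaymentRequest, master: Dict[str, VendorRecord]) -> List[str]:
    """Findings that must be cleared before payment; empty list means no mismatch.
    in_existing_thread is deliberately ignored: a reply inside a real conversation earns no extra trust."""
    vendor = master.get(req.vendor_name.lower())
    if vendor is None:
        return ["vendor not in master data"]
    findings = []
    if _norm(req.iban) != _norm(vendor.iban):
        findings.append("receiving account differs from vendor master")
    cues = [c for c in URGENCY_CUES if c in req.body.lower()]
    if cues:
        findings.append("urgency cues: " + ", ".join(cues))
    if req.phone_in_email and req.phone_in_email != vendor.callback_phone:
        findings.append("callback number in email differs from vendor master")
    return findings

def callback_number(req: PaymentRequest, master: Dict[str, VendorRecord]) -> Optional[str]:
    """Number to verify with: always the vendor master value, never one supplied in the email."""
    vendor = master.get(req.vendor_name.lower())
    return vendor.callback_phone if vendor else None

# Constructed sample: a fraudulent invoice injected into an existing thread.
MASTER = {"acme supplies": VendorRecord("Acme Supplies", "DE89 3704 0044 0532 0130 00", "+49-30-0000-0001")}
SAMPLE = PaymentRequest("Acme Supplies", "GB29NWBK60161331926819",
                        "Please settle invoice INV-1042 today; new bank details attached. Call me on +44-20-0000-0002.",
                        in_existing_thread=True, phone_in_email="+44-20-0000-0002")

if __name__ == "__main__":
    for f in assess(SAMPLE, MASTER):
        print("HOLD:", f)
    print("verify via", callback_number(SAMPLE, MASTER))
```

Any non-empty finding list holds the payment until finance confirms with the vendor on the master-data number; the email's own phone number and its position in the thread play no part in that decision.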
## AI-Powered BEC Attacks
Underground discussions reveal a growing adoption of AI to enhance the efficacy and scalability of BEC campaigns.
In a post by **blackhatpakistan**, the threat actor detailed using AI to generate highly realistic business correspondence, mimic executive and employee writing styles, and craft context-aware payment requests or invoice fraud emails that seamlessly blend into legitimate communications.
Rather than relying on generic templates, AI enables the creation of thousands of unique email variations, making these campaigns significantly harder for traditional content-based detection systems to identify.
Dedicated underground tools are also being promoted for generating entire email conversation chains, allowing attackers to hijack existing business discussions and inject fraudulent payment requests with a higher degree of authenticity.
