The Con Doesn't Look Like a Con Anymore

Forget the Nigerian prince. Forget the broken English and the lottery prize.

Business Email Compromise — BEC — is the fraud scheme that's quietly draining company bank accounts right now. No malware. No suspicious links. Just an email that looks exactly like one your CFO, your vendor, or your accountant would send.

And AI just made it nearly impossible to detect.

The Numbers Are Ugly

The FBI reported more than $20 billion in total internet crime losses in 2025, according to The Epoch Times via ZeroHedge. BEC ranked as the second-largest attack method. In 2023 alone, BEC caused over $2.7 billion in reported losses, according to Abnormal AI's analysis of the FBI's Internet Crime Report. The 2024 numbers, not yet fully released, are expected to be worse.

Small businesses are the primary targets. They have money to steal and rarely have dedicated cybersecurity staff watching for this.

How the Attack Works

A criminal impersonates someone you already trust — your CEO, your longest-standing vendor, your HR department. They request a wire transfer. They send a fake invoice. They ask you to update banking details for a supplier.

The money moves. Then it's gone.

Wire transfers are rarely reversible once they leave the domestic banking system, according to Epoch Times reporting. By the time anyone flags the fraud, the window to recover anything has already closed.

According to Byezzy Tech, one of the fastest-growing tactics is conversation hijacking: an attacker gains access to a real email thread, studies the actual back-and-forth, then inserts a fraudulent message mid-conversation. To the employee reading it, it looks completely real — because it IS embedded in a real conversation.

AI Turned a Hard Problem Into an Impossible One

For years, the standard advice was simple: watch for bad grammar, awkward phrasing, mismatched sender names. That worked because most BEC attackers were operating overseas with limited English skills.

That advice is now worthless.

According to VIPRE Security Group's Q2 2024 Email Threat Trends Report, 40% of BEC emails are now AI-generated. Nearly half of all detected spam emails are BEC attempts. VIPRE's Chief Product and Technology Officer Usman Choudhary stated directly that entities without advanced detection measures face "double the risk compared to 12 months ago."

AI tools used by criminals can now scrape LinkedIn profiles, public business filings, and company websites to map your internal structure and vendor relationships, according to Epoch Times reporting. They can clone the writing style of a specific executive. They can reference real invoice numbers, real project names, and real business history.

The result is an email that reads exactly like something your CFO wrote on a Tuesday afternoon.

Abnormal AI's survey found that 91% of security professionals reported experiencing AI-enabled cyberattacks in the previous six months. That's the whole industry dealing with this.

Visa's Assessment

Visa's Spring 2026 Biannual Threats Report, cited by ZDNET, calls AI-accelerated scams "the fastest growing source of consumer harm." Visa notes that fraud is shifting away from credential theft toward social engineering — meaning criminals are targeting human judgment instead of software vulnerabilities.

If you authorize the transaction — even under false pretenses — you bear the financial cost. The bank often won't cover it. Insurance may not either. The responsibility lands on the person who clicked send.

What Mainstream Coverage Is Getting Wrong

Most tech media frames this as a cybersecurity story for large enterprises. It isn't. Small businesses — without IT departments, without dedicated security budgets, without time to verify every email — are the primary victims.

Coverage also tends to focus on the technical sophistication of the attacks without stating the uncomfortable truth plainly: the old verification habits are dead. Reading carefully doesn't work anymore. Checking for typos doesn't work anymore. If you haven't changed your internal payment verification process, you are exposed right now.

The press also underplays the AI-on-defense side. Platforms like Abnormal AI are deploying machine learning that maps normal communication patterns — who emails whom, what tone they use, what time of day — and flags anomalies in real time. Rule-based filters, the kind most small businesses use, were never built for this.

Five Free Things You Can Do Today

The Epoch Times piece, sourced by ZeroHedge, outlines five cost-free verification steps. The core principle: never change banking details or authorize a wire transfer based on email alone. Always call the person directly — using a phone number you already have on file, NOT one provided in the email.

Verify. Pick up the phone. Every single time.

Bottom Line

Criminals are using AI to commit fraud at industrial scale. The FBI has the loss numbers. Visa is sounding the alarm. Security firms are watching 40% of BEC emails roll in pre-written by machine.

Your employees can't read their way out of this. Your spam filter can't catch it. Once that wire transfer goes through, you're not getting the money back.