Guide · AI & Payment Fraud

AI-Enhanced Business Email Compromise: How BEC 2.0 Works and How to Spot It (2026)

July 2026 AP Clerks Office Managers Small Business 10 min read

If you've been told to look for typos and bad grammar in suspicious emails — that advice is no longer reliable. AI voice cloning, deepfake video calls, and AI-generated phishing emails have removed the most reliable detection signals that fraud awareness training has relied on for years. The grammatical errors are gone. The awkward phrasing is gone. In some cases, the phone call you made to verify is now part of the attack. This guide explains what changed, what BEC 2.0 looks like in practice, and which defenses still work when AI has made content-based detection obsolete.

Before AI After AI
Poor grammar was a warning sign Grammar is often flawless and mirrors the real person's style
Generic, impersonal messages Hyper-personalized, references real projects and relationships
Obvious phishing attempts Convincing, contextually accurate business requests
"Call to verify" defeated the attack Voice cloning can make the callback sound like the real person
Video call = safe verification Real-time deepfakes can impersonate executives on live video
Defense: spot bad writing Defense: verify payment requests through independent processes
40%
of BEC attacks now use AI-generated voice, video, or text — up from under 5% in 2023 Source: Digital Applied, 2026
$4.1M
average loss per AI-augmented BEC incident vs $1.3M for traditional phishing Source: Digital Applied, 2026
$20
cost to clone a voice from 3 seconds of audio on dark web markets in 2026 Source: Digital Applied, 2026

What Changed: Traditional BEC vs BEC 2.0

Traditional BEC relied on email tricks — lookalike domains, spoofed display names, social engineering language. Those are still used, but the addition of AI tools has fundamentally changed the attack surface in three ways.

How BEC evolved
📧
Traditional BEC
Lookalike domains, spoofed emails, generic social engineering
🤖
Generative AI adopted by attackers
AI writes perfect emails, researches targets, automates personalization
🎙️
Voice cloning & deepfakes
CEO voice cloned from 3 seconds of audio, real-time video deepfakes
⚠️
Content-based detection fails
Grammar checks, tone analysis, and "call to verify" no longer reliable
Process-based verification required
Code words, independent callbacks, routing number checks, dual auth
✉️
AI-generated phishing text

AI tools generate grammatically perfect, contextually accurate emails tailored to a specific recipient's communication style. The old advice — "look for typos and awkward phrasing" — no longer applies. IBM's 2025 data showed 16% of breaches involved AI-generated phishing content, a figure rising sharply in 2026.

🎙️
Voice cloning

Dark web tools can clone a voice from 3 seconds of audio for under $20. Recordings are available from earnings calls, YouTube, LinkedIn, voicemail greetings. A fraudster can now make a phone call that sounds exactly like your CEO — defeating the most common verification step.

📹
Deepfake video calls

Real-time video deepfakes can replace a caller's appearance with a target's face during a live video call. In 2024, a finance employee wired $25 million after a video conference where every other participant was an AI deepfake of real company executives. The employee had no reason to doubt the call.

🤖
Automated reconnaissance

AI tools can scrape LinkedIn, company websites, public filings, and social media to build detailed profiles of an organization's payment workflows, vendor relationships, and employee roles — before the first fraudulent message is sent. The research that used to take days now takes minutes.

💬
Multi-channel attacks

BEC 2.0 attacks coordinate across channels — an email arrives, followed by a WhatsApp message, then a voice call, then a callback from a cloned number. Each channel reinforces the others. The cumulative effect is a level of apparent legitimacy that single-channel attacks can't achieve.

🔄
Real-time conversation hijacking

With access to a compromised mailbox, AI tools generate contextually accurate responses within ongoing threads — continuing an existing conversation in the victim's writing style. The attacker never has to guess what to say; the AI produces it from the existing thread context.

Why the Old Detection Advice No Longer Works

Most fraud awareness training teaches employees to spot these signals in suspicious emails. In 2026, AI has neutralized most of them:

Old detection signal Why it no longer works What still works
Typos and grammatical errors AI generates perfect grammar and mirrors the target's writing style Verify the request by a separate channel — the writing quality tells you nothing
Generic, impersonal tone AI reconnaissance produces highly personalized messages referencing real projects, relationships, and context Process controls — dual auth, banking change policies — not content detection
Calling to verify Voice cloning can make the callback sound like the real person if the number is attacker-controlled Call a number from your own records — never a number provided in the request
Video call verification Real-time deepfake video can replace a caller's appearance during a live call Pre-agreed code words that AI cannot know regardless of how convincing the voice or video is
Suspicious links or attachments BEC 2.0 often contains no links or attachments — it's purely social engineering toward a payment action Treat any payment request with urgency or secrecy as high-risk regardless of content
Unfamiliar sender Compromised real accounts send from legitimate addresses; VEC attacks use real vendor email accounts Check routing numbers and banking details against your records regardless of who the email appears to be from
🔍 Fraud Analyst Perspective

The most dangerous shift isn't any single AI tool — it's the combination. A fraudster who sends a well-written email, follows up with a voice-cloned phone call, and then joins a video call using a deepfake of your CFO has eliminated the three most common verification steps simultaneously. The only defenses that survive this are ones that don't rely on recognizing the attacker's content or identity — they rely on processes the attacker cannot know or replicate.

6 AI-Enhanced BEC Attack Patterns

These are the specific ways AI is being used in BEC attacks targeting small businesses in 2026. Each builds on a traditional BEC pattern but adds an AI layer that defeats the usual defense.

1
AI-written CEO fraud email + voice-clone callback
Critical

An AI-generated email impersonating your CEO requests an urgent wire transfer. When the recipient tries to verify by calling, the callback goes to an attacker-controlled number answered with a cloned voice that sounds exactly like the CEO. The standard verification step — "call to confirm" — becomes part of the attack.

What's new vs traditional BEC
Traditional: Email with slight domain difference, generic wording. Defense: call to verify.
AI-enhanced: Perfect email from lookalike domain, cloned voice on callback. Defense: "call to verify" no longer sufficient.
Defense → Establish a verbal code word with your CEO and all executives — a pre-agreed phrase they must say before any payment request is acted on. AI can clone the voice but cannot know the code word. Use it every time, no exceptions.
2
Deepfake video conference payment request
Critical

An employee receives a calendar invite for an urgent video call. On the call, what appears to be the CFO and other executives instructs them to process an immediate wire transfer. Every other participant on the call is a real-time deepfake. This is the attack that cost a multinational company $25 million in 2024.

Red flags even in a deepfake call
Unusual meeting setup without prior communication · Request made entirely on the call with no email trail · Payment details delivered verbally only · Request to act before the call ends
Defense → No payment authorization should happen on a video call alone. Any wire request from a video call must go through the same out-of-band verification process as an email request — regardless of how convincing the participants look. Policy beats deepfakes.
3
Hyper-personalized vendor impersonation
Critical

AI reconnaissance scrapes your company's LinkedIn, website, news mentions, and public filings to identify your vendors, key contacts, and payment workflows. The resulting email impersonates a real vendor with accurate details — referencing real projects, real contact names, and the correct payment history — with only the banking details changed.

What makes this harder to catch
The email references a real invoice from three months ago · It correctly names the person who originally approved that vendor · The wording matches the real vendor's communication style
The routing number is different from your vendor file
Defense → Compare routing and account numbers against your vendor file on every invoice, regardless of how accurate the other details are. AI can research your vendor relationships; it cannot change what routing number is already in your records.
4
AI-generated thread hijacking
High

An attacker gains access to a real employee's email account. Rather than sending new messages, AI tools analyze the existing email thread context and generate responses that continue the conversation naturally — inserting a fraudulent payment request mid-thread in a way that reads as a seamless continuation of a real discussion.

Why this is hard to catch
The message comes from a real email account · It references real prior conversation content accurately · The writing style matches the real person's previous messages in the thread
Defense → Any payment request that arrives mid-thread — even from a known internal account — requires out-of-band verification if the request is sudden or out of character. Especially watch for requests that appear in threads not previously related to payments.
5
Multi-channel reinforcement attack
High

The attack arrives across multiple channels simultaneously — an email, followed by a WhatsApp message from what appears to be the same person, then a voice call, then a follow-up text. Each channel independently appears legitimate and collectively they reinforce each other's credibility. The target's instinct that "this must be real because it's coming from everywhere" is the exploit.

The sequence
Email → WhatsApp from "same person" → Voice call → Follow-up text asking if you got the email
Defense → Multiple simultaneous channel contacts around the same unusual request is itself a red flag — not a legitimacy signal. Legitimate urgent business requests don't typically arrive across four channels at once. Slow down specifically because of the volume of contact.
6
Payroll diversion via AI-generated HR email
High

AI generates an email impersonating an employee requesting a direct deposit change — written in the employee's communication style, referencing plausible personal circumstances (new bank account, refinancing, switching banks) with accurate personal details drawn from LinkedIn and public records. The request is indistinguishable from a legitimate update.

What makes AI versions harder to catch
The email uses the employee's actual writing style · It references their correct job title, department, and manager's name · The reason given is specific and plausible, not generic
Defense → All direct deposit changes require in-person or video verification where you initiate the call — not email alone, regardless of how accurate or well-written the request is. The quality of the email tells you nothing about its legitimacy in 2026.
Received a suspicious payment request? Check the sender domain, routing number, and email text through PaySentinel before acting.
Check it now →

What Still Works: Process-Based Defenses

When content-based detection fails — and against AI-enhanced BEC, it largely does — the defenses that remain are process-based. These work because they don't depend on recognizing fraudulent content; they depend on procedures the attacker cannot replicate or know in advance.

The one defense AI cannot beat

A pre-agreed code word, delivered in a call you initiate to a known number.

AI can clone a voice, generate a deepfake video, write a perfect email, and research your vendor relationships. It cannot know a secret established between you and your CEO in person last Tuesday. This is the one verification step that remains AI-proof — which is exactly why it should be your highest-priority control to implement.

🔍 Fraud Analyst Perspective

In fraud investigations, the cases involving AI-enhanced BEC share a consistent pattern: the victim did everything right by the old rules. They checked the email, it looked legitimate. They called back — and heard the right voice. They joined a video call — and saw the right face. The failure wasn't human error in the traditional sense. It was that the rules changed and nobody told them. The shift from content-based to process-based verification isn't just good advice — it's the only thing that actually works now. A code word costs nothing to implement and defeats voice cloning entirely. That's an asymmetric defense worth having.

Documented AI-Enhanced BEC Cases

These are publicly reported incidents involving AI tools in BEC and payment fraud attacks.

$25M
Loss
Multinational company — Deepfake video conference (2024)
A finance employee received an invitation to a video conference call. Every other participant on the call — including the CFO and other executives — was a real-time AI deepfake of actual company personnel. The employee was convinced the meeting was legitimate and wired $25 million to attacker-controlled accounts. This case, widely reported in early 2024, was the first major documented use of real-time deepfake video in a corporate fraud attack. The company was based in Hong Kong; the fraud was reported to Hong Kong police.
$243K
Loss
UK energy firm — AI voice clone of CEO (2019, first documented case)
A CEO at a UK energy company received a phone call from what he believed was the parent company's CEO in Germany, instructing him to wire €220,000 to a Hungarian supplier within the hour. The voice was described as having a slight German accent and matched the executive's speaking patterns. The transfer was made. The funds were forwarded twice before disappearing. This was the first widely documented use of AI voice cloning in a business fraud attack — reported by the Wall Street Journal in 2019. The technology has become dramatically cheaper and more accessible since then.
Scale
Trend
Dark web voice cloning tools — commoditization in 2026
By early 2026, dark web markets offered voice cloning tools capable of generating a convincing voice replica from 3 seconds of audio for under $20. The barrier that previously made voice cloning attacks rare — the need for sophisticated technology and significant audio samples — has collapsed entirely. AFP's 2026 survey identified AI-enabled fraud and deepfake technologies as a distinct and growing area of concern for finance and treasury teams.

Frequently Asked Questions

What is AI-enhanced business email compromise?

AI-enhanced BEC uses artificial intelligence tools — voice cloning, deepfake video, and AI-generated text — to make fraud attempts more convincing than traditional email spoofing. Instead of relying on a slightly-off email domain, attackers can now clone a CEO's voice from a few seconds of audio, generate a real-time deepfake video call, or produce phishing emails with perfect grammar tailored to a specific recipient's communication style.

Can AI write convincing phishing emails?

Yes — and this is one of the most significant shifts in the BEC threat landscape. Modern AI tools can generate phishing emails with perfect grammar, natural tone, and accurate personal details drawn from LinkedIn, company websites, and public filings. The result reads indistinguishably from a legitimate business email.

IBM's 2025 security research found that AI-generated phishing content appeared in 16% of reported breaches — a figure that has continued rising through 2026. The implication is that grammar and writing quality are no longer reliable fraud indicators. IBM X-Force Threat Intelligence

Can AI imitate my CEO's writing style?

Yes. AI tools can analyze a person's writing style from emails, LinkedIn posts, press releases, and public statements, then generate new messages that closely mirror their tone, vocabulary, and communication patterns. Combined with a compromised or spoofed email account, this makes impersonation emails significantly harder to identify as fraudulent.

This is why the standard advice — "you'll know it's fake because it doesn't sound like them" — can no longer be relied upon as a primary defense.

Is grammar still a useful warning sign?

No longer reliably. Before AI-generated phishing became widespread, poor grammar and awkward phrasing were among the most consistent signals of a fraudulent email. AI tools have largely eliminated this signal — the emails are grammatically perfect and contextually accurate.

CISA's guidance on BEC specifically notes that sophisticated attacks no longer rely on obvious linguistic errors and recommends shifting focus to verification processes rather than content analysis. CISA BEC guidance →

How do businesses defend against AI-assisted BEC?

The defenses that work are process-based, not content-based. Establish a verbal code word with executives that must be provided before any payment authorization — AI can clone a voice but cannot know a pre-agreed secret. Require all payment changes to go through a documented out-of-band verification process using a number from your existing records. Dual authorization above a payment threshold means one compromised verification point cannot authorize a large payment alone.

The FBI IC3 2024 annual report specifically highlights process controls — dual authorization, callback verification using independently sourced numbers, and payment verification workflows — as the most effective defenses against BEC at all levels of AI sophistication. FBI IC3 Annual Report →

From the guide to the tool

AI has made the content of fraudulent emails unreliable as a detection signal. What PaySentinel checks — routing numbers against your vendor history, domain typosquatting, BEC language patterns, structuring amounts — are signals that remain useful even when the email itself reads perfectly. It's a structured second opinion before money leaves your business, on the things AI can't fake.

Check a suspicious payment request

Paste in the vendor, routing number, or email — PaySentinel checks for the signals AI can't remove and returns a risk score in under a minute. Free to start.

Run a free analysis →