
Quiet, Clever, and Costly: The Rise of Business Email Compromise

Negin Karimi

24.06.25


How AI-driven attacks are quietly bypassing traditional defences, and what your business can do to stop them

Phishing in 2025 Isn’t Obvious Anymore

Gone are the days of badly written emails from distant princes asking for bank details. Today’s phishing is smart, subtle, and often completely invisible, at least until the money is gone.

Welcome to Business Email Compromise (BEC), where cybercriminals don’t break in with brute force; they walk in through the front door by impersonating your boss, your suppliers, or your finance team.

These emails look legitimate. The names check out. There’s no dodgy link. No spelling errors. Just a quiet request to “update bank details” or approve an invoice, and if it works, thousands (or more) can disappear instantly.

A Real UK Case: AI-Powered Impersonation

In early 2025, a Financial Times investigation uncovered a rise in AI-generated phishing emails targeting UK executives and staff. One London-based firm fell victim after a threat actor injected an AI-crafted message into a genuine thread between a client and their accounting team.

The message contained:

  • No suspicious links
  • No obvious errors
  • A believable change to invoice payment details
  • A signature, tone, and context that matched the original sender

The result? A quiet, unnoticed payment to a fraudulent account, costing the business tens of thousands of pounds.

Beazley’s CISO Kirsty Kelly told the FT:

“This is getting worse and it’s getting very personal… We’re seeing very targeted attacks that have scraped an immense amount of information about a person.”

How BEC Works in 2025

Attackers no longer spam thousands of people at once. They:

  • Use AI to write natural-sounding, well-timed messages
  • Mimic your company’s communication style and hierarchy
  • Hide inside legitimate email threads
  • Target finance teams, executives, and project managers
  • Avoid links or attachments to bypass filters

Once they’re in, whether through a stolen token, a compromised account, or a spoofed domain, they don’t act immediately. They wait, watch, and strike when your guard is down.

What Makes BEC So Dangerous?

  • It exploits trust, not systems
  • There are no ‘obvious’ red flags
  • It leads directly to financial loss
  • It targets your people

How to Spot and Prevent Business Email Compromise

  • Pause and scrutinise: If something feels urgent or off, take a moment. Most successful BEC attacks rely on someone feeling rushed or pressured.
  • Verify outside of email: If someone asks to change payment details, pick up the phone and verify using a known number — not one provided in the email.
  • Look carefully at domains: Attackers often spoof domains using small variations. For example, @firm.co.uk becomes @flrm.co.uk.
  • Don’t delete suspicious emails: Forward them to your IT team, who can investigate, ensure that no damage has been done, and make sure it doesn’t happen to someone else.

How Everything Tech Protects You from BEC

As a managed service provider trusted by hundreds of UK businesses, we help you stay a step ahead with:

  • Advanced Email Threat Protection: We provide AI-powered solutions that scan for behavioural anomalies, not just bad links, to catch subtle impersonation attempts.
  • Ongoing Phishing Simulations: We help you run tailored training campaigns to help your staff recognise the latest tactics and learn to verify, not just trust.
  • Email Domain Hardening (SPF, DKIM, DMARC): We can help you to configure and manage the technical standards that protect your domain from being spoofed, and help your emails land in the right inbox.
  • Policy and Process Reviews: We help you implement simple, practical safeguards, like role-based access, to make social engineering much harder.
  • Fast Incident Response: If something suspicious happens, we’re there. From investigation to recovery, our team acts quickly to limit damage and prevent recurrence.

Final Thoughts

Business Email Compromise is growing because it works. It doesn’t need malware or brute force, just one person to trust the wrong message at the wrong time. In a world where emails can be written by AI and impersonate anyone, trust must be earned, not assumed.

At Everything Tech, we’re here to help you build that digital resilience, with smart tools, simple policies, and human-friendly training that keeps your team alert and your data safe.

Need a phishing simulation, email security review, or expert advice?
Email us at [email protected] or speak to your account manager.
