Business Email Compromise caused $2.9 billion in losses in 2024. AI now generates phishing emails with perfect grammar, accurate company context, and a tone that matches the person it is impersonating. The old advice about checking for spelling mistakes stopped being useful the moment these tools became widely available.
What changed
Old phishing was easy to spot. The email address looked wrong. The grammar was bad. The request was vague. Training employees to check those signals worked reasonably well.
Modern phishing is different in three ways:
Perfect language. AI generates fluent, contextually appropriate email in any language. An employee receiving an email from "the CEO" asking for an urgent wire transfer has no language-based cue that it is fake. The text is indistinguishable from something a real person wrote.
Targeted context. Attackers scrape LinkedIn, company websites, press releases, and social media to understand who works where, their reporting relationships, and what projects are active. A phishing email that references your actual current project, your real manager's name, and the correct internal terminology is far more convincing than a generic request.
Deepfake audio and video. BEC attacks now include phone calls and voice messages from AI-generated audio that sounds like your CEO. Some attacks use real-time audio deepfakes in live calls. The employee hears a voice they recognize asking them to transfer money or share credentials. This is not theoretical: documented cases exist where companies transferred money after a deepfake call from someone impersonating the CFO.
The most dangerous attack patterns
CEO fraud / BEC: An email from the CEO's lookalike domain (your-company-name.co instead of your-company-name.com) asks for an urgent wire transfer. The request bypasses normal approval processes because of the perceived authority.
Invoice fraud: An attacker compromises a vendor's email account, waits, and at the moment an invoice is due, sends a modified version with a changed bank account number. The email comes from a legitimate domain. The context is real. The only difference is the account number.
IT support impersonation: An email from "IT support" asks you to click a link to reset your credentials or install an update. The link looks legitimate. The domain uses a lookalike URL.
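The lookalike-domain tricks in the patterns above (a swapped TLD, confusable characters, a trusted name buried inside another domain) are mechanical enough to check automatically on inbound mail. The following Python is an added example, not code from the original post: the trusted domain, the sample sender domains, the confusable list and the helper names are all constructed, and it uses a naive two-label split instead of a public-suffix list.

```python
"""Lookalike sender-domain check (added example; constructed data, not the post's code)."""
from __future__ import annotations
from dataclasses import dataclass

# Character sequences that render almost identically in common fonts. Constructed,
# deliberately short list; extend it for your own environment.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


@dataclass
class Verdict:
    level: str    # "trusted", "lookalike" or "unrelated"
    reason: str


def normalize(label: str) -> str:
    """Fold confusable sequences so 'cornpany' and 'company' compare equal."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single typos such as a dropped hyphen."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> tuple[str, str]:
    """Naive (name, tld) split. Assumption: no public-suffix list, so 'x.co.uk'
    splits as ('co', 'uk'); use a PSL library for production use."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def classify_sender(sender_domain: str, trusted_domains: set[str]) -> Verdict:
    sender = sender_domain.lower().strip(".")
    trusted = [t.lower().strip(".") for t in trusted_domains]
    # Exact match or genuine subdomain: nothing to flag here (DMARC covers spoofing).
    for t in trusted:
        if sender == t or sender.endswith("." + t):
            return Verdict("trusted", f"exact match or subdomain of {t}")
    s_name, s_tld = registrable(sender)
    for t in trusted:
        t_name, t_tld = registrable(t)
        if s_name == t_name and s_tld != t_tld:
            return Verdict("lookalike", f"same name as {t} under a different TLD (.{s_tld})")
        if normalize(s_name) == normalize(t_name):
            return Verdict("lookalike", f"confusable characters versus {t}")
        if edit_distance(s_name, t_name) <= 1:
            return Verdict("lookalike", f"one edit away from {t}")
        if t in sender:
            # e.g. your-company-name.com.evil.test: trusted name buried in another domain
            return Verdict("lookalike", f"contains {t} inside an unrelated registrable domain")
    return Verdict("unrelated", "no trusted domain resembles this sender")


def main() -> None:
    trusted = {"your-company-name.com"}
    samples = [  # constructed From: domains
        "your-company-name.com", "mail.your-company-name.com", "your-company-name.co",
        "your-cornpany-name.com", "yourcompany-name.com",
        "your-company-name.com.evil.test", "partner-vendor.test",
    ]
    for s in samples:
        v = classify_sender(s, trusted)
        print(f"{s:35} {v.level:10} {v.reason}")


if __name__ == "__main__":
    main()
```

Run it against the domain in the From: header of inbound mail. A "lookalike" verdict is a reason to route the message into the phone verification process, not proof of fraud on its own; a "trusted" verdict only means the domain is yours, which is exactly the case DMARC (below) exists to protect.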
What to actually do
Since you cannot train employees to spot AI-generated email by content alone, the defenses need to be process-based and technical, not detection-based.
Process: Verify wire transfers by phone
Any request to transfer money, change a bank account number, or approve a payment above a certain threshold must be verbally confirmed using a phone number you already have on file, not one provided in the email. This single policy stops CEO fraud and invoice fraud. No email verification, no Slack message verification: a phone call to a known number.
Technical: Set up DMARC, DKIM, and SPF
These email authentication protocols tell receiving mail servers whether an email claiming to come from your domain actually originated from your authorized servers. DMARC enforcement (p=reject) means receiving servers that honor DMARC will reject email that appears to come from your domain but fails these checks, so an attacker cannot send mail that passes as yours.
Check your current status at mxtoolbox.com/dmarc.aspx. If you do not have DMARC set to p=reject, anyone can send email that appears to come from your domain. Your clients can be targeted with invoices that look like they are from you.
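The same assessment the mxtoolbox page performs can be reproduced offline once you have the TXT records (from dig or a DNS library). The following Python is an added example, not code from the original post or from MXToolbox: the DNS data is constructed for fictitious .test domains, and the finding texts and function names are my own. It flags what a practitioner looks for in SPF and DMARC: missing records, p=none or p=quarantine, pct below 100, no rua reporting address, a subdomain policy weaker than the main one, SPF ending in +all, ?all or ~all, and more than ten DNS-querying SPF terms. DKIM is left out because its record lives under a per-sender selector you have to know in advance. Note also that DMARC only protects your exact domain and its subdomains; it does nothing against the lookalike domains in the CEO fraud pattern above, which need a separate check.

```python
"""Offline SPF/DMARC record assessment (added example; constructed records, not the post's code)."""
from __future__ import annotations
import re

# RFC 7208: at most 10 DNS-querying terms per SPF evaluation.
LOOKUP_TERM = re.compile(r"^(include:|exists:|redirect=|(a|mx|ptr)(?:[:/]|$))", re.I)
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)


def parse_tags(record: str) -> dict[str, str]:
    """Turn a 'k=v; k2=v2' DMARC-style tag list into a dict (keys lower-cased)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(records: list[str]) -> list[str]:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; receivers cannot tell which hosts may send for this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record; RFC 7208 treats this as a permanent error")
    terms = spf[0].split()[1:]
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lstrip("+-~?")))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms; the limit is 10, so evaluation fails")
    all_term = next((t for t in terms if ALL_TERM.match(t)), None)
    if all_term is None:
        findings.append("SPF: no 'all' term; unlisted senders get a neutral result")
    elif all_term.lstrip("+").lower() == "all":
        findings.append("SPF: '+all' authorises every host on the internet to send as this domain")
    elif all_term.startswith("?"):
        findings.append("SPF: '?all' is neutral; unlisted senders are not failed")
    elif all_term.startswith("~"):
        findings.append("SPF: '~all' is softfail; it relies on DMARC to act on failures")
    return findings


def dmarc_findings(records: list[str]) -> list[str]:
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record at _dmarc.<domain>; spoofed mail from the exact domain is not rejected"]
    if len(dmarc) > 1:
        return ["DMARC: more than one record; receivers ignore the policy entirely"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag; the record is ignored")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to spam instead of rejecting it")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if policy == "reject" and tags.get("sp", "reject").lower() != "reject":
        findings.append(f"DMARC: sp={tags['sp']} leaves subdomains weaker than the main domain")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


def dmarc_enforcing(records: list[str]) -> bool:
    """True only for a single v=DMARC1 record with p=reject applied to 100% of mail."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return False
    tags = parse_tags(dmarc[0])
    return tags.get("p", "").lower() == "reject" and tags.get("pct", "100") == "100"


def assess(domain: str, txt: dict[str, list[str]]) -> dict[str, object]:
    """txt maps DNS names to their TXT records (constructed here; from dig/dnspython in practice)."""
    spf_records = txt.get(domain, [])
    dmarc_records = txt.get(f"_dmarc.{domain}", [])
    return {
        "domain": domain,
        "dmarc_enforcing": dmarc_enforcing(dmarc_records),
        "findings": spf_findings(spf_records) + dmarc_findings(dmarc_records),
    }


# Constructed DNS data for fictitious domains (.test is reserved for examples).
CONSTRUCTED_DNS = {
    "good.test": ["v=spf1 include:_spf.mailprovider.test mx -all"],
    "_dmarc.good.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.test; adkim=s; aspf=s"],
    "weak.test": ["v=spf1 a mx include:_spf.mailprovider.test ~all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; pct=50"],
}

if __name__ == "__main__":
    for d in ("good.test", "weak.test", "missing.test"):
        r = assess(d, CONSTRUCTED_DNS)
        print(d, "enforcing" if r["dmarc_enforcing"] else "NOT enforcing")
        for f in r["findings"]:
            print("  -", f)
```

The "good.test" entry is what a finished setup looks like: SPF ending in -all, a single DMARC record at p=reject with a rua address, and strict alignment (adkim=s, aspf=s). Treat a domain as done only when the enforcing check is true and the findings list is empty.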
Technical: Multi-factor authentication on email
The most common way invoice fraud works is through a compromised vendor email account. The attacker gets into the vendor's email (often through a stolen password), watches for billing conversations, and injects a modified invoice.
MFA on your email account means a stolen password alone cannot compromise it. Use app-based TOTP (Google Authenticator, Authy) rather than SMS MFA. SIM swapping attacks can bypass SMS MFA.
Training: Real phishing examples, not policy documents
Employees cannot learn to spot phishing from a bullet-point list. Show them real examples, including modern AI-generated ones. Walk them through how to verify a suspicious request. Make the verification process simple enough that they will actually do it rather than bypass it to save time.
The most important message: if something feels off, verify it. A 5-minute verification call is always worth it. Nobody will be annoyed that you double-checked.
DMARC, DKIM, and SPF setup is something I do as part of security work. Most domains I check are missing at least one. The fix itself takes an hour or two.