The tell-tale sign of a phishing email used to be the grammar. Awkward phrasing, misaligned tone, a CFO who suddenly writes like a non-native speaker: these were the signals security awareness training taught employees to catch.
Those signals are gone.
Generative AI has closed the stylistic gap between a real executive’s writing and a synthetic impersonation. Today, 40% of business email compromise (BEC) phishing emails are AI-generated, producing personalized, contextually accurate messages that match the target executive’s known vocabulary, communication cadence, and organizational context. The click-through rate on AI-crafted lures is 450% higher than on traditional phishing emails. And the financial sector is the primary target.
For CISOs at banks, insurers, and fintech firms, this is not an incremental escalation of a known threat. It is a qualitative change in what BEC actually is.
What Is AI-Powered Business Email Compromise?
Business email compromise (BEC) is a class of fraud where attackers impersonate executives, vendors, or business partners to manipulate employees into transferring funds, divulging credentials, or executing unauthorized transactions. Traditional BEC relied on social engineering and domain spoofing. AI-powered BEC adds stylometric matching, voice cloning, real-time context harvesting from LinkedIn and corporate websites, and automated multi-channel targeting.
The FBI IC3 reported that BEC caused more than $2.7 billion in adjusted losses in 2024 and accounts for 73% of all reported cyber incidents.
How the AI-BEC Threat Has Evolved in 2026
Adversary-in-the-Middle (AiTM) Phishing
In January 2026, Microsoft documented a multi-stage AiTM phishing and BEC campaign targeting the energy sector via SharePoint. Rather than simply spoofing an email, the attacker positioned themselves between the victim and a legitimate Microsoft authentication flow, intercepting session tokens in real time.
Dual-Channel BEC Attacks
The dominant 2026 BEC pattern is the dual-channel attack: simultaneous multi-vector contact where the target receives a spoofed email from an “executive” and a concurrent phone call or SMS confirming the request. The second channel adds urgency and makes the request appear authentic, which significantly increases compliance rates.
Callback Phishing
Callback phishing, where a phishing email instructs the target to call a fraudulent number staffed by social engineers posing as IT or finance support, more than doubled in popularity in 2025 and continues accelerating into 2026.
What Happens When Financial Security Teams Don’t Address This
According to 2026 threat intelligence, 59% of financial services organizations hit by ransomware had their data successfully encrypted. The median ransom demand in financial services reached $3 million.
The Financial Sector’s Structural Vulnerability
| Attack Vector | Why the Financial Sector Is Exposed |
| --- | --- |
| Executive impersonation | Finance employees are trained to prioritize urgent requests from leadership |
| Vendor impersonation | High transaction volumes create normalcy for wire transfer requests |
| AiTM MFA bypass | Widespread MFA adoption has driven attackers to session hijacking rather than credential theft |
| AI style matching | Executives’ communication styles are well-documented through public statements and filings |
| Dual-channel attacks | Second communication channel creates a false authentication signal |
How Peris.ai Defends Financial Institutions Against AI-BEC
BrahmaFusion: Behavioral Analytics and Anomalous Communication Detection
BrahmaFusion, Peris.ai’s agentic AI and hyperautomation platform, applies behavioral analytics to communication patterns across email, endpoint, and identity systems. While content filtering can be defeated by stylistically accurate AI-generated text, behavioral analytics focuses on what is unusual about how and when a communication occurs: an executive sending a wire transfer request from an unusual IP, at an unusual hour, to a new payee, without the corresponding approval workflow.
A FeedLoop customer using BrahmaFusion’s automation reported a 70% reduction in response time for anomalous communication incidents.
INDRA CTI: Tracking BEC Campaigns Targeting Financial Institutions
INDRA CTI provides real-time intelligence on threat actor campaigns, including BEC operations targeting specific industries and geographies. When a threat actor group begins targeting the Indonesian banking sector with AiTM infrastructure, INDRA CTI surfaces the relevant indicators before the first targeted email reaches your inbox.
Use Case: Catching an AI-BEC Attack Before the Wire Transfers
A regional bank’s CFO receives what appears to be an email from the CEO requesting an urgent $4.2M wire transfer to a new overseas account for a confidential acquisition. The email matches the CEO’s known writing style precisely.
BrahmaFusion flags the transaction request before it reaches the wire desk:
- The email originated from an AiTM proxy domain registered 48 hours earlier (INDRA CTI IOC match)
- The CEO’s actual session shows no corresponding activity in the corporate email system around the email’s timestamp
- The payee account has no prior relationship in the organization’s transaction history
- The request bypassed the standard dual-approval workflow required for transfers above $1M
The BrahmaFusion playbook pauses the request, alerts the SOC and compliance team, and generates a case in Peris.ai IRP with full evidence chain. The attack is neutralized without reaching the wire desk.
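The four checks in this use case can be written as context-only tripwires that never inspect the email text. The sketch below is an added illustration, not Peris.ai or BrahmaFusion code: the `WireRequest` fields, the signal names, the 30-day domain-age and 15-minute session thresholds, and the sample data are all assumptions, and domain age stands in for the threat-intelligence IOC match.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DUAL_APPROVAL_LIMIT = 1_000_000          # from the use case: transfers above $1M
NEW_DOMAIN_AGE = timedelta(days=30)      # assumption: "recently registered" cutoff
SESSION_WINDOW = timedelta(minutes=15)   # assumption: "around the timestamp"

@dataclass
class WireRequest:
    sender: str                  # executive the email claims to be from
    domain_registered: datetime  # registration date of the sending domain
    sent_at: datetime
    payee_account: str
    amount: float
    approvers: tuple = ()        # people who signed off in the approval workflow

def tripwires(req, mail_sessions, known_payees):
    """Return the context signals this request trips, ignoring email content."""
    hits = []
    if req.sent_at - req.domain_registered < NEW_DOMAIN_AGE:
        hits.append("new_sender_domain")
    # Was the claimed sender active in corporate mail near the send time?
    seen = mail_sessions.get(req.sender, [])
    if not any(abs(t - req.sent_at) <= SESSION_WINDOW for t in seen):
        hits.append("no_matching_session")
    if req.payee_account not in known_payees:
        hits.append("new_payee")
    if req.amount > DUAL_APPROVAL_LIMIT and len(set(req.approvers)) < 2:
        hits.append("dual_approval_bypassed")
    return hits

def decide(hits):
    """Two or more signals pause the transfer; a single one goes to review."""
    return "pause" if len(hits) >= 2 else ("review" if hits else "allow")

# Constructed sample data mirroring the use case above.
NOW = datetime(2026, 3, 2, 22, 40)
KNOWN_PAYEES = {"ACCT-VENDOR-17"}
SUSPECT = WireRequest("ceo", NOW - timedelta(hours=48), NOW, "ACCT-NEW-001", 4_200_000)
ROUTINE = WireRequest("ceo", NOW - timedelta(days=3650), NOW, "ACCT-VENDOR-17",
                      250_000, ("cfo",))
CEO_IDLE = {"ceo": [NOW - timedelta(hours=9)]}      # last real activity hours earlier
CEO_ACTIVE = {"ceo": [NOW - timedelta(minutes=3)]}  # real session at send time

if __name__ == "__main__":
    for name, req, sessions in (("suspect", SUSPECT, CEO_IDLE),
                                ("routine", ROUTINE, CEO_ACTIVE)):
        hits = tripwires(req, sessions, KNOWN_PAYEES)
        print(name, decide(hits), hits)
```

Because every signal comes from infrastructure, session, payee, and workflow data, the result is the same however well the message imitates the executive's writing.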
Benefits at a Glance
| Benefit | Outcome |
| --- | --- |
| BrahmaFusion behavioral analytics | Detects AI-BEC even when content bypasses stylistic filters |
| Automated workflow tripwires | Wire transfer anomalies caught before human approval stage |
| INDRA CTI campaign tracking | Known BEC infrastructure blocked before first email lands |
| IRP evidence chain | Full forensic record for regulatory and legal response |
| 70% faster response (BrahmaFusion) | Rapid containment reduces exposure window for AiTM session hijacks |
The Authentication Stack Is No Longer Sufficient on Its Own
MFA was the correct response to credential theft. AiTM attacks are the response to MFA. The adversarial cycle does not stop at the authentication layer, and financial institutions that treat identity security as the final defense will be repeatedly outmaneuvered.
Behavioral analytics, real-time threat intelligence, and automated anomaly response are the layers that catch what authentication cannot. Peris.ai was built to operate at this level, with BrahmaFusion providing the intelligence-driven automation that financial security teams need to stay ahead of AI-powered fraud.
Visit peris.ai to see how Peris.ai’s agentic AI platform protects financial institutions from the next generation of BEC attacks.
Frequently Asked Questions
What is AI-powered BEC?
AI-powered business email compromise uses generative AI to create hyper-personalized, stylistically accurate executive impersonation emails, increasing click-through rates by up to 450% versus traditional phishing.
How does adversary-in-the-middle (AiTM) phishing bypass MFA?
AiTM phishing intercepts a user’s live authentication session, capturing the session token after the user completes genuine MFA. The attacker uses the captured token to authenticate as the user without ever needing the password or MFA code.
What are the signs of a dual-channel BEC attack?
An unsolicited request arriving simultaneously via email and phone or SMS, with urgency framing and a request that bypasses normal approval processes, is a strong indicator of a dual-channel BEC operation.
How much do BEC attacks cost financial organizations?
The FBI IC3 reported more than $2.7B in adjusted BEC losses in 2024. The median ransom demand in financial services reached $3 million in 2026.
How does behavioral analytics catch AI-generated BEC emails?
Behavioral analytics focuses on communication context, not content: unusual timing, new payees, bypassed workflows, mismatched session activity, and infrastructure anomalies that AI-generated text cannot replicate.
