Understanding Business Email Compromise and How It Drives Claims
Business Email Compromise drives billions in losses each year. Learn how BEC works, its impact on claims, and key defenses like out-of-band authentication.
Portions of this article were previously published in the Travelers' Cyber Threat Report
We’re now decades past when email scams became common knowledge. But even as other cybercrime tactics have come and gone, social engineering attacks remain one of the most common ways threat actors gain initial access to an organization’s systems. Once inside, threat actors can perform reconnaissance, exfiltrate (steal) data, deploy ransomware or do further social engineering to defraud the victim.
Social engineering has remained a common attack vector because it’s adaptable: threat actors can adjust their strategies to account for new defense technologies and changes in user awareness of their tactics.
Recently, we’ve seen threat actors moving beyond email inboxes and instead leveraging voice calls, QR codes, mobile messaging and collaboration platforms to bypass traditional defenses and exploit new environments. These alternate platforms will require new defense measures to be layered on top of existing practices around email.
In the past year, several documented cases have emerged of attackers utilizing collaboration software, such as common chat-based platforms that include voice or video calling, to help gain system access.
In the most recent edition of the Travelers Cyber Threat Report we describe a real-life example of how these campaigns can work. The situation began with the threat actor sending a flurry of spam emails to an individual to manufacture an IT “issue,” then posing as IT support staff and contacting the victim through chat messages and collaboration software. Using this tactic, the threat actor succeeded in convincing the victim to install a remote-access tool, which the threat actor then used to install malware and extend the intrusion.
In other campaigns threat actors have invited victims to spoofed meetings that mimic the look of common video conferencing software products. If the victim clicks through to join, the threat actor can gain unauthorized access to the victim’s computer or phone through a remote access trojan (RAT). Attackers have also used shared links or bots to insert malicious messages that resemble internal communications.
These examples illustrate how threat actors have expanded their social engineering "playbook" by adding multiple communication channels to attack a single target. It’s key to note that most of these tactics hinge on how a business’s settings are configured. The software can be set to allow calls or messages from outside the organization to reach employees, or that ability can be limited to varying degrees. The takeaway should not be that collaboration tools are uniquely dangerous, but rather that, being relatively new, not every organization may have thought through the setup and configuration of every tool, or trained employees sufficiently on the potential dangers of having those settings enabled.
Just as it took many years for email security best practices to spread to organizations of all shapes and sizes (something that’s still happening today), organizations should expect that their approach to integrating other forms of communication software will need to evolve in response to attack trends.
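The point above is that the exposure comes from tenant settings that admit outside contact, so an audit should compare those settings against a baseline rather than rely on the vendor defaults. The script below is an added example, not code from this article or from any collaboration-software vendor; the settings keys (`external_messaging`, `external_calls`, `guest_access`, `guest_requires_admin_approval`, `external_sender_banner`, `allowed_domains`) and the two sample exports are a hypothetical format constructed for illustration, and real products expose equivalent controls under their own names.

```python
"""Audit a collaboration platform's external-access settings against a baseline.

Added example, not code from the article or from any vendor. The settings
keys and values used here are a hypothetical export format constructed for
illustration."""
from dataclasses import dataclass


@dataclass
class Finding:
    setting: str      # which control is weaker than the baseline
    current: object   # value found in the export
    recommended: object
    severity: str     # "high" or "medium"


def audit_external_access(settings: dict, trusted_domains: set) -> list:
    """Return the settings that let outside parties reach employees more freely
    than the baseline allows. An empty list means the export matches the baseline."""
    findings = []

    # External chat set to "anyone" lets an unknown sender pose as IT support.
    ext_msg = settings.get("external_messaging", "anyone")
    if ext_msg == "anyone":
        findings.append(Finding("external_messaging", ext_msg, "allowlist", "high"))
    elif ext_msg == "allowlist":
        # The allowlist itself can drift; compare it with the vetted domain set.
        unexpected = set(settings.get("allowed_domains", [])) - trusted_domains
        if unexpected:
            findings.append(Finding("allowed_domains", sorted(unexpected),
                                    sorted(trusted_domains), "medium"))

    # External voice/video calls are the channel used for fake "IT support" calls.
    ext_calls = settings.get("external_calls", "anyone")
    if ext_calls == "anyone":
        findings.append(Finding("external_calls", ext_calls, "allowlist", "high"))

    # Guests invited into a tenant can post messages that look internal.
    if settings.get("guest_access", True) and not settings.get(
            "guest_requires_admin_approval", False):
        findings.append(Finding("guest_requires_admin_approval", False, True, "medium"))

    # A visible "external" label gives employees the cue that training builds on.
    if not settings.get("external_sender_banner", False):
        findings.append(Finding("external_sender_banner", False, True, "medium"))

    return findings


# Constructed sample exports: a permissive default and a tightened configuration.
PERMISSIVE_EXPORT = {
    "external_messaging": "anyone",
    "external_calls": "anyone",
    "guest_access": True,
    "external_sender_banner": False,
}
HARDENED_EXPORT = {
    "external_messaging": "allowlist",
    "allowed_domains": ["vendor-a.example", "law-firm.example"],
    "external_calls": "allowlist",
    "guest_access": True,
    "guest_requires_admin_approval": True,
    "external_sender_banner": True,
}
TRUSTED_DOMAINS = {"vendor-a.example", "law-firm.example"}

if __name__ == "__main__":
    for name, export in (("permissive", PERMISSIVE_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(name)
        for f in audit_external_access(export, TRUSTED_DOMAINS):
            print(f"  [{f.severity}] {f.setting}: {f.current!r} -> {f.recommended!r}")
```

Run against the permissive export the audit reports four findings (two high, two medium); the hardened export reports none. The allowlist check matters in practice because a domain added for a one-off project and never removed re-opens the external channel without any other setting changing.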
A complement to the use of collaboration software to perform phishing exploits is the use of voice calls on various platforms, be it a conventional phone call or app-based voice call. This “vishing” (voice phishing) tactic is rapidly evolving thanks to Artificial Intelligence (AI)-generated deepfake voices that are capable of real-time conversation. This technology breaks down barriers that threat actors previously faced in attempting to use voice calls as part of their scheme, namely being able to converse in the victim’s native language fluently and without any phrasing that might raise suspicion on the part of the victim.
In one of the most striking cases to date, an employee at an international engineering firm was duped into transferring over $25 million after participating in a video call with what appeared to be multiple company executives, including the CFO. The meeting was fabricated using deepfake avatars and voices. Similarly, last year executives from large, publicly traded companies were targeted through common messaging platforms using deepfaked voice notes—another sign that threat actors are blending generative AI with high-trust channels in their efforts to defraud companies.
Researchers have shown how easily scammers can now clone voices from short audio clips. In one demonstration, an AI-generated caller was able to access bank account information using personal information that would be easily obtained on dark web marketplaces.
For better or worse, this technology isn’t just evolving in a shadowy corner of the dark web. New tools that are widely and publicly available make it possible to synthesize realistic voice impersonations in seconds, and the volume of deepfake-enabled phishing continues to rise. In fact, SecurityWeek reported a 173% increase in the use of synthetic voices in phishing attacks between Q1 and Q4 2024. 
In February 2025, organizations began receiving physical letters claiming to be from the threat actor BianLian. These letters stated that a ransom payment was required to prevent the exposure of data that had supposedly been exfiltrated from the targeted organization. Upon investigation, none of the targeted organizations found any evidence of actual data theft or system breaches, which limited the impact of the letters – although the novelty of the attack style generated widespread interest. Recently physical mail has also been used to target individuals, with fake letters sent impersonating governmental agencies and packages supposedly coming from national retailers, in each case containing a malicious QR code.
These attacks may not represent a major new avenue for threat actors, but they underscore the extent to which any means of communication with an organization’s employees is now “in play” as a potential social engineering exploit. 
To respond to this new landscape, organizations should expand security awareness training beyond email. Companies should train their employees to recognize social engineering attempts across collaboration platforms, video calling software and even their own private text messages. IT teams should audit their settings and configurations for all communication software, especially those that allow external contact, and should implement a call-back verification process for sensitive requests.
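The call-back verification process mentioned above has one rule that decides whether it works: the verification call goes to contact details already on file, never to a number offered in the request itself, because a number supplied by the requester is under the attacker's control. The code below is an added example of that workflow, not code from this article or from Travelers; the directory entries, phone numbers, action names and the `place_call` hook are constructed sample data and assumptions for illustration.

```python
"""Call-back verification for sensitive requests, such as a vendor asking to
change its bank details or a "CFO" asking for a wire transfer.

Added example, not from the original article. All names, numbers and the
directory below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Contact details of record, captured at onboarding, outside any single request.
DIRECTORY_OF_RECORD: Dict[str, str] = {
    "acme supplies": "+1-555-0100",
    "jane doe (cfo)": "+1-555-0111",
}

# Actions that always require out-of-band confirmation before anyone acts.
SENSITIVE_ACTIONS = {"change_bank_details", "wire_transfer", "gift_card_purchase"}


@dataclass
class SensitiveRequest:
    requester: str                          # who the message claims to be from
    channel: str                            # "email", "chat", "voice", ...
    action: str                             # what the message asks for
    callback_number: Optional[str] = None   # number offered in the message, if any
    urgent: bool = False                    # "must be done today" pressure


@dataclass
class Decision:
    status: str                                  # "approved", "rejected" or "escalate"
    called: Optional[str] = None                 # number actually dialled, if any
    red_flags: List[str] = field(default_factory=list)


def verify_request(req: SensitiveRequest,
                   place_call: Callable[[str, str], bool],
                   directory: Dict[str, str] = DIRECTORY_OF_RECORD) -> Decision:
    """Decide whether a sensitive request may proceed.

    place_call(number, action) returns True when the person reached on that
    number confirms the request. It is injected so the logic can run offline."""
    flags: List[str] = []
    if req.action not in SENSITIVE_ACTIONS:
        # Nothing sensitive requested: no call-back needed.
        return Decision("approved", red_flags=flags)

    on_file = directory.get(req.requester.lower())
    if on_file is None:
        # No trusted channel exists yet; a human must establish one first.
        flags.append("requester has no contact of record")
        return Decision("escalate", red_flags=flags)

    if req.callback_number and req.callback_number != on_file:
        # Common BEC indicator: the message pushes a "new" number to call.
        flags.append("callback number in message differs from number on file")
    if req.urgent:
        flags.append("request applies time pressure")

    # Always dial the number on file, regardless of what the message says.
    confirmed = place_call(on_file, req.action)
    return Decision("approved" if confirmed else "rejected",
                    called=on_file, red_flags=flags)


if __name__ == "__main__":
    # Simulated call: only the genuine vendor line confirms the change.
    def demo_call(number: str, action: str) -> bool:
        return number == "+1-555-0100"

    req = SensitiveRequest("ACME Supplies", "email", "change_bank_details",
                           callback_number="+1-555-0199", urgent=True)
    print(verify_request(req, demo_call))
```

The red flags are recorded but do not by themselves decide the outcome; the answer from the person reached at the number of record does. That keeps the process usable for genuine urgent requests while making a message that supplies its own "verification" number worthless to an attacker.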
Attackers are no longer just targeting the inbox. Companies must evolve their defenses to help address these new threat vectors.