High-value BEC persistence and approval-phishing
Key Questions
What are the latest statistics on BEC and VEC attack prevalence?
BEC accounts for 61% and VEC for 26.5% of vendor spoof incidents, with 74% of payments fraud cases involving BEC according to the 2026 AFP survey. AI adoption in these attacks stands at 17%, and overall FBI-reported losses exceed $3 billion.
What new real-world cases demonstrate AI-powered BEC threats?
A car dealership lost $1 million through spoofed bank calls and real-time wire manipulation, while Wells Fargo and Arup each suffered around $25 million from AI-generated payroll and invoice scams. A global stock exchange executive was compromised for five months using legitimate tools like Aspose and Dropbox.
How are attackers bypassing email authentication in VEC campaigns?
Attackers use single-hyphen lookalike domains that pass SPF/DKIM/DMARC when they own the domain and set p=none, combined with exact display-name spoofing. Direct Send abuse and link laundering via trusted security vendors like Egress and Barracuda also enable DMARC bypass.
What is Ghost phishing and its impact on organizations?
Ghost phishing employs living-off-the-land techniques, session hijacking to bypass MFA, and AI conversation continuity, including shared mailbox abuse. It led to a $2.4 million loss in manufacturing and shows a 44% engagement rate in VEC attacks with most incidents unreported.
What emerging services are fueling deepfake BEC scams?
Dark Web Deepfake-as-a-Service offerings have driven a 39% surge in discussions and contributed to $2.7 billion in BEC losses, including a $25 million video-conference case. The ARToken platform adds inbox rule manipulation and seven-layer anti-analysis for targeted vendor spoofing.
Abnormal BEC>VEC (61%/26.5% vendor spoof); AI payroll/invoices/deepfakes (Wells $25M, Arup $25.6M). FBI $3B; AI voice vishing. New concrete case: $1M loss at car dealership via spoofed bank phone and real-time wire manipulation. FINRA oversight urged. New case: Global stock exchange executive compromised for months via email espionage using legitimate tools (Aspose, Dropbox) for exfiltration; 5-month dwell time, repeated inbox theft. Highlights CASB/DLP defenses. New: 2026 Payments Fraud Playbook (AFP survey) reports 74% BEC, 17% AI adoption, advocates deterministic controls over manual review. New: Mitigating Phishing and BEC Attacks paper narrows BEC research to real estate sector. AI-Powered Impersonation Attacks article adds taxonomy of six AI impersonation types including deepfake CEO cases. New: Dark Web Deepfake-as-a-Service surge fuels $2.7B BEC scams – marketplace commoditization of deepfake tools, 39% dark web discussion surge, $25M video conference case reinforces scalability threat. FTC data (2025) shows bank impersonation drove $1B in losses. New: ARToken BEC-as-a-service platform (linked to EvilTokens) with inbox rule manipulation, shared access links, seven-layer anti-analysis, targeted lures spoofing real vendor relationships (e.g., Wisconsin contractor to life sciences company). Adds to growing PhaaS/BEC-as-a-service landscape; financial sector targeting not yet confirmed. New: Detailed VEC case study (2026-06-24) shows single-hyphen lookalike domain bypassing SPF/DKIM/DMARC because attacker owned domain and set p=none; used known contact's exact display name and commodity sales platform. Only link analysis and relationship history caught it. Textbook example of authentication failure against lookalike domains – critical for financial orgs relying on DMARC enforcement. Adds concrete IOCs and MITRE mapping. New: Article on manufacturing BEC highlights Direct Send abuse as a technique to bypass DMARC by sending from authenticated domains with permissive SPF; advocates RejectDirectSend and supplier DMARC enforcement. These techniques are directly transferable to high-value financial orgs. FBI data reports $893M in AI-powered scam losses in one year (Malwarebytes), confirming scale but lacking technical depth. New: Link laundering technique using trusted security vendor wrappers (Egress, Barracuda) to hide credential-harvesting destinations – DMARC pass on unrelated Saudi domain via Amazon SES. Financial pretext (Regions Bank benefits). Extends laundering trend. New: VEC engagement rate of 44% reported in gated study (98.5% unreported), reinforcing visibility gap but lacking technical depth. New: Ghost phishing technique (living-off-the-land, MFA bypass via session hijacking, AI conversation continuity) with $2.4M manufacturing case and shared mailbox abuse – detailed TTPs for financial orgs. New: DocuSign-themed phishing deploying ScreenConnect (RMM) via signed installer, using Cloudflare Turnstile for trust and victim tracking; IOCs and MITRE mapping available. Adds to LotL/RMM abuse trend for financial orgs.