Why Technology Can't Stop BEC
On August 14, 2019, a European subsidiary of Toyota Boshoku Corporation — a major Toyota parts supplier — received what appeared to be a routine payment instruction from a trusted business partner. The payment details had changed. A finance employee processed the request. By the time anyone noticed something was wrong, approximately $37 million had been wired to accounts controlled by attackers.
No links were clicked. No malware was deployed. No systems were breached. No one’s password was stolen. It was just an email asking for money, and it worked.
Or consider the Massachusetts Workers’ Union: in January 2023, a routine note arrived from what appeared to be their investment manager, requesting a transfer to a new account. $6.4 million was stolen. Investigators managed to seize $5.3 million, but the remaining funds had already been laundered through accounts in Asia and converted through cryptocurrency exchanges.
These aren’t technology failures. The technology worked exactly as designed. The problem is that BEC attacks are designed to be invisible to technology.
What email security tools actually look for
Every enterprise email security platform — Microsoft Defender, Proofpoint, Mimecast, Abnormal — scans incoming emails for the same set of signals. Here’s what they look for, and what BEC emails contain instead:
| What security tools scan for | What BEC emails contain |
|---|---|
| Malicious URLs — scan, sandbox, block | No URLs at all — just text |
| Malicious attachments — detonate, analyze | No attachments — just a request |
| Known malware signatures | No malware of any kind |
| Spoofed sender domains — SPF/DKIM/DMARC | Real sender from compromised account — passes everything |
| Suspicious language patterns | Correct grammar, professional formatting, appropriate tone |
| Unfamiliar references | Accurate references to real projects, real people, real amounts |
The fundamental problem: BEC emails are technically indistinguishable from legitimate business emails. There is nothing for technology to detect. The email is genuine text, from a genuine account, about a genuine project, requesting a normal-sounding action. The only thing that’s wrong is the intent behind it.
It’s like trying to build a machine that can tell the difference between a legitimate invoice and a fraudulent one — when the fraudulent one is formatted correctly, references a real contract, and comes from the right email address. The information is accurate. The request is plausible. The sender is verified. The technology has nothing to flag.
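To make the table concrete, here is an added example (not code from the original lesson) that runs the left-hand column's checks over a constructed BEC-style message and shows that none of them fire, then applies the kind of process hook the rest of the lesson argues for: a hold on any request to change where money goes until it is confirmed through a known channel. The message, domains and invoice number are invented, and the keyword rule is deliberately crude: it marks where a verification point sits, it is not a detector.

```python
import email
import re
from email import policy

# Constructed sample (not a real message): a BEC-style payment-change request
# sent from a partner's genuine but compromised mailbox, so SPF/DKIM/DMARC pass.
BEC_SAMPLE = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=partner.example;
 dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example
From: Accounts Payable <ap@partner.example>
To: finance@company.example
Subject: Updated remittance details for invoice 4471
Content-Type: text/plain; charset=utf-8

Our bank account has changed. Please use the new account details below for
invoice 4471 and all future payments.
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
# Wording a process hook keys on: a money destination plus a change to it.
MONEY_RE = re.compile(r"\b(bank|account|remittance|wire|beneficiary|iban)\b", re.IGNORECASE)
CHANGE_RE = re.compile(r"\b(changed?|updated?|new)\b", re.IGNORECASE)

def _parse(raw: bytes):
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    return msg, (body.get_content() if body else "")

def scanner_signals(raw: bytes) -> dict:
    """The left-hand column of the table: what a gateway would actually flag."""
    msg, text = _parse(raw)
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    return {
        "urls": URL_RE.findall(text),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
        "auth_failures": {k: v for k, v in auth.items() if v != "pass"},
    }

def is_clean_for_scanner(raw: bytes) -> bool:
    """True when none of the scanner's signals are present."""
    return not any(scanner_signals(raw).values())

def requires_out_of_band_verification(raw: bytes) -> bool:
    """Process hook: hold any request to change where money goes, however clean
    it looks to the scanner, until it is confirmed through a known channel."""
    msg, text = _parse(raw)
    text = str(msg.get("Subject", "")) + "\n" + text
    return bool(MONEY_RE.search(text) and CHANGE_RE.search(text))
```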
The AI amplification problem
As if BEC weren’t hard enough to detect, AI tools are making the problem worse:
- Non-native English speakers can now produce flawless, professional business English that’s indistinguishable from a native speaker’s writing
- AI can match writing style. Given a few sample emails from the person being impersonated, AI can generate messages that match their vocabulary, sentence structure, and communication patterns
- AI generates variations at scale. Instead of reusing the same template across thousands of attacks (which pattern detection can catch), AI creates unique variations for each target, making signature-based detection essentially impossible
Before AI, many BEC emails had subtle tells — unusual phrasing, awkward grammar, a tone that didn’t quite match the supposed sender. Those tells are disappearing. The emails are getting better faster than the detection tools can keep up.
Phishing-as-a-Service lowers the bar
BEC used to require a skilled attacker: someone who could compromise an account, study the victim, and craft a convincing request. Not anymore.
The Phishing-as-a-Service economy has commoditized the entire process:
- At least 145 distinct threat actors reference EvilProxy on dark web forums — a platform that provides ready-made phishing infrastructure
- PhaaS kits like Tycoon 2FA, Sneaky2FA, and EvilProxy doubled in volume by 2025
- According to Flare’s 2024 analysis, 90% of high-volume phishing campaigns now use commercially available kits
- These kits can bypass MFA, capture session cookies, and provide dashboard-style interfaces for managing attacks
This means BEC is no longer limited to sophisticated criminal organizations. The tools are available, affordable, and come with customer support. The barrier to entry has dropped to near zero.
If not technology, then what?
This is the uncomfortable conclusion: if BEC emails contain nothing malicious for scanners to detect, no scanner can save you. The defense has to be something else entirely.
That “something else” is process — simple verification steps that cost nothing, take minutes, and work regardless of how convincing the email looks. The next lesson covers exactly what those processes are.
But before we get there, it’s worth sitting with the discomfort for a moment. We’ve been trained to believe that technology protects us. We buy security tools, configure spam filters, deploy AI-powered email analysis. And those tools DO protect against the vast majority of phishing — the mass-market attacks with suspicious links and malware attachments.
But BEC is the category that technology fundamentally cannot solve. The defense requires human judgment, supported by organizational processes that create mandatory verification points. And those processes add friction. That friction is the defense.
The Rule: If there's nothing malicious to scan, no scanner can save you. Only process can.