Business email compromise (BEC) is frequently framed as an email scam, but research from Flare into underground criminal forums paints a more structured picture. Attackers treat BEC as an end-to-end operation, requiring patient reconnaissance, purpose-built infrastructure, and reliable monetization channels before a single fraudulent invoice is ever sent.

The Full Attack Chain

Initial access typically starts with a compromised organizational mailbox or a business SaaS account, with Microsoft 365 credentials among the most sought-after on criminal markets. Once inside, threat actors spend significant time mapping the organization: studying its financial hierarchy, procurement workflows, vendor relationships, and outstanding invoices. The goal is to insert a fraudulent payment request into an existing, trusted conversation using real names, real invoice references, and familiar language, making the message extremely difficult for employees to question.

Finance department accounts are particularly prized. Researchers found that actors specifically seek access to accounts receivable, accounts payable, payroll records, and customer payment data, all of which provide the context needed to craft a convincing fraud.

What the Forums Reveal

Flare researchers analyzed underground posts from the past year, including a January 2026 thread titled “Business Email Compromise (BEC) – Experiences and Discussion” started by a threat actor using the handle Bigjack. The discussion illustrates the operational mindset clearly. Bigjack described using remote access malware for initial compromise, then pivoting to mailbox access to send fraudulent invoices. His questions centered not on technical intrusion but on fraud execution: timing invoice delivery, manufacturing urgency, requesting large sums without triggering suspicion, and knowing which mistakes can expose the operation.

Replies from other participants reinforced several consistent themes: intercepting an active invoice payment is more effective than initiating a new one, identifying and targeting the employee who authorizes payments is critical, and reliable cash-out support is the single most important factor for success.

Cash-Out Remains the Hardest Problem

Monetizing a successful BEC intrusion requires a clean, operational receiving bank account, and finding one is consistently described by forum participants as the biggest bottleneck. Actors connect to money mule networks and specialist cash-out services to solve this problem. One actor using the handle neoresu offered cash-out services and described using call centers to pressure target companies into completing payments faster. Another actor, going by Capita, claimed six years of BEC activity across Germany, Finland, and Austria, and described using peer-to-peer money movement alongside call center operations.

AI Is Lowering the Barrier

Flare’s findings also note a growing interest in AI-assisted BEC, which threat actors say reduces the time needed to learn an organization’s communication style and improves the perceived quality of fraudulent correspondence. This trend suggests that the reconnaissance and drafting phases of BEC will become faster and more scalable.

Defensive Takeaways

  • Monitor SaaS account compromise signals, particularly for Microsoft 365 credentials appearing in criminal markets.
  • Implement strict payment verification procedures that require out-of-band confirmation for any change to banking details or payment destinations.
  • Train finance staff specifically, as they are the primary targets for both initial access and social engineering.
  • Treat unexpected urgency in payment requests, including follow-up phone calls, as a red flag consistent with known BEC tactics.
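A small Python prototype of the out-of-band verification control described above, added here as an example (it is not code from Flare or from the forum research): any payment request whose bank details differ from the vendor master record is held, and confirmation is routed to the phone number recorded at onboarding, never to a number supplied in the email itself. The vendor record, the requests and the urgency word list are constructed sample data and assumptions of this example.

```python
"""BEC payment-hold check: compare an incoming payment request against the
vendor master record and decide whether finance may release it or must
first confirm out of band. All data shapes below are constructed examples."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed starter list of urgency phrasing typical of fraudulent invoices.
URGENCY_MARKERS = ("urgent", "immediately", "today", "asap", "final notice")


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    iban: str
    callback_phone: str  # verified at onboarding, the only number used for callbacks


@dataclass
class PaymentRequest:
    vendor_id: str
    invoice_ref: str
    iban: str
    body: str
    contact_phone_in_email: Optional[str] = None  # any number the sender offers


@dataclass
class Decision:
    action: str  # "release" or "hold"
    reasons: List[str] = field(default_factory=list)
    verify_via: Optional[str] = None  # number on file to call before release


def _norm_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def evaluate(req: PaymentRequest, master: Dict[str, VendorRecord]) -> Decision:
    """Hold when bank details changed, urgency language appears, or the email
    supplies a callback number that differs from the one on file."""
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return Decision("hold", ["vendor not in master record"], None)
    reasons = []
    if _norm_iban(req.iban) != _norm_iban(vendor.iban):
        reasons.append("bank details differ from vendor master")
    hits = [m for m in URGENCY_MARKERS if m in req.body.lower()]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    if req.contact_phone_in_email and req.contact_phone_in_email != vendor.callback_phone:
        reasons.append("callback number in email differs from number on file")
    if not reasons:
        return Decision("release")
    return Decision("hold", reasons, vendor.callback_phone)
```

A held request is released only after a finance employee reaches the vendor on `verify_via`; the number in the email is deliberately ignored for that call.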

The forum data underscores that BEC is a well-documented, openly discussed tradecraft within criminal communities. Defenders who monitor these channels gain advance warning of the tactics, timing, and infrastructure attackers are actively refining.