"Business Email Compromise (BEC) is often described in the media as merely an email scam, but in reality, it’s part of an organized broad operation," Flare researchers wrote — a concise description that underpins new visibility into how modern BEC schemes are planned and executed.
Bigjack's January 2026 thread: an operational playbook
Flare sampled an underground forum thread titled “Business Email Compromise (BEC) – Experiences & Discussion,” created by a threat actor named Bigjack in January 2026. The post lays out an attacker workflow that begins with remote access malware to gain initial entry, followed by mailbox compromise and the use of those mailboxes to send fraudulent invoices. The discussion focused less on intrusion mechanics than on the practical fraud elements: when to send invoices, how to create urgency, how to request large sums without arousing suspicion, what mailbox metadata to reuse, what proof to provide if questioned, and which mistakes can ruin an operation.
AI-powered tooling: blackhatpakistan's description of synthetic correspondence
Underground posts reviewed by Flare indicate attackers are increasingly using AI to raise the quality and scale of BEC. A user named blackhatpakistan described AI-generated business correspondence that mimics executive and employee writing styles, creates context-aware payment requests, and produces thousands of unique email variations. Flare notes dedicated underground tools are promoted to generate entire email conversation chains, enabling attackers to hijack existing discussions and inject fraudulent payment requests with higher authenticity.
Cash-out: the real bottleneck (neoresu and Capita)
Across the sampled posts, monetization — not initial access — emerges as the hardest part. Flare reports that cash-out requires finding a reliable, operational, and “clean” receiving bank account or working with mule networks and cash-out services. A participant named neoresu stressed that the person who validates payments needs special care and offered services while discussing the use of call centers. Another actor, Capita, described six years of BEC activity in Europe (noting Germany, Finland, and Austria) and cited peer-to-peer money movement alongside call-center pressure as cash-out techniques. Forum threads also include explicit recruitment of money mules for business bank accounts and fast transfers.
Call centers: follow-up calls as a force multiplier
Flare highlights that BEC is often multi-channel. In the Bigjack thread, actors asked when to call after sending a fraudulent invoice, and at least one participant claimed to operate a call center used to press targets into faster payments. The report warns defenders that a follow-up call — a separate channel introduced or controlled by the attacker — should not be treated as independent proof of authenticity.
Flare's practical advice: detect underground signals and harden access
Flare offers specific defensive measures tied to the signals it monitors. Defenders should prioritize protection for leadership, finance, and procurement personnel because threat actors explicitly target those accounts to learn accounts receivable and payable, payrolls, invoices, overdue payments, and customer payment relationships. The report urges organizations to identify AI-generated content and deep-fake artifacts, and to educate employees about call-center pressure techniques and timing cues attackers exploit (such as approvers on vacation).
Operationally, Flare says its monitoring of deep and dark web sources for exposed employee credentials, corporate domains, login portals, SaaS applications, and related indicators enables teams to detect when access points appear in credential collections or search-service advertisements. When exposures are detected, Flare recommends immediate mitigations such as password resets, session revocation, multifactor authentication enforcement, and investigation of possible account misuse.
What this means for corporate leadership, financial teams, and security teams
- Corporate leadership: attackers are specifically interested in leadership and financial employees; extra scrutiny and tailored training are recommended for those roles.
- Financial teams and procurement: because actors map procurement processes, these teams should validate unusual timing, payment destinations, and last-minute changes — and treat new call channels with skepticism.
- Security teams: monitoring for exposed credentials, SaaS account compromises (the report names O365 as an example of targeted SaaS), and indicators on underground forums can provide early warning before fraudulent invoices are sent.
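One way to turn the validation points above into a payment-change control in finance tooling, as an added example that is not from the report or from Flare; the vendor and invoice fields, the cue word lists and the sample records are assumptions:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Cues the report attributes to BEC operators: manufactured urgency and "approver away" timing.
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|overdue|final notice)\b", re.I)
ABSENCE = re.compile(r"\b(on vacation|out of office|travell?ing|unreachable)\b", re.I)

@dataclass
class Vendor:            # what finance holds on file, independent of any email
    domain: str
    account: str
    phone: str           # the only number a verification call should go to

@dataclass
class Invoice:           # what arrived by email (hypothetical fields)
    vendor: str
    sender_domain: str
    account: str
    body: str
    callback_number: Optional[str] = None   # number staff actually dialled, if any

def triage(inv: Invoice, master: Dict[str, Vendor]) -> Tuple[str, List[str]]:
    """Return (decision, reasons). A matching sender domain proves nothing on its own:
    in BEC the mail really does come from the compromised mailbox."""
    v = master.get(inv.vendor)
    if v is None:
        return "HOLD", ["vendor not on file"]
    reasons = []
    if inv.sender_domain != v.domain:
        reasons.append("sender domain differs from vendor record")
    if inv.account != v.account:
        reasons.append("bank account differs from vendor record")
    if URGENCY.search(inv.body):
        reasons.append("urgency language")
    if ABSENCE.search(inv.body):
        reasons.append("claims approver unavailable")
    if not reasons:
        return "PAY", reasons
    # A call back only counts if it went to the number on file; a number supplied in
    # the email, or an inbound "follow-up" call, is a channel the attacker may control.
    if inv.callback_number == v.phone:
        return "REVIEW", reasons
    return "HOLD", reasons + ["not verified via number on file"]

# Constructed sample data, not taken from the report.
MASTER = {"acme": Vendor("acme.example", "DE00-1111", "+49-000-1111")}
SUSPECT = Invoice("acme", "acme.example", "DE00-9999",
                  "Urgent: please pay today, the CFO is on vacation and approved by phone.")
ROUTINE = Invoice("acme", "acme.example", "DE00-1111", "Invoice 4711 attached, net 30.")
```

The point of the callback rule is that a change is cleared only by a call finance places to the number already on record, never by a call that arrives with or after the invoice.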
Flare's underground sweep reframes BEC as an organized, multi-step criminal business that combines mailbox compromise, social engineering, synthetic content, telephone pressure, and complex cash-out networks. The reporting leaves a clear operational mandate: detect exposures far upstream, harden the accounts attackers prize, and do not accept a phone call as independent verification when the call itself may be part of the attack.