They succeed because AI improves scale, targeting, and language quality at the same time. That makes fraudulent requests harder to distinguish from legitimate ones and increases the number of attempts that can be tailored to a victim’s role, relationships, or routine business processes.
Why This Matters for Security Teams
AI-assisted phishing and business email compromise succeed because the attacker no longer needs perfect tradecraft to get a useful result. Large language models improve message quality, localise tone, and help criminals sustain volume while still sounding specific to the target’s role, vendor relationships, and approval habits. That shifts the problem from obvious spam detection to trust validation under time pressure.
For defenders, the important issue is not only better phishing copy. AI also supports faster recon, more convincing impersonation, and iterative testing of which pretexts get replies. The result is a campaign that can adapt midstream instead of following a fixed template. Guidance from the NIST Cybersecurity Framework 2.0 still applies, but the threat now arrives with more context and less grammatical friction than older attacks. NHIMG’s analysis of the DeepSeek breach shows how quickly exposed data and credentials can be assembled into broader abuse patterns once attackers find a foothold.
In practice, many security teams see the impact only after a finance approval, password reset, or wire request has already been executed, rather than through deliberate detection of the campaign itself.
How It Works in Practice
AI improves phishing and BEC in three operational ways: it makes the message more believable, it makes targeting more precise, and it makes iteration cheap. Attackers can draft emails that mimic internal language, mirror executive communication patterns, and adapt to industry-specific vocabulary. They can also generate many variants quickly, which lets them test subject lines, urgency cues, and payment instructions until one lands.
The practical defence challenge is that content quality is only one part of the attack path. AI-assisted campaigns often combine email impersonation with account takeover attempts, callback scams, fake document workflows, and vendor compromise. The most effective programmes treat these as identity and process abuse problems, not just message filtering problems. That means adding verification steps to high-risk actions, strengthening payment-out-of-band controls, and training staff to validate requests when the cost of error is high.
Current guidance suggests the strongest controls are layered and procedural:
- Use phishing-resistant authentication for privileged users and payment approvers.
- Require secondary verification for bank detail changes, payroll updates, and urgent transfer requests.
- Monitor for lookalike domains, mailbox rule tampering, and unusual sender relationships.
- Apply policy-based approval workflows to reduce reliance on email alone.
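The monitoring bullet above names three signals; the following added example (illustrative code, not from NHIMG or any mail platform) shows what each looks like as a check over constructed audit events and messages. The audit-event field names, the known-domain list, the similarity threshold and the keyword list are all assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed: the organisation's own domain plus known supplier domains.
KNOWN_DOMAINS = {"example.com", "acme-supplies.com"}
PAYMENT_WORDS = re.compile(r"\b(wire|bank details|urgent transfer|invoice)\b", re.I)

# Constructed audit events for new inbox rules (field names are assumptions).
RULE_EVENTS = [
    {"user": "cfo@example.com", "forward_to": "", "delete": False},
    {"user": "ap-clerk@example.com",
     "forward_to": "collector@mailbox.invalid", "delete": True},
]
# Constructed inbound message (note the capital I in "suppIies") and the
# senders this mailbox has corresponded with before.
MESSAGE = {"from": "billing@acme-suppIies.com",
           "subject": "Urgent transfer: updated bank details"}
SEEN_SENDERS = {"billing@acme-supplies.com", "hr@example.com"}

def rule_tampering(events, known=KNOWN_DOMAINS):
    """Users whose new inbox rule forwards mail outside known domains or
    deletes messages: both hide a hijacked thread from its real owner."""
    hits = []
    for e in events:
        target = e["forward_to"].split("@")[-1] if e["forward_to"] else ""
        if (target and target not in known) or e["delete"]:
            hits.append(e["user"])
    return hits

def lookalike(domain, known=KNOWN_DOMAINS, threshold=0.85):
    """Return the known domain an unknown one closely resembles (typo,
    swapped glyph, extra hyphen), or None; exact matches are not lookalikes."""
    if domain in known:
        return None
    for k in known:
        if SequenceMatcher(None, domain.lower(), k).ratio() >= threshold:
            return k
    return None

def unusual_sender(msg, seen=SEEN_SENDERS):
    """Reasons to route a message for verification: first-contact sender
    asking for a payment action, and/or a domain resembling a known one."""
    reasons = []
    if msg["from"] not in seen and PAYMENT_WORDS.search(msg["subject"]):
        reasons.append("first-contact sender requesting payment action")
    near = lookalike(msg["from"].split("@")[-1])
    if near:
        reasons.append(f"domain resembles {near}")
    return reasons
```

In production the sender history and known-domain list would come from the mail gateway and vendor master rather than literals, and the lookalike threshold needs tuning against your own domain portfolio to keep false positives low.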
For organisations handling secrets and automation, the broader lesson from NHIMG’s The State of Secrets in AppSec is that weak handling of sensitive material gives attackers more usable context once they gain access. That is why AI-assisted BEC succeeds best where business process controls are informal, approvals are rushed, and identity signals are not independently verified. These controls tend to break down in distributed finance operations because routing, approvals, and exceptions are already fragmented across teams and tools.
Common Variations and Edge Cases
Tighter verification often increases friction, so organisations must balance fraud resistance against the speed of legitimate business operations. That tradeoff is especially visible in sales, procurement, payroll, and executive support functions where urgency is common and exceptions are routine.
There is no universal standard for every scenario, but current guidance suggests a few patterns. Internal-only impersonation can be harder to spot than external spoofing because the attacker may compromise a real mailbox and inherit trust from prior conversations. Vendor BEC can also bypass technical controls when the fraud occurs through a real supplier channel with legitimate historical context. In those cases, the issue is not whether the email looks polished, but whether the receiving workflow requires independent proof before action.
AI also changes the economics of multilingual phishing. Messages can be tailored to regional norms, grammar expectations, and local business etiquette, which reduces the traditional red flags that staff are trained to spot. Security teams should therefore focus on process hardening, anomalous transaction monitoring, and user reporting paths that are easy to use under pressure. A campaign can still fail even when the language is perfect if the organisation forces high-risk requests through separate channels and confirms them through a trusted contact method.
Where this guidance breaks down most often is in highly decentralised organisations that allow ad hoc approvals and lack a single system of record for sensitive payment or identity changes.
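The section above argues that the deciding factor is whether the receiving workflow demands independent proof, checked against a single system of record, before a payment moves. The added example below (illustrative code, not NHIMG's or any finance system's) encodes that gate: any trigger forces a callback to the contact held on record, never to a number supplied in the email. The vendor master contents, the amount threshold and the trigger list are assumptions.

```python
from dataclasses import dataclass, field

# Constructed vendor master: the single system of record for bank details and
# the contact used for callbacks. Values are placeholders, not real data.
VENDOR_MASTER = {
    "acme-supplies.com": {"iban": "DE00CONSTRUCTED0001",
                          "contact": "+49 30 0000 0000", "paid_before": True},
    "newco-consulting.example": {"iban": "GB00CONSTRUCTED0002",
                                 "contact": "+44 20 0000 0000", "paid_before": False},
}

@dataclass
class PaymentRequest:
    sender_domain: str   # domain the email came from
    vendor_domain: str   # vendor the payment is claimed for
    iban: str            # account named in the email
    amount: float
    urgent: bool         # "today", "before close of business" and similar cues

@dataclass
class Decision:
    auto_approve: bool
    reasons: list = field(default_factory=list)
    callback: str = ""   # contact from the master record, never from the email

def evaluate(req, master=VENDOR_MASTER, threshold=10_000):
    """Any trigger pulls the request out of the email channel: the approver
    must confirm it via the contact held on record. A perfectly written message
    from a genuinely compromised supplier mailbox still hits the IBAN check."""
    reasons = []
    record = master.get(req.vendor_domain)
    if record is None:
        reasons.append("vendor not in system of record")
    else:
        if req.iban != record["iban"]:
            reasons.append("bank details differ from record")
        if not record["paid_before"]:
            reasons.append("first payment to this vendor")
    if req.sender_domain != req.vendor_domain:
        reasons.append("sender domain does not match vendor")
    if req.urgent:
        reasons.append("urgency cue present")
    if req.amount >= threshold:
        reasons.append("amount at or above threshold")
    if not reasons:
        return Decision(True)
    return Decision(False, reasons, record["contact"] if record else "")
```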
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | AI-generated social engineering relies on deceptive model use and trust abuse. |
| CSA MAESTRO | MAE-02 | Covers agent-assisted misuse of business workflows and identity trust. |
| NIST AI RMF | | AI RMF helps govern misuse, trust, and human oversight for AI-enabled fraud. |
Treat AI-assisted phishing as an abuse of agentic text generation and harden approval paths.