So-called ‘dual-channel’ attacks using multiple methods of communication either simultaneously or in sequence are becoming more prevalent as digital fraudsters seek out new ways to defeat cyber protections against business email compromise (BEC) scams, according to new data from security services supplier LevelBlue.
BEC attacks – which spoof trusted entities, often c-suite executives, then use their identities to convince victims to transfer money into the attackers’ pockets – have long been a bugbear for enterprise defenders.
“[BEC] continues to be one of the costliest cyber attacks as reported by the FBI’s IC3, with over $2.7bn (£2bn) in adjusted losses in 2024 alone,” wrote LevelBlue researcher Katrina Udquin.
“BEC attacks are not slowing down, and fraudsters continue to evolve their scamming techniques and arsenal,” she said.
According to LevelBlue, last year its systems observed a significant increase in BEC attacks in which the initial lure was a request for contact, seeking to establish the potential victim’s mobile number or personal email address. A total of 43% of lures that it saw took this form, compared to 31% which took the form of a more traditional request for a payroll transfer, and 10% which asked for invoice payments or wire transfers.
Such request for contact lures are very often a precursor to a dual-channel attack seeking to move the conversation to an alternative platform.
LevelBlue’s systems tallied over 5,000 unique dual-channel attacks in 2025, and found that in 66% of them, the cyber fraudsters tried to move the conversation to traditional SMS messaging, in 32% of cases to messaging applications such as WhatsApp, and in 2% of cases to personal email addresses.
The rationale behind this tactic is a relatively simple one – external mobile networks, messaging applications and personal email addresses will in almost all circumstances fall well beyond the purview of any enterprise IT security department.
Done successfully, a dual-channel attack renders expensive email protection services basically useless, meaning all security teams can do is hope that the social engineering modules of their cyber training courses have been effective.
Related to this, LevelBlue said it also observed an increase in callback phishing, in which the criminals encourage their mark to reach out first by contacting a specified malicious phone number. This tactic more than doubled in popularity during 2025. Callback phishing is effective because it relies heavily on authority bias and a sense of urgency, exploiting people’s tendency to take messages or instructions from people in positions of authority seriously.
Emerging trends
According to LevelBlue’s data – gleaned largely from its proprietary MailMarshal defence service – 2025 saw a number of other notable trends developing in the BEC sphere.
Among these were the emergence of longer-form BEC emails. While BEC spam has traditionally been rather concise, more longer, well-crafted messages are now increasingly being seen, likely a result of cyber fraudsters trying to make their emails more elaborate and more authentic. Often, said LevelBlue’s researchers, longer emails appear to be being generated with the ‘help’ of generative artificial intelligence (GenAI) large language models (LLMs).
The past 12 months also saw a spike in attacks using multiple-personas and crafted email threads, where the victim appears to be copied in on an ongoing email chain. This tactic has been well-used for the past four or five years by nation-state threat actors targeting individuals of interest, such as academics, activists, diplomats, journalists or politicians, but is now spreading among financially-motivated groups, too.
In a criminal context multiple-persona impersonation and email threads seem to be being used predominantly in invoice payment fraud, with the spoofed identities often including the victim’s third-party suppliers.
Preventing BEC: Back to basics
Although cyber criminal tactics around BEC are clearly evolving, defenders can take solace from the fact that the best ways to protect against it are tried and tested.
Naturally, it remains an absolute imperative that staff across the organisation are educated on how to identify potential BEC spam email indicators.
Beyond this, security teams should ensure that they work with compliance and financial colleagues to ensure the organisation performs rigorous identification and verification checks when making external payments.
Finally, limiting access controls to organisational systems, records and documentations, and protecting these with multifactor authentication (MFA) as standard, can inhibit the risk of data theft.
