The FBI IC3's 2023 Internet Crime Report put Business Email Compromise losses at $2.9 billion for that year alone — a figure that likely undercounts significantly given unreported incidents and losses absorbed as operational write-offs. But the dollar figure isn't the most operationally useful data point. What matters for IT and security teams is that BEC attack patterns have shifted substantially over the last two years in ways that render older detection approaches increasingly ineffective.
This article covers the patterns we see most frequently in 2025 across mid-market environments — companies in the 250- to 5,000-employee range that are large enough to be worth targeting but typically don't have a dedicated SOC. The goal is a direct operational read on what's changed and what to check in your current controls.
Pattern 1: Vendor Email Compromise Has Overtaken Internal Impersonation
Classic BEC spoofed the CEO or CFO. The attacker registered a lookalike domain, sent an urgent wire transfer request to the AP coordinator, and hoped the sense of executive authority would suppress skepticism. Security awareness training has made this scenario familiar enough that many organizations have trained employees to call back before processing unusual wire requests from executive addresses.
Vendor Email Compromise (VEC) is the evolution. Instead of impersonating an internal executive, the attacker compromises — or impersonates — a trusted external vendor. The email arrives in the context of an ongoing, legitimate business relationship. The invoice amounts are plausible. The language matches the vendor's actual communication style because the attacker has access to prior email threads, either through an account takeover (ATO) of the vendor's mailbox or through detailed OSINT on the vendor's public-facing communication patterns.
Consider a plausible scenario: a 1,800-employee professional services firm in the Southeast with a 12-year relationship with a regional IT hardware supplier. The attacker identifies the vendor from the firm's LinkedIn vendor acknowledgments, registers a domain with one transposed letter, and initiates contact about a "pending invoice" referencing an actual recent purchase order number pulled from a press release or government contract database. The AP coordinator, whose inbox includes dozens of vendor emails daily, processes the payment. The attack succeeds not because the employee was foolish but because the contextual signals of legitimacy were carefully assembled.
Microsoft's Digital Defense Report and Mandiant M-Trends both flag vendor email compromise as a top-growth BEC vector. The implication for detection is significant: email authentication controls on your own domain don't protect you from VEC attacks originating from vendor-lookalike domains.
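One concrete form of the vendor-lookalike check implied above, added here as an example (not Phishaver's or any vendor's code): it compares an inbound sender domain against a constructed allow-list of your own and top vendor domains and flags one-edit and homoglyph variants. The domain names and the homoglyph table are assumptions.

```python
"""Lookalike-domain check for inbound vendor mail (added example, not Phishaver code).

Flags a sender domain that is one edit (insertion, deletion, substitution or
adjacent transposition) away from a known vendor domain, after folding common
homoglyph tricks (0/o, 1/l, rn/m, vv/w). An exact match is left alone: that
case is the vendor's own DMARC-protected domain, or an account takeover, which
no domain check can see.
"""
from __future__ import annotations

# Constructed allow-list of your own domain and top vendors (hypothetical names).
KNOWN_DOMAINS = {"example-firm.com", "acmehardware.com", "docusign.com"}

def normalize(domain: str) -> str:
    """Lower-case and fold homoglyph pairs so look-alikes compare as equal."""
    d = domain.lower().strip().rstrip(".")
    return d.replace("rn", "m").replace("vv", "w").translate(str.maketrans("01", "ol"))

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(sender_domain: str, known: set[str] = KNOWN_DOMAINS) -> str | None:
    """Return the known domain the sender imitates, or None when the sender is
    either exactly a known domain or not close to any of them."""
    raw = sender_domain.lower().strip().rstrip(".")
    if raw in known:
        return None
    s = normalize(raw)
    for k in known:
        kn = normalize(k)
        # Distance 0 here means a pure homoglyph swap (e.g. acrnehardware.com).
        if osa_distance(s, kn) <= 1 or s.split(".")[0] == kn.split(".")[0]:
            return k
    return None
```

A hit on a first-time sender is the signal to route the message to the out-of-band verification step rather than to block it outright, since vendors do occasionally migrate domains.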
Pattern 2: Multi-Stage ATO Before the Financial Request
Straightforward impersonation — a lookalike domain, a single email requesting payment — is increasingly only the opening move in more sophisticated campaigns. The 2025 pattern we see more frequently is a multi-stage approach where the attacker establishes trust before making the ask.
Stage 1 is the account takeover or impersonation. The attacker gains access to or credibly impersonates a legitimate email account — either internal (compromised M365 credentials via T1566.002 credential phishing) or external (vendor ATO). Stage 2 involves days or weeks of passive observation: reading email threads, understanding current business context, identifying payment flows and approval chains. Stage 3 is the insertion — the attacker injects into an existing email thread with a plausible mid-conversation message. "Hey, just a heads up, we updated our banking details last quarter, here's the new ACH info for this invoice." The thread history creates legitimacy. The request lands in context rather than cold.
This pattern is almost invisible to rule-based detection. The sending address is the real compromised account. The thread history is genuine. The DKIM signature is valid. The only signal that something is wrong is the semantic content of the message — a banking detail change injected into an existing conversation about an unrelated topic, a subtle shift in urgency register, a payment request that doesn't match the invoice cadence the target normally sees from that sender.
NIST SP 800-53 control AC-2 (Account Management) and IA-5 (Authenticator Management) are the relevant controls on the credential hygiene side — MFA and phishing-resistant MFA (FIDO2/hardware key) reduce ATO risk substantially. But they don't prevent the social engineering component once an account is compromised or credibly impersonated from a lookalike domain.
Pattern 3: W-2 and Tax Fraud Remain Seasonal and Underdefended
W-2 fraud spikes every January through April. The attack pattern is simple and consistently effective: an attacker impersonates a senior executive — often the CEO or CHRO — and emails HR or payroll staff requesting a list of all employee W-2 forms, or requesting that payroll direct deposit information be updated for specific employees. The IRS publishes annual warnings about this exact attack class, and the FBI IC3 includes it as a tracked BEC sub-category.
Despite being well-documented, W-2 phishing continues to land because it exploits a legitimate process (HR responding to executive requests for employee data) in a predictable time window. Detection requires recognizing the behavioral pattern — executive-to-HR with unusual data requests during tax season — not just matching a known-bad URL or attachment hash. This is exactly the kind of context-dependent, language-based signal that rules engines consistently miss and that warrants a second-look inspection layer on messages matching this profile.
Pattern 4: Gift Card Requests Are Still Working, Especially in Education and Nonprofit
It would be easy to dismiss gift card BEC as a low-sophistication attack that only catches unsophisticated organizations. The data doesn't support that dismissal. Gift card request attacks — where an attacker impersonating a senior leader asks an employee to purchase gift cards "for a client gift" or "for the team" — continue to generate millions in annual losses across a range of organization types.
The reason they persist is that they require no technical infrastructure and exploit well-understood human compliance dynamics. An employee receiving a personal email from what appears to be the CEO's address, marked urgent, requesting a time-sensitive favor, faces strong social pressure to comply before verifying. The attack succeeds not through technical sophistication but through authority manufacturing and urgency compression — two of the core social engineering indicators that appear as semantic patterns in email body language, not as detectable payload characteristics.
We're not saying gift card attacks indicate a systemic training failure at the organizations they hit. We're saying that security awareness training addresses the known playbook, and attackers adapt their language and framing to stay just outside what employees have been explicitly taught to recognize. Detection that operates on the language of the message — looking for urgency + authority + unusual request combinations regardless of the specific framing used — provides more durable coverage than training employees to recognize a fixed list of phishing scenarios.
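The urgency + authority + unusual-action combination described here, and the mid-thread banking change from Pattern 2, as an added example that is not part of the original article or Phishaver's product: a small scorer that names the signals present in a message and escalates on their combination. The phrase lists, the Message fields and the two sample messages are constructed.

```python
"""Second-look scoring of email body language (added example, not Phishaver code).

Combines the signal families the patterns above share: urgency framing, manufactured
authority and an unusual action (banking change, gift cards, W-2/payroll data), plus
sender context. The phrase lists are constructed seeds, not a complete lexicon.
"""
import re
from dataclasses import dataclass

@dataclass
class Message:
    subject: str
    body: str
    first_time_sender: bool = False   # no prior mail from this address in the mailbox
    in_existing_thread: bool = False  # message sits inside a live thread

URGENCY = re.compile(r"\b(urgent(ly)?|asap|immediately|right away|today|time[- ]sensitive|"
                     r"before (end of day|eod|close of business)|can'?t talk)\b", re.I)
AUTHORITY = re.compile(r"\b(ceo|cfo|chro|chief \w+ officer|president|i'?m in a meeting)\b", re.I)
UNUSUAL_ACTION = {
    "banking_change": re.compile(r"\b(new|updated?)\b.{0,40}\b(ach|wire|bank(ing)? (details|info|account)|routing)\b", re.I | re.S),
    "gift_cards": re.compile(r"\bgift ?cards?\b", re.I),
    "w2_payroll": re.compile(r"\b(w-?2s?|direct deposit|payroll (info|details|change))\b", re.I),
}

def signals(msg: Message) -> list[str]:
    """Name every signal present in one message, in a fixed order."""
    text = f"{msg.subject}\n{msg.body}"
    checks = [("urgency", URGENCY), ("authority", AUTHORITY), *UNUSUAL_ACTION.items()]
    found = [name for name, pat in checks if pat.search(text)]
    if msg.first_time_sender:
        found.append("first_time_sender")
    if msg.in_existing_thread and "banking_change" in found:
        found.append("thread_injection")  # Pattern 2, stage 3: bank change mid-thread
    return found

def verdict(msg: Message) -> str:
    """'escalate' when an unusual action co-occurs with urgency, authority or risky
    sender context; 'review' for the action alone; 'pass' otherwise."""
    found = set(signals(msg))
    if not found & set(UNUSUAL_ACTION):
        return "pass"
    if found & {"urgency", "authority", "first_time_sender", "thread_injection"}:
        return "escalate"
    return "review"

# Constructed samples mirroring Pattern 4 and Pattern 2 stage 3.
GIFT_CARD = Message("Quick favor", "I'm in a meeting and can't talk. Please pick up "
                    "gift cards for a client today and send me the codes.")
ACH_CHANGE = Message("RE: Invoice 4471", "Hey, just a heads up, we updated our banking "
                     "details last quarter, here's the new ACH info for this invoice.",
                     in_existing_thread=True)
```

Note that the ACH sample escalates with no urgency or authority language at all; the thread context plus the banking change is what carries it, which is exactly the case a sender-reputation check passes.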
Pattern 5: Supply Chain Phishing via Legitimate Service Abuse
MITRE ATT&CK T1566.003 (Spearphishing via Service) describes attacks delivered through legitimate platforms — DocuSign, SharePoint, Dropbox, Adobe Sign, Zoom invitations. The 2025 version of this pattern is more nuanced: attackers use legitimate free-tier accounts on these platforms to deliver lures, because the sending domain is genuinely docusign.com or sharepoint.com, which passes every blocklist check and authentication control.
A 400-employee financial services firm in the Northeast might receive a DocuSign envelope request from a real DocuSign account, created by an attacker using a free trial, pointing to a document that requests credential input to "verify identity before signing." The email is genuinely from DocuSign's infrastructure. The only detectable signal is the content — the urgency framing, the unusual signer identity, the request for credentials that a legitimate DocuSign workflow wouldn't make.
Microsoft's own research on Storm-0978 (publicly attributed, RomCom backdoor distribution) documented the use of legitimate cloud services to deliver phishing lures specifically because sending-domain reputation checks fail against this technique. Defending against service-abuse delivery requires content inspection that can evaluate the semantic intent of a message independent of the sending infrastructure's reputation.
What This Means for Your Detection Stack
Reviewing these patterns together, the consistent thread is that all five rely primarily on social engineering rather than technical payload delivery. The malicious content is the language of the email — the constructed authority, the false urgency, the plausible business pretext. Signature-based detection and URL/attachment sandboxing are necessary but structurally insufficient for these attack types.
The practical checklist for mid-market IT teams in 2025:
- DMARC at p=reject for your domain and any subdomains used for email — this closes direct spoofing even if it doesn't address lookalike domains
- Lookalike domain monitoring — registered alerts for new domains visually similar to yours and your top vendors
- MFA enforced across M365 with conditional access policies that block legacy authentication protocols, which are the primary ATO vector
- A second-look inspection layer for email body language — specifically targeting urgency + authority + unusual-action combinations in messages from first-time senders or lookalike domains
- Payment change verification process — out-of-band callback (phone, not email) before processing banking detail updates, regardless of how legitimate the email looks
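A checker for the DMARC item in the checklist above, added here as an example (not Phishaver's code). It takes the TXT record as a string, so it runs offline against whatever your DNS tooling fetched; the two record strings at the bottom are constructed.

```python
"""DMARC record check for the checklist above (added example, not Phishaver code).

Evaluates a DMARC TXT record string against the checklist: p=reject, subdomains
covered (sp defaults to p under RFC 7489), full enforcement (pct) and aggregate
reporting (rua) so abuse and misaligned legitimate senders stay visible.
"""

def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record: str) -> list[str]:
    """Return the weaknesses found; an empty list means the record meets the checklist."""
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    p = t.get("p", "none").lower()
    if p != "reject":
        findings.append(f"p={p}: exact-domain spoofs are delivered or quarantined, not rejected")
    sp = t.get("sp", p).lower()  # sp defaults to the p value when absent
    if sp != "reject":
        findings.append(f"sp={sp}: subdomains can still be spoofed")
    pct = int(t.get("pct", "100"))  # default is 100% of failing mail
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in t:
        findings.append("no rua: no aggregate reports, so abuse and misaligned senders go unseen")
    return findings

# Constructed records: a common weak starting point and a checklist-compliant one.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example-firm.com"
STRONG = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example-firm.com"
```

Run it against the records of your top vendors as well: a vendor at p=none is the easiest target for the exact-domain spoofing side of VEC.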
The BEC threat type page has a deeper breakdown of how Phishaver's inspection layer targets these patterns specifically. For the detection methodology behind semantic analysis, see our piece on LLM-based analysis versus signature detection — the methodology section explains why language-level inspection catches what rules miss in each of the five patterns above.