Businesses are familiar with Business Email Compromise attacks. For those new to the term, BECs are sophisticated schemes in which criminals impersonate top executives, employees or trusted vendors to steal funds or sensitive information.
These attacks typically occur through email — hence the name. But with the rise of artificial intelligence, combined with old‑school social engineering, BEC attempts are becoming more frequent and more convincing.
Now, professional criminals are taking the tactic a step further. Using a new method known as dual‑channel BECs, they communicate through multiple channels at once to bypass existing cyber defenses.
“Millions of records are now available due to recent data breaches,” said Jeff Taylor, head of Commercial Fraud Forensics at Regions Banks. “Fraudsters combine all this data and attack with multiple points of contact to create urgency and weaken defenses.”
How It Works
A dual‑channel BEC remains rooted in email, but adds another layer: an immediate phone call or text message to reinforce the fraudulent request.
Here’s how a typical attack unfolds:
- Step 1: An urgent email arrives — usually from someone impersonating a CEO, senior executive or vendor — requesting a payment or account change.
- Step 2: Within minutes, the victim receives a follow‑up message through another channel, such as a phone call or text, “confirming” the fake request.
Sometimes the order is reversed. The goal is psychological reinforcement. While we may rebuff a single attempt, we instinctively trust repeated requests when they appear to come from people we work with.
Cybercriminals understand this — and they exploit it.
“Using multiple channels to contact you can create an illusion of legitimacy,” said Hunt Prothro, Fraud Prevention Manager at Regions. “You need to be inherently suspicious of digital communications and resist the temptation to act on seemingly urgent requests.”
Common Attack Sources
Dual‑channel BEC attempts often impersonate:
- CEOs or senior executives requesting urgent transfers
- Vendors claiming they need updated payment instructions
- IT staff asking for security verification
- Debt collectors demanding immediate payments
How to Prevent These Attacks
- Establish clear protocols: Require employees to confirm any request for funds or sensitive information by calling a verified number on file.
- Empower employees: Reinforce that delays are acceptable — and expected — when verifying financial or security‑related requests.
- Use multiple approvals: Adding a second approver reduces risk and slows down fraudulent attempts.
- Be suspicious of channel changes: Requests to switch from standard communication methods (such as email or official phone numbers) to texts or personal email should be treated as red flags. Legitimate businesses rarely use informal channels for financial transactions.
- Provide ongoing education: Regular training helps employees recognize existing and evolving threats, and respond appropriately.
While dual‑channel BECs are growing exponentially, the simplest defense is having a reliable response and control in place.
Jeff Taylor, head of Commercial Fraud Forensics at Regions Banks
“At Regions, we emphasize STOP, CALL and CONFIRM to our associates and our customers,” Taylor said. “Stop your process, call the requestor at a number you know – not the number in the email or text – and confirm the request is legitimate. While dual‑channel BECs are growing exponentially, the simplest defense is having a reliable response and control in place.”
Additional Resources from Regions.com
Related Articles from Doing More Today
The information presented is general in nature and should not be considered, legal, accounting or tax advice. Regions reminds its customers that they should be vigilant about fraud and security and that they are responsible for taking action to protect their computer systems. Fraud prevention requires a continuous review of your policies and practices, as the threat evolves daily. There is no guarantee that all fraudulent transactions will be prevented or that related financial losses will not occur. Visit regions.com/STOPFRAUD or speak with your Banker for further information on how you can help prevent fraud.