Businesses are familiar with Business Email Compromise attacks. For those new to the term, BECs are sophisticated schemes in which criminals impersonate top executives, employees or trusted vendors to steal funds or sensitive information.
With the rise of artificial intelligence, combined with old‑school social engineering, BEC attempts are becoming more frequent and more convincing.
Now, professional criminals are taking the tactic a step further. Using a new method known as dual‑channel BECs, they communicate through multiple channels at once to bypass existing cyber defenses.
“Millions of records are now available due to recent data breaches,” said Jeff Taylor, head of Commercial Fraud Forensics at Regions Bank. “Fraudsters combine all this data and attack with multiple points of contact to create urgency and weaken defenses.”
How It Works
A dual‑channel BEC remains rooted in email but adds another layer: an immediate phone call or text message to reinforce the fraudulent request.
Here’s how a typical attack unfolds:
• Step 1: An urgent email arrives — usually from someone impersonating a CEO, senior executive or vendor — requesting a payment or account change.
• Step 2: Within minutes, the victim receives a follow‑up message through another channel, such as a phone call or text, “confirming” the fake request.
Sometimes the order is reversed. The goal is psychological reinforcement. While we may rebuff a single attempt, we instinctively trust repeated requests when they appear to come from people we work with.
Cybercriminals understand this — and they exploit it.
“Using multiple channels to contact you can create an illusion of legitimacy,” said Hunt Prothro, Fraud Prevention Manager at Regions. “You need to be inherently suspicious of digital communications and resist the temptation to act on seemingly urgent requests.”
Common Attack Sources
Dual‑channel BEC attempts often impersonate:
• CEOs or senior executives requesting urgent transfers
• Vendors claiming they need updated payment instructions
• IT staff asking for security verification
• Debt collectors demanding immediate payments
How to Prevent These Attacks
1. Establish clear protocols: Require employees to confirm any request for funds or sensitive information by calling a verified number on file.
2. Empower employees: Reinforce that delays are acceptable — and expected — when verifying financial or security‑related requests.
3. Use multiple approvals: Adding a second approver reduces risk and slows down fraudulent attempts.
4. Be suspicious of channel changes: Requests to switch from standard communication methods (such as email or official phone numbers) to texts or personal email should be treated as red flags. Legitimate businesses rarely use informal channels for financial transactions.
5. Provide ongoing education: Regular training helps employees recognize existing and evolving threats, and respond appropriately.
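The callback, second-approver and channel-change controls above can be enforced in a payment workflow rather than left to memory. The sketch below is an added example, not Regions' own tooling; the vendor ID, phone numbers, channel names, field names and 15-minute window are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data: callback numbers recorded at onboarding (assumption).
NUMBERS_ON_FILE = {"acme-supply": "+1-601-555-0100"}
FOLLOWUP_WINDOW_MIN = 15  # assumed threshold for a follow-up "within minutes"

@dataclass
class PaymentRequest:
    claimed_sender: str
    inbound: list                  # (channel, minutes after first contact)
    callback_dialed: str = ""      # number the employee actually called
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)

def review(req, initiator):
    """Return (release, blockers, flags); release only with no blockers."""
    blockers, flags = [], []
    on_file = NUMBERS_ON_FILE.get(req.claimed_sender)
    # Only an outbound call to the number on file counts as verification.
    if on_file is None:
        blockers.append("no verified number on file")
    elif req.callback_dialed != on_file:
        blockers.append("callback was not made to the number on file")
    elif not req.callback_confirmed:
        blockers.append("requester did not confirm on callback")
    # The second approver must be someone other than the initiator.
    if not (req.approvers - {initiator}):
        blockers.append("second approver required")
    # Inbound "confirmations" on another channel are a red flag, not proof.
    channels = {c for c, t in req.inbound if t <= FOLLOWUP_WINDOW_MIN}
    if len(channels) > 1:
        flags.append("dual-channel follow-up within minutes")
    if any(c in ("sms", "personal_email") for c, _ in req.inbound):
        flags.append("informal channel used for a financial request")
    return (not blockers, blockers, flags)

# Constructed scenario: email, then a text 4 minutes later; the employee
# called the number given in the text instead of the one on file.
suspicious = PaymentRequest("acme-supply", [("email", 0), ("sms", 4)],
    callback_dialed="+1-601-555-0199", callback_confirmed=True, approvers={"alice"})
verified = PaymentRequest("acme-supply", [("email", 0)],
    callback_dialed="+1-601-555-0100", callback_confirmed=True, approvers={"alice", "bob"})

if __name__ == "__main__":
    for name, req in (("suspicious", suspicious), ("verified", verified)):
        print(name, review(req, initiator="alice"))
```

Note that the suspicious request stays blocked even though someone "confirmed" it by phone, because the call went to a number supplied by the requester.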
“At Regions, we emphasize STOP, CALL and CONFIRM to our associates and our customers,” Taylor said. “Stop your process, call the requestor at a number you know – not the number in the email or text – and confirm the request is legitimate. While dual‑channel BECs are growing exponentially, the simplest defense is having a reliable response and control in place.”
John Howie, Metro Jackson Market Executive for Regions Bank