
Jan 29, 2026

The Scam Email Followed by a Phone Call Is Business Email Compromise's New Playbook

Criminals are combining fraudulent emails with phone calls, texts, and WhatsApp messages to bypass security controls. These dual-channel BEC attacks cost businesses over $2.7 billion in 2024.


Your finance team receives an urgent email from the CEO requesting an immediate wire transfer. Before anyone can question it, the phone rings. A caller claiming to be the CEO's assistant confirms the request and presses for fast action.

The email alone might have raised suspicions. Combined with a confirming phone call, it feels legitimate. And that's exactly what criminals are counting on.

Welcome to dual-channel business email compromise, the evolved form of one of the most expensive cybercrimes facing organizations today.

The Numbers Are Staggering

Business email compromise remains one of the costliest cyberattacks. According to FBI data, BEC caused over $2.7 billion in adjusted losses in 2024 alone. Research shows BEC attacks are the second most expensive type of breach, costing organizations an average of $4.89 million per incident.

And the problem is growing. LevelBlue SpiderLabs tracked a 15 percent increase in BEC activity throughout 2025, with attackers adopting increasingly sophisticated techniques.

The shift to dual-channel attacks explains why: as organizations improve email security, criminals are finding new ways around those defenses.

How Dual-Channel Attacks Work

The concept is simple but devastatingly effective. Criminals use multiple communication channels, either simultaneously or in sequence, to make their scam more convincing.

The most common pattern: a fraudulent email demanding an urgent payment arrives, followed almost immediately by a phone call, SMS, or WhatsApp message that appears to confirm the request.

Sometimes the order is reversed. A phone call establishes context first, followed by an email providing written instructions that reference the call.

LevelBlue's systems tallied over 5,000 unique dual-channel attacks in 2025. In 66 percent of cases, criminals tried to move conversations to traditional SMS messaging. In 32 percent, they shifted to messaging apps like WhatsApp. The remaining 2 percent redirected victims to personal email addresses.

Why It Works

Dual-channel attacks exploit a fundamental aspect of human psychology: we trust confirmation from multiple sources.

An email alone might trigger suspicion. Training has taught employees to verify unusual requests. But when that email is followed by a phone call from someone who sounds authoritative and references the email, the verification feels like it already happened.

Authority bias plays a critical role. When requests appear to come from executives, vendors, or other authority figures, employees feel compelled to act quickly. The combination of email and voice contact lowers the chance that anyone demands further verification.

Security researchers note that the shift reflects stronger email security controls adopted by many organizations. As technical defenses improve, criminals are relying less on a single channel and more on coordinated pressure across multiple platforms.

Callback Phishing: Making Victims Initiate Contact

A related technique that more than doubled in popularity during 2025 is callback phishing, where criminals encourage victims to call them first.

An email might claim there's a problem with an invoice, a subscription renewal, or a security alert. Instead of including a malicious link, it provides a phone number to call.

When the victim calls, they reach a criminal who uses social engineering to extract payment information, credentials, or remote access to their computer.

This technique is particularly effective because the victim initiated the contact. They don't feel like they're being scammed because they made the call.

Common Attack Themes

BEC attacks typically impersonate specific types of senders:

  • CEOs and senior executives requesting urgent transfers
  • Vendors with updated payment instructions
  • Debt collection agencies demanding immediate payment
  • IT staff requiring credential verification

Popular email themes include queries about availability, invoice or wire transfer requests, and payroll detail changes. Researchers have noted that attackers are using longer message bodies than in the past, adding details designed to appear more authentic.

Multi-Persona Impersonation

Some sophisticated attacks now use fake email threads involving multiple personas. A victim might receive what appears to be a forwarded conversation between the CEO and CFO discussing a confidential acquisition, with instructions to wire funds to a specific account.

The fake thread provides context and makes the request seem like part of an ongoing business decision rather than an isolated demand.

When combined with a follow-up phone call, these attacks can be nearly impossible to distinguish from legitimate business communications.

Protecting Your Organization

Defending against dual-channel BEC requires more than technical controls. Organizations need cultural and procedural changes:

Establish verification protocols: Any request for payment or sensitive information should require verification through a channel the requestor did not initiate. If someone calls to confirm an email, call back using a known number from your records.

Create a verify-first, pay-later culture: Employees should feel empowered to delay urgent requests while verifying. Make it clear that no one will be punished for taking time to confirm a legitimate request.

Implement stricter financial controls: Require multiple approvals for large transfers. Establish out-of-band verification for any changes to vendor payment information.

Train continuously: Regular staff training, simulated phishing, and social engineering exercises help employees recognize attack patterns. Training should specifically address multi-channel scenarios.

Be suspicious of channel switching: Any request to move communication from email to SMS, WhatsApp, or personal email should be treated as a red flag.
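
The channel-switching and callback cues described above can be turned into a mail-triage heuristic. The following is an added example, not code from the original article: the cue patterns, the `triage` function, the sample messages and the phone directory are all constructed for illustration, and it assumes single-part plain-text messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Cue patterns constructed from the themes this article names; tune them for your mail flow.
CHANNEL_SWITCH = re.compile(r"\b(whatsapp|sms|text me|personal e-?mail|cell number|mobile number)\b", re.I)
PAYMENT_THEME = re.compile(r"\b(wire transfer|invoice|payroll|payment instructions|are you available)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away)\b", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
URL = re.compile(r"https?://", re.I)

def domain(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def triage(raw, known_numbers):
    """Return the dual-channel BEC cues found in one single-part, plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    if CHANNEL_SWITCH.search(body):
        flags.append("channel_switch")
    if PAYMENT_THEME.search(body) and URGENCY.search(body):
        flags.append("urgent_payment_theme")
    # Callback phishing: a phone number that is not in our records, and no link to scan.
    numbers = [re.sub(r"\D", "", n) for n in PHONE.findall(body)]
    if any(n not in known_numbers for n in numbers) and not URL.search(body):
        flags.append("callback_number_not_on_file")
    reply_to = domain(msg.get("Reply-To", ""))
    if reply_to and reply_to != domain(msg.get("From", "")):
        flags.append("reply_to_domain_mismatch")
    return flags

# Constructed sample messages and directory (555-01xx numbers are reserved for fiction).
KNOWN_NUMBERS = {"15550100123"}
SAMPLE_CEO = ('From: "Pat Lee, CEO" <pat.lee@example.com>\n'
              "Reply-To: pat.lee.office@example.net\nSubject: Are you available?\n\n"
              "Are you available? I need an urgent wire transfer handled.\n"
              "I'm in meetings, so text me on WhatsApp with your cell number.\n")
SAMPLE_CALLBACK = ("From: Billing <billing@vendor.example>\nSubject: Subscription renewal\n\n"
                   "Your subscription has renewed. To dispute the charge, call\n"
                   "+1 (555) 010-0199 immediately.\n")
SAMPLE_VENDOR = ("From: Accounts <ap@vendor.example>\nSubject: Invoice 20431\n\n"
                 "Invoice 20431 is attached. Questions? Call us on +1 (555) 010-0123.\n")

if __name__ == "__main__":
    for name, raw in [("ceo", SAMPLE_CEO), ("callback", SAMPLE_CALLBACK), ("vendor", SAMPLE_VENDOR)]:
        print(name, triage(raw, KNOWN_NUMBERS))
```

A flag here is a reason to route the message for verification through a known number on file, not a verdict that the message is fraudulent.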

The Future of BEC

Security experts expect dual-channel BEC attacks to become the norm rather than the exception. As AI makes voice impersonation easier and attackers become more sophisticated, the line between legitimate and fraudulent communications will continue to blur.

Organizations that rely solely on email security tools will find themselves increasingly vulnerable. The most effective defense combines technical controls with human awareness and rigorous verification procedures.

The next time an urgent request arrives followed by a confirming phone call, that confirmation should make you more suspicious, not less. In the era of dual-channel BEC, the extra effort to verify might be the only thing between your organization and a multimillion-dollar loss.