Business Email Compromise is the second most financially damaging cybercrime reported to the FBI — not because it involves sophisticated technical exploits, but because it exploits something more fundamental: trust in a familiar name. An attacker doesn't need to break into a system. They simply need you to believe the email came from someone it didn't.
At the core of the most sophisticated BEC campaigns is a technique called a homoglyph attack — the substitution of legitimate letters with visually identical characters from other alphabets. The Cyrillic letter "а" and the Latin letter "a" are indistinguishable to the human eye. They are not the same character. A domain built with one looks identical to a domain built with the other, but leads somewhere entirely different. An email sent from that domain bypasses the mental checkpoint every employee uses when they decide whether to trust a message: does this look like it came from who it says it came from? The answer, when homoglyphs are involved, is always yes — until the wire transfer is gone.
Scale of the threat: The FBI IC3 reports nearly $55.5 billion lost to BEC over the past decade, with $2.8 billion in 2024 alone. BEC attacks increased 15% in 2025, and by mid-2024 an estimated 40% of BEC phishing emails were AI-generated — making them nearly indistinguishable from genuine business correspondence. 63% of organizations experienced at least one BEC attempt in 2025.
Every character displayed on a screen has a unique numerical identifier assigned by the Unicode standard — the global system that allows computers to represent text in every language on earth. The Latin letter "a" is U+0061. The Cyrillic letter "а" — which looks identical — is U+0430. To every human who reads them, they are the same. To every computer system that processes them, they are completely different.
This gap between human perception and machine reality is the attack surface. An attacker who registers a domain using Cyrillic characters where Latin characters would normally appear creates a URL that looks genuine to any human who glances at it, passes basic visual inspection in email clients and browsers, and is technically a different domain that the attacker controls entirely.
Standard email security filters work by comparing domains against known malicious lists and checking for exact string matches. A filter looking for "google.com" will not flag "gооgle.com" — because they are not the same string. The filter was never told to look for that domain. It has never been reported as malicious. It may have been registered hours ago specifically for this attack. It passes every rule-based check.
SPF, DKIM, and DMARC — the email authentication protocols that prevent spoofing of exact domains — provide no protection here. The attacker is not spoofing the legitimate domain. They are sending from their own domain, which they legitimately control, which legitimately passes authentication checks. The problem is not that the email is technically unauthorized. The problem is that it looks authorized to every human who reads it.
Palo Alto Networks Unit 42 documented this in the wild: In real homograph attacks observed by their threat detection team, emails bypassed natural language detection systems because the manipulated words — though appearing identical to legitimate ones — did not match the strings the filters were trained to flag. A filter looking for "Support Message Center" will not catch "Suррогt Меѕѕаgе Сеntеr" even though both look identical on screen.
A homoglyph-enabled BEC attack is not a random mass email campaign. It is a targeted, researched, patient operation. The attacker invests time before sending a single email. Understanding the full sequence reveals how many opportunities exist to detect and stop it — and how few organizations take advantage of them.
BEC has always required social engineering skill — crafting a convincing email that sounds like a specific person, uses the right terminology, and triggers action without raising suspicion. That skill was once a limiting factor. Generating thousands of personalized, contextually accurate, grammatically perfect fraud emails required human effort and local language expertise. Generative AI eliminated that constraint entirely.
By mid-2024, an estimated 40% of BEC phishing emails were AI-generated. The Microsoft MDDR 2025 report found that AI-generated phishing emails achieve an average click rate of 54% — compared to 12% for manually crafted campaigns. The improvement in click rates is not marginal. It is transformational. AI can analyze a target's email history, mimic their writing style, reference ongoing business relationships, and produce output that is indistinguishable from a genuine message.
The combination of AI-generated content with homoglyph domains is particularly dangerous. The domain provides the visual deception. The AI provides the textual authenticity. A recipient who knows to look for grammatical errors, unusual phrasing, or requests that feel slightly off — the traditional indicators of phishing — finds none of them.
New hire targeting: Research from LevelBlue SpiderLabs found a significant increase in BEC attacks targeting newly hired employees specifically. New hires are unfamiliar with their colleagues' roles, personalities, and communication styles — making them unable to recognize inconsistencies that an experienced employee might catch. A new accounts payable clerk receiving an urgent wire transfer request from what appears to be the CFO has no baseline to compare against. The homoglyph domain looks correct. The email sounds correct. They process the payment.
| Control | What It Does | Priority | Cost |
|---|---|---|---|
| Out-of-band transfer verification — mandatory callback to verified number for all wires above threshold | Stops BEC regardless of how convincing the email — attacker cannot intercept a phone call to a known number | Critical | $0 — process change |
| DMARC enforcement — p=reject policy on all company domains | Prevents exact domain spoofing; required by PCI DSS v4.0 as of March 2025 | Critical | Low — configuration |
| Unicode-aware email security — Proofpoint, Mimecast, or Microsoft Defender configured for homoglyph detection | Flags emails from domains containing mixed-script characters or confusable lookalikes | Critical | Included in enterprise tiers |
| Always display full email address — configure Outlook / email client to show domain alongside display name | Removes the hiding place behind friendly names; forces visual domain verification | High | $0 — configuration |
| Proactive homoglyph monitoring — DNSTwist or similar scanning for lookalike domain registrations | Early warning before an attack campaign launches; detects preparation phase | High | Free tools available |
| BEC-specific awareness training — scenario training on payment redirect requests, vendor banking change requests | The human layer; employees who know the pattern are the last defense when technology fails | High | Training investment |
| Network-level homoglyph detection — DNS log and HTTP log analysis for punycode and mixed-script domains | Catches homoglyph domains that employees are communicating with in real time; feeds into SOC alerting. Implemented in zeek_triage.py | High | Free — open source |
The homoglyph detection function added to zeek_triage.py scans both HTTP and DNS logs for domains containing non-ASCII characters or Punycode encoding — the ASCII form, with labels prefixed "xn--", in which internationalized domain names are carried over DNS. A domain like xn--pple-43d.com is the Punycode representation of a domain using a Cyrillic character that visually resembles "apple.com." Any occurrence in network logs is flagged with the decoded domain, the source and destination IPs, and the attack classification.
NIST 800-171 mapping: BEC prevention maps to multiple CMMC controls. Control 3.14.2 (malicious code protection) covers email security gateway deployment. Control 3.2.2 (security awareness) covers BEC-specific training. Control 3.5.3 (multifactor authentication) reduces the impact of credential compromise that enables conversation hijacking. Control 3.6.1 (incident response) covers the immediate action required when a fraudulent transfer is discovered — time to contact the financial institution is measured in minutes, not hours.
Type any domain below to check whether it contains Unicode homoglyphs — non-Latin characters substituted to impersonate a legitimate domain. Try typing a domain with Cyrillic or Greek characters, or paste a suspicious domain from an email you received.
This tool runs entirely in your browser. No domain is transmitted anywhere. For bulk scanning of DNS logs, the homoglyph detection function is implemented in zeek_triage.py.
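As an added illustration (this is not the author's zeek_triage.py nor the browser tool above), the following Python classifies queries from constructed Zeek-style dns.log rows: it decodes Punycode labels, approximates each letter's script from its Unicode character name, and separates mixed-script lookalikes such as xn--pple-43d.com from legitimate single-script IDNs. The sample rows, their three-column layout, and the function names are assumptions made for the example.

```python
import unicodedata

# Constructed Zeek-style dns.log rows (id.orig_h, id.resp_h, query); not a real capture.
SAMPLE_DNS = (
    "10.0.0.5\t8.8.8.8\tgoogle.com\n"
    "10.0.0.7\t8.8.8.8\txn--pple-43d.com\n"       # Punycode for Cyrillic-а "аpple"
    "10.0.0.9\t8.8.8.8\tg\u043e\u043egle.com\n"   # two Cyrillic о inside "google"
    "10.0.0.9\t8.8.8.8\tb\u00fccher.example\n"    # legitimate single-script IDN
)

def decode_idn(domain):
    """Return the Unicode form of a domain, decoding every xn-- (Punycode) label."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep it; the non-ASCII check below still runs
        out.append(label)
    return ".".join(out)

def scripts_of(label):
    """Approximate scripts in a label from letter names ('CYRILLIC SMALL LETTER A' -> CYRILLIC)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}

def classify_domain(domain):
    """None for plain ASCII; 'mixed-script' if one label mixes scripts (the homoglyph
    pattern); 'idn' for a single-script internationalized name such as bücher.example."""
    decoded = decode_idn(domain)
    if decoded.isascii():
        return None
    if any(len(scripts_of(label)) > 1 for label in decoded.split(".")):
        return "mixed-script"
    return "idn"

def triage_dns(log_text):
    """Return (src, dst, raw_query, decoded_query, verdict) for every flagged row."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # Zeek header lines start with '#'
            continue
        src, dst, query = line.split("\t")[:3]
        verdict = classify_domain(query)
        if verdict:
            hits.append((src, dst, query, decode_idn(query), verdict))
    return hits

if __name__ == "__main__":
    for hit in triage_dns(SAMPLE_DNS):
        print(hit)
```

Real Zeek dns.log files carry many more columns and a `#fields` header line; read the positions of `id.orig_h`, `id.resp_h` and `query` from that header rather than assuming the three-column layout constructed here.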
What makes Business Email Compromise uniquely dangerous is the asymmetry. The attacker's cost is a domain registration — under $15 — and a few hours of research. The victim's cost, when the attack succeeds, averages $24,586 per wire transfer. For larger organizations, individual BEC incidents have exceeded $50 million. The FBI describes the cumulative ten-year loss of $55.5 billion as staggering. It is not the result of sophisticated nation-state hacking. It is the result of emails that looked like they came from someone they didn't.
The homoglyph technique is not new — it was first documented in 2001 — but it has become significantly more dangerous as AI removes the skill barrier from social engineering and as internationalized domain names expand the available character set for deception. The defenses exist. Out-of-band verification stops BEC unconditionally. Unicode-aware email security catches what rule-based filters miss. Proactive domain monitoring detects the preparation phase before a single email is sent.
The gap between available defense and actual deployment is not technical. Organizations know BEC exists. The FBI has issued repeated public warnings. The defenses are documented, inexpensive, and effective. The gap is organizational — the same gap that left Stryker's admin accounts without MFA, the same gap that left defense contractor development environments without Unicode scanners. Awareness without action is not security.
If you receive a request to change banking details or initiate a wire transfer by email: Stop. Pick up the phone. Call the requestor at a number you already have — not a number provided in the email. Confirm the request verbally. This single step, applied consistently, makes BEC economically unviable regardless of how convincing the email appears. It costs nothing. It works every time.
All statistics in this report are sourced from publicly available data including the FBI IC3 2024 Annual Report, Palo Alto Networks Unit 42 threat research, LevelBlue SpiderLabs BEC trend analysis, AFP 2025 Fraud and Control Survey, and Microsoft Digital Crimes Unit reporting. This report represents the author's independent analysis for educational purposes.
Yana Ivanov is a security analyst and CMMC compliance consultant based in Connecticut, specializing in cybersecurity risk assessment for defense contractors in the Connecticut defense industrial base. With 15 years of enterprise technology experience and an MS in Information Systems, she brings a practitioner perspective to threat intelligence analysis. She is currently pursuing CompTIA Security+ and CMMC Registered Practitioner certification, with a focus on helping defense supply chain companies achieve genuine — not checkbox — security compliance. This analysis was produced independently as a contribution to the security community's understanding of active threats against US defense infrastructure.