Dual-Channel BEC Attacks

‘Dual-Channel’ Attacks Emerge as the New Face of Business Email Compromise in 2026

The420.in Staff

Business Email Compromise (BEC) remains a serious and rapidly evolving cyber threat for organisations in 2026. Cyber criminals are increasingly adopting so-called “dual-channel” attack methods, using more than one communication medium to deceive a single target. By pairing emails with phone calls, SMS messages and instant messaging apps, fraudsters are making fake instructions appear more credible and urgent.

Cyber security experts say the shift reflects stronger email security controls adopted by many organisations. As technical defences improve, criminals are relying less on a single channel and more on coordinated pressure across multiple platforms, exploiting human trust and urgency to succeed.

What are dual-channel BEC attacks

In traditional BEC schemes, criminals gain access to—or impersonate—a legitimate business email account to trick employees, finance teams or business partners into transferring money or sharing sensitive information. Dual-channel attacks take this a step further.

Typically, a fraudulent email demanding an “urgent payment” is followed almost immediately by a phone call, SMS or WhatsApp message that appears to confirm the request. In some cases, the order is reversed: a phone call establishes context first, followed by an email providing written “instructions”. The use of two channels together reassures the victim that the request is genuine.

Why the threat is growing

Researchers and investigators say criminals are making extensive use of data obtained from breaches and social media. Information about job roles, reporting structures, supplier relationships and internal workflows helps attackers craft messages that look routine and legitimate.

Voice-over-internet-protocol (VoIP) services and disposable phone numbers allow fraudsters to hide their identities while operating at scale. At the same time, generative artificial intelligence tools are being used to create more convincing emails and call scripts, lowering the skill barrier and increasing the effectiveness of scams.

Sectors most at risk

BEC attacks can affect organisations of any size, but some sectors face higher exposure. Real estate, legal services, manufacturing and healthcare are particularly vulnerable because of frequent time-sensitive payments and third-party transactions.

Attackers often target finance teams, accounts payable departments and senior executives, where pressure to act quickly can override verification checks. In supplier fraud cases, criminals impersonate vendors and request changes to bank account details, reinforcing the deception with follow-up calls or messages.

Financial losses remain severe

Despite years of awareness campaigns, BEC continues to be among the most financially damaging cyber crimes. Losses in many cases run into crores of rupees, and recovery becomes extremely difficult if transactions are not reported immediately.

Experts warn that dual-channel tactics make detection harder because employees may treat confirmation through a second channel as proof of legitimacy. In reality, both channels are controlled by the attacker.

Why existing defences fall short

Many organisations still rely heavily on technical email security while underestimating the social engineering aspect of BEC. Multi-factor authentication and email filtering reduce the risk of account compromise, but they do not fully prevent impersonation or fraudulent communications from external accounts.

Without strict verification processes for payment requests and changes to financial details, organisations remain exposed to increasingly sophisticated scams.

Research and expert warning

According to research by Future Crime Research Foundation, dual-channel attacks are making BEC more organised and dangerous by combining technology with psychological pressure.

Former IPS officer and noted cyber crime expert Professor Triveni Singh warns that urgent payment demands or unusually sensitive requests are always red flags. When the same instruction arrives through two different channels, he says, it should trigger extra verification rather than blind acceptance.

What organisations can do

Cyber security specialists recommend a layered defence strategy. Key measures include mandatory out-of-band verification for payment requests, strict controls on changes to supplier bank details, and clear escalation procedures for unusual or urgent demands.

Regular staff training, simulated phishing and social-engineering exercises, and a “verify first, pay later” culture are considered critical steps to counter BEC threats in 2026.
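
The out-of-band rule above can be written as a payment-release gate. This sketch is an added example, not from the article or the researchers it cites. It counts a confirmation only when staff placed the contact themselves, on a different channel, to a number already on file, so an inbound call or message that follows the email never counts. The vendor record, phone number, field names and decision labels are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed vendor master: details held on file before any request arrived.
VENDOR_MASTER = {
    "V-1001": {"phone": "+00-000-555-0100", "bank_account": "ACCT-ON-FILE-001"},
}

@dataclass
class Confirmation:
    channel: str    # "phone", "sms", "whatsapp", "email"
    direction: str  # "inbound" (they contacted us) or "outbound" (we contacted them)
    contact: str    # number or address used for this contact

@dataclass
class PaymentRequest:
    vendor_id: str
    channel: str          # channel the request itself arrived on
    bank_account: str
    urgent: bool = False
    confirmations: list = field(default_factory=list)

def evaluate(req, master=VENDOR_MASTER):
    """Return (decision, reasons); decision is 'release', 'hold' or 'escalate'."""
    record = master.get(req.vendor_id)
    if record is None:
        return "escalate", ["vendor not in master record"]
    reasons = []
    # Only a callback we placed, on another channel, to the contact on file counts.
    verified = any(
        c.direction == "outbound" and c.channel != req.channel
        and c.contact == record["phone"]
        for c in req.confirmations
    )
    bank_changed = req.bank_account != record["bank_account"]
    if not verified and any(c.direction == "inbound" for c in req.confirmations):
        reasons.append("inbound second-channel confirmation is not verification")
    if bank_changed:
        reasons.append("bank details differ from vendor master")
    if req.urgent:
        reasons.append("urgency pressure")
    if not verified:
        reasons.append("no out-of-band callback to contact on file")
        # Missing verification plus any other red flag goes to escalation.
        return ("escalate" if len(reasons) > 1 else "hold"), reasons
    if bank_changed:
        return "hold", reasons  # verified, but the change still needs controlled approval
    return "release", reasons
```
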

Security experts caution that dual-channel BEC attacks are likely to become the norm rather than the exception. In this environment, vigilance, procedural discipline and a strong verification culture will be more important than ever.

About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
