LEGALAUDIT

Scam Watch

How can you recognize LLM written BEC email — perfect grammar across languages, no telltale typos?

TLDR

Threat actors use ChatGPT / Claude / local LLMs to write Business Email Compromise lures in flawless English, Italian, German, French, Mandarin etc. Removes the historical 'broken grammar' filter. Tells: 1) tone is templated formal but...

How it works

Threat actors use ChatGPT / Claude / local LLMs to write Business Email Compromise lures in flawless English, Italian, German, French, Mandarin etc. Removes the historical 'broken grammar' filter. Tells: 1) tone is templated formal but...

Red flags

  • Urgent pressure to click, pay, or share codes immediately.
  • A link or sender that does not match the official organization.
  • Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.

What to do

  1. 1true vendor email which carries a reply chain); 3) uses generic urgency phrasing ('please action ASAP', 'before end of day'); 4) requests change of payment details with no operational reason; 5) signature block exactly matches public email signature scraped from LinkedIn.
  2. 2DO: verify any payment change via callback to a number you held BEFORE the email; deploy DMARC + display name spoofing controls + LLM detection at the gateway.

Source

Microsoft-Digital-Defense-Report-2024

Source reviewed by Mythos Forensic Team

https://www.microsoft.com/security/security-insider/microsoft-digital-defense-report-2024

FAQ

Is LLM written BEC email — perfect grammar across languages, no telltale typos a real scam pattern?

Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.

What are the first warning signs?

Urgent pressure to click, pay, or share codes immediately.; A link or sender that does not match the official organization.; Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.

What should I do first?

true vendor email which carries a reply chain); 3) uses generic urgency phrasing ('please action ASAP', 'before end of day'); 4) requests change of payment details with no operational reason; 5) signature block exactly matches public email signature scraped from LinkedIn.; DO: verify any payment change via callback to a number you held BEFORE the email; deploy DMARC + display name spoofing controls + LLM detection at the gateway.

Can LegalAudit check my case?

Yes. Start a free chat and paste the message, link, sender, or payment details for triage.