New Phishing Service ARToken Makes Business Email Compromise Easier: What You Need to Know

If you run a small business or handle email communications at work, you’ve probably heard about phishing attacks. But there’s a more targeted and costly variant called business email compromise (BEC) that scammers have been refining for years. Now, a new phishing-as-a-service platform called ARToken is making these sophisticated attacks available to nearly anyone willing to pay.

Here’s what ARToken is, how it works, and – most importantly – what you can do to protect yourself and your organization.

What happened

In early July 2026, cybersecurity news outlet SC Media reported the emergence of ARToken, a service designed specifically for BEC attacks. BEC attacks involve impersonating a trusted person – often a CEO, vendor, or business partner – to trick an employee into sending money or sensitive data.

ARToken operates as a “phishing-as-a-service” platform, meaning criminals don’t need deep technical skills to use it. According to the report, the platform automates several stages of an attack:

  • Reconnaissance: It scans public information about a target organization to identify who key employees are, how they communicate, and what internal processes look like.
  • Spoofing: It can create convincing email addresses that appear to come from a legitimate domain, often using slight misspellings or lookalike domains.
  • Automated campaign management: Attackers can launch and track BEC campaigns without manual effort.

This is not a theoretical threat. Reports from the FBI and other agencies consistently rank BEC among the costliest types of cybercrime, with billions of dollars lost annually.

Why it matters now

ARToken lowers the barrier for criminals. Before services like this, carrying out a convincing BEC attack required a fair amount of research and manual effort. Now, an attacker can input a company name and have the platform do the background work. That means more organizations – including small businesses that often lack dedicated security teams – are likely to face these attacks.

The platform also increases the sophistication of the emails. Instead of generic phishing attempts, targets may receive messages that reference real employees, current projects, or even internal jargon. That makes it harder to spot a fake.

What you can do to defend against BEC attacks

While ARToken makes the attacker’s job easier, the fundamentals of defense remain the same. Here are practical steps for both individuals and businesses:

1. Implement email authentication protocols. Three standards – SPF, DKIM, and DMARC – help prevent attackers from spoofing your domain. If you haven’t set them up, talk to your IT provider or domain host. DMARC is especially important because it tells receiving email servers what to do with messages that fail authentication (e.g., reject or quarantine). Many free and low-cost tools can help configure these records.

2. Verify unusual requests by phone. BEC attacks often rely on a sense of urgency – “I need you to wire this payment immediately” or “Please send the employee W-2s right now.” If you get an email requesting money, gift cards, or sensitive data, pause and call the person using a number you know is correct, not one from the email signature. A quick phone call can stop a fraud in its tracks.

3. Look for red flags in the email itself. Attackers using ARToken may still leave clues:

  • Slight domain variations (e.g., your-company.com vs. your-company.net)
  • Language oddities (even with automation, phrasing can feel off)
  • Requests that bypass normal approval processes
  • Emails from a known contact but with a new, unexpected request

4. Train employees regularly. A one-time security training isn’t enough. Brief, periodic reminders about BEC scams – perhaps a monthly email or a short department meeting – keep the threat top of mind. Encourage staff to report suspicious emails, even if they clicked something they shouldn’t have.

5. Enable advanced email security features. If your email provider offers anti-phishing filters, machine learning detection, or sandboxing for attachments, use them. Many business-grade email services include these features. For small businesses on a tight budget, even free options like Google Workspace or Microsoft 365 have built-in protections that can catch many BEC attempts.

Stay vigilant

ARToken is a reminder that cybercriminals are continuing to professionalize their operations. The best defense is not expensive software but consistent, simple habits: verify before you act, distrust urgency, and secure your email domain.

For more details on ARToken itself, see the original reporting from SC Media (published July 1, 2026). And if you’re responsible for email security in your organization, now is a good time to review your DMARC policy and talk to your team about how to handle unexpected payment requests.

Sources: SC Media, “New phishing-as-a-service platform ARToken offers advanced BEC capabilities,” July 2026. Additional context from FBI IC3 annual reports on BEC losses.