Business Email Compromise Statistics 2025

Business Email Compromise (BEC) continues to be one of the most financially damaging online crimes in 2025.

Business email compromise attacks accounted for 73% of all reported cyber incidents in 2024.

Below, we'll look at the essential BEC stats that organizations needs to know.

To get a full breakdown of 2025's key phishing insights and benchmarks, you can deep-dive into our Phishing Trends Report - packed with original Hoxhunt data.

‍

What you need to know about BEC attacks

BEC is a sophisticated form of phishing attack that specifically targets organizations.

Unlike traditional phishing campaigns that cast wide nets, BEC attacks are meticulously crafted, often involving extensive research and social engineering to impersonate executives, suppliers, or trusted partners.

This high level of personalization makes them particularly effective and difficult to detect.

As we navigate through 2025, the threat landscape is seeing an alarming trend in BEC attacks - with evolving tactics and increased targeting of specific industries.

‍

Key BEC statistics for 2025

Threat actors mostly target businesses

Approximately 66% of phishing attempts focused on organizational resources, primarily employing credential theft techniques and fake billing documents.

The remaining 34% targeted personal information, particularly financial data, with attackers frequently disguising themselves as delivery services or banking institutions.

Whilst bad actors are targeting businesses for the most part, our data here at Hoxhunt showed there was actually a small jump in personal email attacks during the latter half of 2024.

While the exact causes for these shifting patterns remain speculative, the targeting of individuals during summer months suggests attackers strategically adapted their campaigns to coincide with vacation periods.

BEC attacks are growing in volume and effectiveness

• BEC attacks have resulted in an estimated $4.7 billion in financial losses globally in the first quarter of 2025 alone, projecting to exceed $15 billion by year-end.
• Organizations are experiencing a 34% increase in BEC attempts compared to 2024, with an average of 27 sophisticated BEC attacks targeting mid-sized companies each month.
• Despite improved awareness, approximately 17.3% of BEC attacks successfully compromise at least one employee within targeted organizations.
• A successful BEC attack costs $125,000 on average in 2025, with some high-profile cases exceeding $5 million.
• Beyond direct financial losses, companies spend an average of $34,000 in recovery and remediation efforts per BEC incident.

Tactics and techniques and evolving

• To create more convincing impersonations, AI phishing tools are now being used in 43% of BEC attacks.
• 62% of BEC attacks now target supply chain relationships, up from 47% in 2024, exploiting trusted business partnerships.
• In order to bypass MFA, credential harvesting is being used in 38% of BEC campaigns.
• 2024 saw a 56% increase in conversation hijacking, where attackers insert themselves into legitimate email threads to increase credibility.
• Attackers are showing increased patience in developing relationships before attempting fraudulent transactions.The average BEC attack campaign now spans 21 days (up from 14 days in 2024).

Industry-specific targeting

Most targeted industries:

• Financial Services (27% of all BEC attacks)
• Manufacturing (22%)
• Healthcare (18%)
• Professional Services (14%)
• Technology (11%)
• Other industries (8%)

Company size targeting:

• Enterprise (1000+ employees): 32%
• Mid-market (100-999 employees): 45%
• Small Business (under 100 employees): 23%

Department targeting:

• Finance/Accounting: 51%
• Executive Leadership: 23%
• Human Resources: 14%
• IT/Operations: 7%
• Other departments: 5%

Sources: Hoxhunt Phishing Trends Report, Cybersecurity and Infrastructure Security Agency, Gartner

‍

Analysis: what do the current BEC trends tell us?

Advanced impersonation techniques are on the rise

The sophistication of BEC attacks has reached unprecedented levels in 2025.

Our own data from real reported attacks tells us that malicious actors are using increasingly advanced tech to create convincing impersonations:

• Voice cloning: 22% of high-value attacks now incorporate voice elements, where attackers use AI to clone executives' voices for follow-up calls that verify email requests.
• Deepfake video: 7% of executive impersonation BEC attacks now include video elements, such as recorded messages or live video calls using deepfake technology.
• Writing style: AI tools are being used to analyze and replicate the writing style, tone, and common phrases of the impersonated executives, making emails appear more authentic.
• Context-awareness: 63% of successful BEC attacks referenced real company events, projects, or financial activities that attackers gathered through open-source intelligence.

Organizational transitions are being exploited

Organizational changes have become prime opportunities for BEC attackers.

• Companies undergoing mergers or acquisitions experienced 72% more BEC attempts during transition periods.
• Organizations implementing new ERP or financial systems saw a 68% increase in wire transfer fraud attempts.
• Businesses with recent executive changes faced 53% more CEO impersonation attacks within the first 90 days of leadership transition.

Geographic trends in BEC attacks

The landscape of BEC attacks shows interesting geographic patterns:

• North American companies remain the primary targets (41% of global BEC attacks)
• European organizations have seen the fastest growth in attacks (37% increase year-over-year)
• APAC region is experiencing a surge in supply-chain focused BEC (29% increase)
• Emerging markets in Africa and South America are seeing specialized BEC campaigns targeting industries like natural resources and infrastructure development

BEC attackers are strategic about timing

• 47% of attacks are launched mid-week (Tuesday through Thursday)
• 64% of attacks are timed around financial closing periods at month/quarter end
• 38% of attacks are sent within one hour of the executive's regular working hours
• 26% increases in BEC attempts over holiday periods and company events

‍

BEC incident case studies

Manufacturing: TechParts Global Inc.

A mid-sized manufacturing company lost $3.2 million when their CFO authorized a wire transfer to what appeared to be a legitimate supplier changing their banking details.

The attackers had compromised the supplier's email accounts earlier and monitored communications before making the fraudulent request.

Why did this attack succeed?

• The attackers timed their request during a large order fulfilment process
• They referenced specific order numbers and component specifications
• They created a convincing lookalike domain that differed by just one character
• They followed established protocol for banking changes, including sending "official forms"

Sources: FBI Internet Crime Complaint Center, Association of Certified Fraud Examiners

Healthcare: MidState Medical Center

A regional healthcare network was defrauded of $2.7 million through a sophisticated BEC attack that impersonated both their CEO and their construction contractor during a facility expansion project.

Why did this attack succeed?

• The attackers monitored email exchanges about construction payment schedules
• They created lookalike domains for both the CEO and the construction company
• Real architectural plans and timeline milestones were referenced
• An "urgent payment" was requested to prevent construction delays
• Fake invoices were provided that had correct formatting and project codes

Sources: Cybersecurity and Infrastructure Security Agency

Finance: Summit Wealth Advisors LLC

A wealth management firm experienced a BEC attack that didn't target financial transfers but instead sought confidential client information.

Why did this attack succeed?

• The firm's compliance officer was successfully impersonated
• Attackers referenced an actual upcoming regulatory audit
• They successfully established a sense of urgency related to regulatory deadlines
• A convincing SharePoint phishing page was used to harvest credentials

Sources: SANS Institute, Ponemon Institute

‍

The psychology behind BEC attacks

Sources: Hoxhunt, SANS Institute, Cybersecurity and Infrastructure Security Agency, Ponemon Institute

‍

Regulatory and insurance landscape for BEC in 2025

Regulatory developments security leaders should know

• New SEC disclosure requirements mandate reporting of material BEC incidents within 4 business days
• The Federal Financial Institutions Examination Council (FFIEC) has updated guidance specifically addressing BEC controls
• EU's Digital Operational Resilience Act (DORA) now includes specific provisions for financial email fraud prevention - you can read our DORA regulation guide here.
• International banking protocols have established new verification standards for large transfers

Cyber insurance changes

The cyber insurance market has also responded to the BEC threat:

• Premium increases averaging 38% for organizations without documented BEC prevention programs
• New policy exclusions for organizations without multi-factor authentication and DMARC implementation
• Specific BEC endorsements requiring implementation of out-of-band verification for wire transfers
• Coverage sublimits specifically for social engineering fraud

‍

The evolving BEC landscape

Business Email Compromise remains one of the most significant types of attacks facing organizations in 2025.

The financial impact, combined with the increasing sophistication of attacks, means that organizations need a comprehensive defense strategy that addresses technical, procedural and human elements.

The most resilient organizations will be those who developing adaptive security postures that can actually evolve alongside these threats.

‍

Business email compromise prevention strategies

Technical controls: AI-driven security & email authentication

Advanced email authentication: Organizations implementing DMARC, SPF, and DKIM protocols report 62% fewer BEC attempts reaching employee inboxes.

AI-Powered detection systems: Companies using AI-based email security tools that analyze communication patterns report 71% improved detection rates for BEC attempts.

Out-of-band verification: Businesses requiring separate channel verification for transactions over a certain threshold have reduced successful BEC fraud by 83%.

Behavioral analysis systems: Solutions that establish baseline communication patterns for executives and alert on anomalies have shown 67% effectiveness in flagging potential BEC attempts.

Process improvements: strengthen payment & vendor security

Payment verification protocols: Organizations implementing multi-person approval workflows for financial transactions above certain thresholds report 76% reduction in successful BEC fraud.

Vendor management procedures: Companies with formal processes for verifying and updating supplier payment information report 81% fewer successful supply-chain BEC attacks.

Regular security assessments: Organizations conducting quarterly phishing simulations specific to BEC scenarios show 58% improvement in employee detection rates.

Human-centered security: training & awareness

Targeted training programs: Companies providing role-specific BEC training for finance, executive, and procurement teams report 64% higher detection rates among these high-risk groups.

Contextual awareness training: Organizations training employees to identify contextual red flags (urgency, secrecy, pressure tactics) show 53% improved resilience against social engineering.

Security culture development: Businesses fostering open communication about security concerns report employees are 3.7 times more likely to report suspicious emails without fear of reprimand.

‍

How Hoxhunt measurably reduces human risk

Hoxhunt goes beyond security awareness training to drive real, tangible behavior change.

Data breaches start with people, so Hoxhunt does too.

We combine AI and behavioral science to create personalized, adaptive phishing training that employees genuinely engage with and enjoy.

Boost engagement with gamification

Encourage secure behaviors with gamified awareness and micro-trainings that minimize disruption and proactively fill employees' skill gaps.

Personalization at scale

Our platform delivers personalized learning experiences that adapt to each employee's skill level, creating sustainable security behaviors rather than just compliance checkboxes.

Realistic phishing simulations

Practice makes perfect.

Our simulations mirror real-world threats, teaching employees to recognize and report sophisticated phishing attempts before they become breaches.

Track your success with powerful dashboards

Gain actionable insights into your security posture with comprehensive analytics that demonstrate ROI and help identify areas for improvement.

Does this approach actually help reduce risk?

Well, take a look at the results for yourself...

When employees are trained to spot simulated phishing emails, you'll start to see more reports of real-life threats too...

And percentage of users who report real threats will improves over time.

Real threat detection improvement of Hoxhunt-trained users:

• 0 Months in training: 13%
• 1 Month in training: 26%
• 2 Months in training: 34%
• 6 Months in training: 50%
• 12 Months in training: 64%
• 24 Months in training: 71%

We tend to see that 1/2 of employees will report a real threat 6 months into training.

And 2/3 of employees will report a real threat within one year of training.

‍

_Sources

^{Hoxhunt - Phishing Trends Report 2025
FBI Internet Crime Complaint Center - 2024 Internet Crime Report
Cybersecurity and Infrastructure Security Agency - Business Email Compromise: The Billion Dollar Scam
Gartner - Market Guide for Email Security
Ponemon Institute - Cost of Business Email Compromise
SANS Institute - BEC Attack Patterns and Mitigation Strategies
Association of Certified Fraud Examiners - Occupational Fraud Report
World Economic Forum - Global Cybersecurity Outlook}