Business Email Compromise Statistics 2025

Business Email Compromise (BEC) continues to be one of the most financially damaging cyber threats in 2025.

Business email compromise attacks accounted for 73% of all reported cyber incidents in 2024.

Below, we'll look at the essential business email compromise statistics and major trends that organizations needs to know.

To get a full breakdown of 2025's key phishing insights and benchmarks, you can deep-dive into our Phishing Trends Report - packed with original Hoxhunt data.

‍

What you need to know about BEC attacks

Business Email Compromise (BEC) is a financially-driven cyber threat where criminals target existing business relationships.

These attackers impersonate trusted contacts or organizations to manipulate victims into making unauthorized financial transfers.

Perpetrators may alter legitimate invoices or create convincing forgeries.

And in some cases, these scams involve the actual compromise of email accounts to increase authenticity and effectiveness of the fraudulent communications.

As we navigate through 2025, the threat landscape is seeing an alarming trend in BEC attacks - with evolving tactics and increased targeting of specific industries.

‍

Key BEC statistics for 2025

Threat actors mostly target businesses

Our Phishing Trends Report analyzed 386,000 real, malicious emails...

Approximately 66% of phishing attempts focused on organizational resources, primarily employing credential theft techniques and fake billing documents.

The remaining 34% targeted personal information, particularly financial data, with attackers frequently disguising themselves as delivery services or banking institutions.

Whilst bad actors are targeting businesses for the most part, our data here at Hoxhunt showed there was actually a small jump in personal email attacks during the latter half of 2024.

While the exact causes for these shifting patterns remain speculative, the targeting of individuals during summer months suggests attackers strategically adapted their campaigns to coincide with vacation periods.

BEC attacks are growing in volume and effectiveness

• Research shows a 30% increase in BEC attacks as of March 2025.
• BEC attacks are the second most expensive type of breach, costing an average of $4.89 million.
• One report found a 13% increase in BEC attacks in just the first 3 months of 2025, with a notable rise in gift card-related emails.
• BEC attacks make up more than 50% of all social engineering incidents.
• Even organizations with fewer than 1,000 employees have a 70% weekly probability of experiencing at least one BEC attack.
• The average BEC wire transfer request was $24,586 at the start of 2025.
• Verizon’s data also shows that pretexting (the tactic at the heart of BEC) nearly doubled in frequency last year.

Tactics and techniques and evolving

• Generative AI is making BEC lures more convincing and easier to create. By mid-2024, an estimated 40% of BEC phishing emails were AI-generated.
• Gift card scams are one of the most common social engineering tactics. In Q1 of 2024 alone, 37.9% of BEC incidents were gift card schemes.​
• These gift card schemes rely on lower dollar amounts and high volumes of successful attacks.
• Nearly 29% of BEC attacks in early 2024 were advance-fee fraud scams.
• A growing number of BEC now involves compromising trusted third-party vendor email addresses to insert fraudulent payment instructions. Vendor Email Compromise (VEC) attacks rose 66% over the first half of 2024 with attackers exploiting supply chain relationships.

Industry-specific targeting

All sectors are affected: Overall, an estimated 70% of organizations have been targeted by at least one BEC attack.

However some industries are targeted more than others.

Most targeted industries:

1. Manufacturing (27%)
2. Energy (23%)
3. Retail (10%)
4. Utilities (7%)
5. Real Estate (6%)

Source: VIPRE

Company size targeting:

• Largest organizations (50,000+ employees): have nearly a 100% chance of experiencing at least one BEC attack per week, making them the highest risk.
• Organizations with 1,000+ employees: face an 83% to 97% chance of being targeted by BEC each week.
• Smaller organizations (fewer than 1,000 employees): still have a 70% weekly probability of experiencing a BEC attack.
• This shows that all organizations, regardless of size, are at risk of business email compromise.

Source: Abnormal Security

‍

Analysis: what do the current BEC trends tell us?

Advanced impersonation techniques are on the rise

The sophistication of BEC attacks has reached unprecedented levels in 2025.

Our own data from real reported attacks tells us that malicious actors are using increasingly advanced tech to create convincing impersonations.

• BEC criminals excel at pretexting – they impersonate CEOs, CFOs, other executives, or external partners/suppliers. In over 60% of phishing emails, attackers impersonate a well-known brand or entity to exploit existing trust.
• Many BEC emails alter the display name to pose as a high-ranking person - this was observed in 36% of BEC emails in one study.
• Vishing attacks are growing in prevalence, with 30% of organizations reporting instances where threat actors used fake calls to impersonate officials or executives.
• Attackers are now using AI tools to polish their BEC messages. By Q2 2024, about 40% of BEC phishing emails were being flagged as AI-generated content.

Geographic trends in BEC attacks

The landscape of BEC attacks shows interesting geographic patterns:

• United States: remains a hotspot for BEC – largely because of the volume of business conducted and the tendency to report incidents. BEC cyber attacks resulted in reported losses totaling approximately $2.9 billion, with an average loss per incident of $137,000
• Australia: BEC attacks have increased by 7% year-on-year, slightly above the global average.
• Europe: experienced a remarkable 123.8% increase in BEC attacks in April 2024 compared to April 2023.

‍

Case studies: Notable BEC incidents

Zamora Business Fraud

Overview

In December 2024, two companies in Zamora, Spain, were targeted in a BEC attack that led to significant financial losses.

The perpetrators exploited existing business relationships to execute the scam.​

What happened?

Cybercriminals intercepted and altered email communications between the two companies, modifying invoices to include fraudulent banking details.

As a result, payments intended for legitimate services were diverted to accounts controlled by the attackers.

Costs

The total amount defrauded was €19,952.90, with €16,838.18 subsequently recovered. Seven individuals from Málaga were investigated in connection with the fraud.

Source: Cadena SER

Australian corporate account breaches

Overview

In 2024, Australian businesses experienced a notable increase in BEC attacks, with cybercriminals leveraging advanced technologies and social engineering techniques to deceive corporate entities.​

What happened?

Attackers invested months developing sophisticated schemes, often using AI to imitate emails from corporate partners and managers.

These AI-generated phishing scams targeted corporate executives, utilizing advanced technology to craft highly personalized and convincing fraudulent emails.

Companies like Beazley and eBay reported an uptick in such cyber crimes, which often used AI to gather extensive personal data from online profiles.

AI bots mimicked the tone and style of a company or individual, creating tailored phishing campaigns that were more likely to succeed.

Costs

While specific financial losses were not disclosed, it is estimated that businesses collectively lost approximately $2.9 billion annually due to such scams.

Smaller businesses, lacking robust cybersecurity measures, were particularly vulnerable.

Source: The Australian

Orion Chemical Manufacturing

Overview

One of the most significant BEC incidents of 2024 occurred at Orion, a Luxembourg-headquartered chemical manufacturing company.

In August 2024, the company revealed in a filing to the US Securities and Exchange Commission (SEC) that it had lost $60 million in a sophisticated business email compromise attack.

What happened?

The attack targeted a non-executive employee who was tricked into transferring funds to third-party accounts controlled by unknown attackers.

According to Orion's SEC filing dated August 12, 2024, the company determined that "a Company employee, who is not a Named Executive Officer, was the target of a criminal scheme that resulted in multiple fraudulently induced outbound wire transfers to accounts controlled by unknown third parties".

Costs

The company reported that it was working with law enforcement to pursue recovery of the funds through all legally available means, including potentially available insurance coverage.

Fortunately, there was no evidence that the attackers gained unauthorized access to company systems or data beyond the specific BEC attack.

Source: Infosecurity Magazine

‍

The psychology behind BEC attacks

Sources: Dark Reading, The National Law Review

‍

Effectiveness of social engineering techniques

Authority & “CEO fraud”

Employees tend to comply with requests from top executives.

Attackers know that an email appearing to be from a CEO or CFO carries weight - people are reluctant to question it.

This authority bias leads targets to act quickly even if a request is odd​.

New employees after often targeted in their first 2-7 weeks, with phishing emails impersonating top executives like the CEO and CFO. 

But even well-trained staff can be caught off-guard by a convincingly worded note from their company’s leader.

A U.S. subsidiary of a European energy firm was hit by a clever BEC attack that combined authority, urgency, and artificial intelligence back in 2019.

The CEO of the parent company supposedly called the subsidiary’s finance chief urgently requesting a transfer of funds for a secret acquisition.

The twist: the voice on the phone sounded exactly like the CEO – but it was actually a deepfake.

Believing his boss truly needed quick help, the victim wired €220,000.

Urgency & fear

Creating a false crisis or deadline makes victims far more likely to respond without due diligence.

Scammers often create urgency combined with a sense of fear (missing a payment, upsetting the CEO, losing a deal) to get the victim to act immediately.

This fear of negative impact, combined with very little time to think, causes people to bypass normal checks.

The prevalence of urgent wording in phishing shows it works – attackers wouldn’t consistently use it if it didn’t yield results.

By compressing the decision time, attackers prevent targets from consulting others or noticing red flags, greatly increasing their success rate.

Trust (vendor/partner impersonation)

Posing as a known vendor or colleague is extremely effective because it lowers the victim’s guard.

If an accounts payable clerk receives an email from a supplier they regularly pay, asking to update bank details or pay an overdue invoice, it appears routine.

Organizations that have strict verification for unusual CEO requests might not apply the same scrutiny to what looks like a normal vendor transaction.

This has enabled very large frauds.

As one example of the trust tactic’s success: Google and Facebook lost over $100 million collectively to a scammer who simply sent them invoices impersonating a real hardware supplier they used.

Because the requests matched ongoing business relationships, employees didn’t blink before paying.

Modern BEC campaigns now use real compromised email accounts to carry out fraud because a message from a real account is most convincing.

In 2023 alone vendor email compromise attacks were up 137%, and most likely saw a similar increase in 2024.

‍

Evolution of BEC tactics: what's changed?

Generative AI is creating more polished, personalized emails

2023 saw threat actors embrace generative AI tools to enhance BEC campaigns.

This has led to a massive surge in BEC volume – a 1,760% year-over-year increase in BEC attacks.

Since the popularisation of generative AI tools, BEC has gone from being only 1% of all cyber attacks in 2022 to 18.6% of all attacks.

​Now, in 2025, we’re seeing BEC emails that are nearly indistinguishable from genuine business correspondence in language and formatting, making them harder for busy employees to spot.

Sophisticated payment diversion schemes

BEC groups have refined their methods.

Attackers now often attempt to intercept or redirect real pending payments.

For example, they might insert themselves into a vendor conversation and ask the company to pay an “outstanding invoice” to a new bank account.

Direct wire transfer requests now only account for around 4% of BEC cash-out attempts.

Multi-channel social engineering & deepfakes

We’re now starting to see more blended attacks where an email sets up a phone call, or a text message preys on urgency.

The use of AI voice clones and video deepfakes is still relatively rare but growing.

As the technology becomes more accessible, high-value BEC targets may face extremely convincing impostors via Zoom/Teams or voicemail.

Globalization and scale

BEC is no longer a boutique crime – it’s industrializing.

Services on the dark web now sell BEC-as-a-Service kits (pre-made email templates, fake personas, etc.), and criminal groups share techniques for bypassing security (like using localized/residential IP addresses to avoid geolocation-based fraud detection)

‍

Regulatory and insurance landscape for BEC in 2025

Regulatory developments security leaders should know

U.S. regulations

• PCI DSS v4.0: Organizations processing payment cards must implement DMARC email authentication by March 31, 2025, facing penalties for non-compliance.
• Mandatory DMARC Enforcement (Email Providers): Email providers (e.g., Google, Yahoo) enforce DMARC for high-volume email senders starting from 2024-2025, significantly reducing spoofed emails that drive BEC attacks.
• MFA Standards (U.S. Government Agencies): U.S. government mandates adoption of phishing-resistant MFA for email and critical systems by 2024-2025 under the Federal Zero Trust strategy to combat credential-based BEC attacks.

Global regulations

• EU NIS2 Directive (Effective Late 2024 onward): EU entities must report significant cybersecurity incidents (including severe BEC attacks) within 24 hours, risking fines of up to €10 million for non-compliance.
• EU DORA Regulation (Effective 2025): Requires European financial institutions to strengthen cybersecurity around third-party communications, directly impacting defenses against BEC.
• UK NCSC Guidelines (2024-2025): Updated guidance urges UK businesses to adopt stronger anti-BEC practices such as mandatory DMARC, multi-factor authentication (MFA), regular employee training, and defined incident response plans.

Changes to wider cybersecurity standards

• Mandatory email authentication (DMARC/SPF/DKIM): DMARC has moved from best-practice to mandatory requirement in 2025, significantly reducing spoofed BEC emails.
• MFA adoption: MFA is now an industry-standard cybersecurity requirement in frameworks like NIST and ISO 27001 to protect against email account compromises facilitating BEC attacks.
• Better employee security training: Frequent phishing simulations and mandatory employee awareness training have become standard requirements by regulatory authorities (FFIEC, NY DFS) and cybersecurity frameworks to combat BEC threats.
• Formal incident response protocols: Organizations are widely adopting mandatory verification processes (callbacks, dual-approval) for payment requests, reducing successful BEC fraud attempts

Cyber insurance trends

• Continued high premiums and strict underwriting: Cyber insurance premiums remain elevated due to frequent BEC-related claims. Insurers require robust anti-BEC security measures (MFA, DMARC, verified payment processes) for policy eligibility. Organizations lacking these defenses typically face significantly higher premiums or reduced coverage.
• Limited BEC coverage: Standard cyber policies increasingly exclude or limit BEC coverage unless a specific "Social Engineering Fraud" endorsement is purchased.
• Increased selectivity by insurers: Cyber insurers now closely evaluate cybersecurity defenses during underwriting, requiring documented evidence of BEC protections (email authentication, MFA, employee training) as prerequisites for comprehensive coverage.

‍

Business email compromise prevention strategies

Email authentication (DMARC/SPF/DKIM)

Implementing email authentication protocols helps prevent spoofed domains and can flag imposter emails.

DMARC in particular allows a domain to tell receivers how to handle unauthenticated mail purporting to be from that domain (e.g. reject or quarantine).

Adoption of DMARC is growing – one analysis found overall DMARC adoption rose from 43% to 54% of senders in 2024​.

However, enforcement remains an issue.

Many organizations only monitor DMARC rather than enforce rejection.

In some industries only about 1 in 5 organizations have strict DMARC enforcement in place​.

Email security filters

Modern secure email gateways and cloud email security tools use AI and pattern detection to catch BEC attempts.

Some solutions can detect when an email’s display name matches an executive but originates from the wrong domain, alerting the recipient.

Others sandbox any links (in case BEC crosses into phishing for credentials).

While these technologies aren’t perfect, they have some success in reducing how many malicious emails reach inboxes.

Strict verification protocols

Regardless of the technology you're using, establishing business process controls is crucial.

Implement policies to verify any request for funds or sensitive data through a second channel.

If an email requests a wire transfer, require a verbal confirmation via phone with the supposed requester or other approval steps.

This simple 'trusted callback' procedure has foiled countless BEC attempts.

Multi-factor authentication (MFA)

Enabling MFA on email accounts (and other key accounts) helps prevent the account compromise aspect of BEC.

If attackers can’t actually breach your executives’ email accounts due to MFA, they are forced to rely on spoofing alone (which is easier to catch).

Wider MFA adoption is making a real difference...

In 2023, 58% of BEC attacks targeted organizations without MFA in place.

But by Q1 2024 only 25% of BEC attacks hit orgs lacking MFA​.

This suggests many companies secured their accounts with MFA, which meant attackers had a harder time – likely shifting tactics.

Incident response and recovery

Despite best efforts, some BEC attempts may succeed.

So, it’s essential to have an incident response plan for fraudulent transfer events.

In many cases, if the victim or bank acts quickly, funds can be frozen or recalled.

In fact, over 50% of BEC victims were able to recover at least 82% of their stolen money.​

This is likely due to rapid reporting – when banks and law enforcement (like the FBI) are alerted in time, they can often work to claw back the money before it disappears offshore.

Human-centered security: training & awareness

Since BEC preys on human behavior, changing employee behavior is essential if you want to reduce the likelihood of a successful BEC threat.

Regular security awareness training and phishing simulations can dramatically improve employees’ ability to spot and report BEC attempts.

According to our own data here at Hoxhunt, phishing risk can be measurably reduced when phishing training is based on behavior.

Employees can be trained to recognize and report social engineering attacks with a 6x improvement in 6 months, and reduce the number of phishing incidents per organization by 86%.​

‍

How Hoxhunt measurably reduces human risk

Hoxhunt goes beyond security awareness training to drive real, tangible behavior change.

Data breaches start with people, so Hoxhunt does too.

We combine AI and behavioral science to create personalized, adaptive phishing training that employees genuinely engage with and enjoy.

Boost engagement with gamification

Encourage secure behaviors with gamified awareness and micro-trainings that minimize disruption and proactively fill employees' skill gaps.

Personalization at scale

Our platform delivers personalized learning experiences that adapt to each employee's skill level, creating sustainable security behaviors rather than just compliance checkboxes.

Realistic phishing simulations

Practice makes perfect.

Our simulations mirror real-world threats, teaching employees to recognize and report sophisticated phishing attempts before they become breaches.

Track your success with powerful dashboards

Gain actionable insights into your security posture with comprehensive analytics that demonstrate ROI and help identify areas for improvement.

Does this approach actually help reduce risk?

Well, take a look at the results for yourself...

When employees are trained to spot simulated phishing emails, you'll start to see more reports of real-life threats too...

And percentage of users who report real threats will improves over time.

Real threat detection improvement of Hoxhunt-trained users:

• 0 Months in training: 13%
• 1 Month in training: 26%
• 2 Months in training: 34%
• 6 Months in training: 50%
• 12 Months in training: 64%
• 24 Months in training: 71%

We tend to see that 1/2 of employees will report a real threat 6 months into training.

And 2/3 of employees will report a real threat within one year of training.

‍

_Sources

^{Eye Security - BEC Incidents Surge in 2024 Driving Up Insurance Costs
‍Surefire Cyber - BEC Trends and Changes in Root Point of Compromise
‍IBM - Business Email Compromise
‍Fortra - BEC Global Insights Reports (January & February 2025), Top 5 Takeaways from Fortra’s 2023 BEC Report
‍Secureframe - Data Breach Statistics
‍Abnormal Security - BEC and VEC Attack Trends
‍SC World - AI-generated Emails Make Up 40% of BEC Lures
‍APWG - Phishing Trends Report Q1 2024
‍Security Boulevard - Gift Cards Requested in Two-Thirds of BEC Attacks
‍Perception Point - Cyber Attacks Surge in H1 2024, GenAI Drives 1760% Surge in BEC Attacks, EU NIS2 Directive: Key Facts
‍Arctic Wolf - Why Business Email Compromise is More Popular Than Ever
‍VIPRE Security - Q3 2024 Email Threat Report
‍The SSL Store - Business Email Compromise Statistics
‍The Australian - Scammers Targeting Lucrative Corporate Accounts
‍Cadena SER - BEC Scam Targets Companies in Zamora, Spain
‍Infosecurity Magazine - Manufacturing Loses $60M to BEC
‍Dark Reading - BEC: Impersonation the Weapon of Choice, Deepfake Audio Scores $35 Million in Corporate Heist, Time to Get Strict with DMARC
‍National Law Review - Impersonation Most Prolific Phishing Tactic in 2024
‍AutoSPF - Impersonation as Leading Phishing Strategy of 2024
‍Reuters - Lithuanian Pleads Guilty to Massive Fraud Against Google and Facebook
‍Tripwire - Business Email Compromise Statistics
‍Microsoft - Shifting Tactics Fuel Surge in Business Email Compromise
‍The Hacker News - PCI DSS 4.0 Mandates DMARC by March 31, 2025
‍Mimecast - Guide to Google DMARC Setup
‍Beyond Encryption - UK Business Email Compromise Guidance
‍Email on Acid - Importance of a Strong DMARC Policy
‍Cobalt.io - Top Cybersecurity Statistics for 2025
‍Verizon - 2023 Data Breach Investigations Report (DBIR)}