20 Business Email Compromise Statistics 2025

Business Email Compromise (BEC) is one of the most financially damaging cyber threats facing organizations today. These attacks involve fraudsters impersonating trusted contacts, such as executives, suppliers, or internal staff, to trick employees into sending payments or confidential information.

BEC scams have become increasingly sophisticated, often slipping past traditional email security filters and targeting finance and accounts payable teams. As outlined in our guide to protecting your business from BEC attacks, the financial and reputational risks can be significant.

To help you stay informed and proactive, here are the key statistics that illustrate the scale and impact of BEC worldwide.

Author’s Top Picks

  • $6.7 billion was lost globally to BEC, making it the costliest cybercrime.
  • 1 in 10 email attacks involved BEC tactics.

Business email compromise stats

1. $6.7 billion was lost globally to BEC, making it the costliest cybercrime.

It accounted for the majority of total cyber-enabled financial losses.

2. $1.38 billion was the estimated value of the global BEC market in 2023.

It’s projected to grow at a CAGR of 22.4% through 2030.

3. $1.99 billion is the projected size of the North American BEC market by 2030.

This growth is driven by increasing demand for prevention tools.

4. 19.8% is the expected CAGR of the North American BEC market from 2024 to 2030.

This reflects significant growth in the region.

5. 1 in 10 email attacks involved BEC tactics.

BEC has become a staple method in email-based fraud.

6. 40% of BEC emails were found to be AI-generated.

This reflects the growing sophistication of cyberattacks.

7. 94% of organizations experienced phishing attacks in 2024.

BEC was a frequent method used to exploit business email.

8. 70% increase in conversation hijacking attacks tied to BEC.

Scammers are increasingly infiltrating real email threads.

9. 67% of BEC attacks originated from free webmail services.

Attackers commonly use services like Gmail to spoof identities.

10. 13% increase in BEC attacks was observed in February 2025 alone.

This indicates a short-term surge in attack frequency.

BEC statistics

11. $2.9 billion in losses were reported in the U.S. due to BEC in 2023.

This makes it the second-costliest type of cybercrime reported.

This underscores the financial burden on insured organizations.

13. $261,000 was the average loss per BEC incident in the healthcare sector.

Healthcare was the hardest-hit industry by average cost.

14. $487,000 was the average business interruption cost for SMEs hit by BEC.

For large businesses, disruption costs exceeded $26 million.

15. $137,000+ was the average loss per BEC incident in the U.S.

This reflects the scale of damage from individual scams.

16. $43,000+ was the average amount requested in BEC wire transfer scams.

This reflects the common payout target per incident.

FBI BEC statistics

17. $55.5 billion in exposed losses were attributed to BEC scams globally.

This figure comes from law enforcement and financial institution reports worldwide.

This marks a continued year-over-year increase.

This figure includes both domestic and international incidents.

20. 305,000+ BEC incidents have been reported across industries and sectors.

These include cases in business, government, healthcare, and education.

FAQs

Business Email Compromise, or BEC, is a cybercrime where attackers impersonate someone trusted, like a company executive or vendor, to trick employees into sending money or confidential information. It usually happens over email and can be hard to detect.

Phishing often involves mass emails with generic messages. BEC is much more targeted. Attackers research their victims, monitor conversations, and sometimes gain access to real email accounts to make their messages appear legitimate.

Employees responsible for payments or sensitive communications are common targets. This includes finance teams, executives, and anyone who works with external vendors. Smaller businesses can be especially vulnerable if they don’t have strong security practices in place.

Red flags include urgent payment requests, last-minute changes to banking details, unusual timing (such as emails sent after hours), or email addresses that are slightly altered. The tone of the message may also feel out of place, even if the sender appears familiar.
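As an added example (not part of the original article), the red flags above, together with the free-webmail origin noted in statistic 9, can be checked mechanically as a first-pass triage step for mail reaching accounts payable. The trusted-domain list, webmail list, keyword patterns and 08:00-18:00 business hours are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumed values for this example: own/vendor domains, free-webmail list, keyword patterns.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.example"}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|iban|routing)\b", re.I | re.S)

# Constructed sample message (not real mail): digit "1" replaces "l" in the sender domain.
SAMPLE = """From: "Jane Doe (CFO)" <jane.doe@examp1e-corp.com>
Subject: Urgent: updated bank details for invoice 1042
Date: Sat, 15 Mar 2025 22:47:00 +0000

Please use our new bank account for today's payment and process it immediately.
"""

def edit_distance(a, b):
    """Levenshtein distance, used to spot slightly altered sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_red_flags(raw_message):
    """Return the red flags found in one single-part RFC 5322 message."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = []
    if domain not in TRUSTED_DOMAINS:
        if any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
            flags.append("lookalike_domain")
        if domain in FREE_WEBMAIL:
            flags.append("free_webmail_sender")
    if URGENCY.search(text):
        flags.append("urgent_request")
    if BANK_CHANGE.search(text):
        flags.append("bank_detail_change")
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None  # sender's stated offset
    if sent and (sent.weekday() >= 5 or not 8 <= sent.hour < 18):
        flags.append("after_hours")
    return flags

print(bec_red_flags(SAMPLE))
```

A message that raises several flags at once is a candidate for the out-of-band verification described in the next answer; these checks narrow what a human reviews and do not replace that step.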

Always verify changes to payment information through a separate communication method, like a phone call. Train employees to recognize suspicious behavior, and implement email security tools such as SPF, DKIM, and DMARC. Introducing multi-step approval for financial transactions also adds protection.

Respond immediately. Contact your bank to attempt to stop or reverse the payment. Report the incident to the appropriate cybercrime authority. In the United States, that would be the FBI’s Internet Crime Complaint Center (IC3). Acting quickly increases the chance of recovering funds.

Because they rely on trust. The emails often use real names, reference actual business processes, and appear to come from legitimate sources. This makes them difficult to detect, especially when they don’t contain typical scam indicators.
