Published 2026-02-05 by TechNet New England
According to the FBI's IC3 2024 Annual Report, Business Email Compromise (BEC) was the second most costly cybercrime type, causing nearly $2.8 billion in losses in the United States. BEC attacks accounted for 73% of all reported cyber incidents in 2024.
What Is Business Email Compromise?
BEC attacks involve criminals impersonating trusted parties - executives, vendors, partners, or employees - to trick victims into transferring money or revealing sensitive information. Unlike phishing attacks that cast wide nets, BEC attacks are targeted and researched.
Attackers may spend weeks studying their targets, learning organizational structure, communication patterns, and business relationships. The resulting messages are often indistinguishable from legitimate business correspondence.
Attack Volume and Trends
Security researchers observed a 1,760% year-over-year increase in BEC attacks. Since the popularization of generative AI tools, BEC has grown from just 1% of all cyber attacks in 2022 to 18.6% of all attacks.
By mid-2024, an estimated 40% of BEC phishing emails were AI-generated. In a 2025 academic study, AI-crafted phishing emails achieved 54% click rates compared to 12% for human-written ones.
Common BEC Scenarios
CEO Fraud
Attackers impersonate executives and request urgent wire transfers from finance staff. The requests typically involve time pressure and secrecy.
Vendor Email Compromise
Criminals compromise or impersonate vendor accounts and send fraudulent invoices with updated payment information. VEC attacks rose 66% over the first half of 2024.
Gift Card Schemes
In Q1 2024, 37.9% of BEC incidents were gift card schemes. Attackers impersonate managers and ask employees to purchase gift cards for "client gifts" or "employee rewards."
Payroll Diversion
Attackers impersonate employees and ask HR to update direct deposit information, redirecting paychecks to attacker-controlled accounts.
Financial Impact
- The average BEC wire transfer request was $24,586 at the start of 2025
- The average successful BEC transaction is $157,000
- 79% of companies have faced at least one BEC attack in one year
- 63% of organizations experienced BEC in 2024 according to AFP surveys
Why BEC Succeeds
BEC attacks exploit trust and process gaps rather than technical vulnerabilities:
- Employees trust messages that appear to come from colleagues
- Time pressure prevents verification
- Wire transfers are difficult to reverse
- Organizations lack verification procedures for payment changes
Protection Measures
- Verification procedures - Require out-of-band verification for wire transfers and payment changes
- Email authentication - Implement DMARC, DKIM, and SPF to prevent domain spoofing
- Security awareness - Train employees to recognize BEC tactics
- Multi-person approval - Require multiple approvals for large transactions
- Account protection - Enable MFA on all email accounts to prevent compromise
TechNet New England can help implement email security controls and employee training to reduce BEC risk.
Sources: FBI IC3 2024 Annual Report, Hoxhunt BEC Statistics, Eftsure BEC Statistics 2025