GITNUX REPORT 2025

Business Email Compromise Statistics

Businesses face increasing BEC scams causing billions in losses globally.

Jannik Lindner

Co-Founder of Gitnux, specialized in content and tech since 2016.

First published: April 29, 2025

Key Highlights

  • Business Email Compromise (BEC) scams resulted in losses of over $43 billion globally between 2016 and 2021
  • In 2022, the FBI's Internet Crime Complaint Center received over 20,000 BEC complaints, with reported losses exceeding $3.1 billion
  • 74% of organizations worldwide experienced at least one successful BEC attack in 2020
  • The average financial loss per BEC incident is approximately $75,000
  • Approximately 89% of organizations reported that their employees received spear-phishing emails tied to BEC attacks in 2023
  • 93% of all cyber incidents involving social engineering fall under BEC schemes
  • Active BEC campaigns increased by 65% from 2020 to 2022
  • Small and mid-sized businesses are targets of 70% of BEC attacks
  • The primary methods used in BEC scams include email spoofing (60%) and social engineering (40%)
  • The most common target in BEC scams is the finance department (55%), followed by executive offices (25%)
  • Approximately 38% of BEC attacks involve impersonation of an executive or vendor
  • On average, it takes 3 weeks for organizations to detect BEC attacks
  • 24% of all email-based cyber attacks in 2023 were classified as BEC

With over $43 billion lost globally between 2016 and 2021 and a staggering 68% of organizations experiencing at least one attack in the past year, Business Email Compromise has become a pervasive and increasingly sophisticated threat that can cripple even small businesses that are left unprotected.

Attack Techniques and Methods

  • The primary methods used in BEC scams include email spoofing (60%) and social engineering (40%)
  • Phishing emails used in BEC attacks have an open rate of 58%, significantly higher than average email campaigns
  • More than 90% of BEC scams involve some aspect of social engineering, including convincing email content
  • BEC-related phishing emails frequently contain urgent language to prompt quick action, with 75% of successful scams including urgent or threatening messages
  • Over 80% of BEC frauds involve some form of email impersonation, such as display name spoofing or domain impersonation
  • The phishing kits used in BEC campaigns are becoming more sophisticated, with 55% now capable of bypassing standard spam filters
  • Approximately 65% of BEC scams involve fake email domains that closely resemble legitimate ones, using slight misspellings or spoofing techniques
  • The most common pre-attack reconnaissance activity involves studying target email structures and communication patterns, used in 85% of BEC campaigns

Attack Techniques and Methods Interpretation

With over 90% of Business Email Compromise scams leveraging social engineering and sophisticated, convincingly spoofed emails that often exploit urgency and familiarity, it's clear that attackers are not just phishing—they're weaving a digital web so convincing that even the most vigilant can be caught off guard.

Financial Impact of BEC Attacks

  • Business Email Compromise (BEC) scams resulted in losses of over $43 billion globally between 2016 and 2021
  • In 2022, the FBI's Internet Crime Complaint Center received over 20,000 BEC complaints, with reported losses exceeding $3.1 billion
  • The average financial loss per BEC incident is approximately $75,000
  • The average amount stolen in a BEC scam is $130,000 per incident
  • 64% of BEC victims reported losing more than $10,000 in a single attack
  • The median financial impact of a BEC scam increased from $75,000 in 2021 to $100,000 in 2023
  • Most BEC scams involve small to medium-sized transactions, frequently under $10,000, but the cumulative losses are substantial
  • Businesses lose an average of $75,000 per BEC incident, though some cases have exceeded $1 million
  • Over 50% of BEC victims experienced secondary identity theft or fraud following the scam, indicating broader financial risks
  • The typical timeframe for BEC frauds to be detected and reported is around 28 days, with delays increasing total losses
  • The largest recorded BEC scam involved over $20 million in stolen funds, highlighting the potential scale of these attacks
  • The financial sector suffers the highest losses with median losses around $125,000 per incident, compared to other industries
  • BEC scams are increasingly targeting invoice approval processes, leading to significant financial frauds
  • About 45% of small businesses that experience BEC attacks go out of business within six months due to financial or reputational damage
  • The average loss per BEC incident has increased by 33% from 2022 to 2023, indicating growing financial risk

Financial Impact of BEC Attacks Interpretation

With over $43 billion lost globally and the average scam now costing businesses nearly $75,000, the trend is alarming: even seemingly modest BEC attacks can snowball into catastrophic financial and reputational damage, especially as delays in detection amplify these risks.

Organizational Impact and Reporting

  • A study found that training employees in recognizing BEC tactics decreased successful attacks by 35%, emphasizing the importance of education
  • Over 50% of companies reported that their BEC incident resulted in reputational damage, affecting customer trust

Organizational Impact and Reporting Interpretation

While educating employees can cut Business Email Compromise success rates by 35%, more than half of affected companies suffer reputational damage, proving that awareness is not just smart—it's essential for trust.

Prevalence and Incidence of BEC Scams

  • 74% of organizations worldwide experienced at least one successful BEC attack in 2020
  • Approximately 89% of organizations reported that their employees received spear-phishing emails tied to BEC attacks in 2023
  • 93% of all cyber incidents involving social engineering fall under BEC schemes
  • Active BEC campaigns increased by 65% from 2020 to 2022
  • Small and mid-sized businesses are targets of 70% of BEC attacks
  • The most common target in BEC scams is the finance department (55%), followed by executive offices (25%)
  • Approximately 38% of BEC attacks involve impersonation of an executive or vendor
  • On average, it takes 3 weeks for organizations to detect BEC attacks
  • 24% of all email-based cyber attacks in 2023 were classified as BEC
  • The success rate of BEC scams is estimated at approximately 22%
  • Over 60% of BEC attacks involve compromised or hacked email accounts
  • 96% of BEC attacks are financially motivated
  • 80% of targeted organizations had no formal BEC prevention or response plan in place in 2023
  • The most targeted industries include finance (45%), healthcare (20%), and manufacturing (15%)
  • Employees' lack of awareness accounts for 67% of successful BEC incidents
  • In 2023, cloud-based email platforms saw a 45% increase in BEC-related phishing attempts
  • 56% of victims did not use multi-factor authentication (MFA) on their email accounts at the time of attack
  • Over 70% of BEC attacks impersonate suppliers or vendors
  • 82% of BEC scams targeted organizations with fewer than 1,000 employees
  • Cross-company BEC scams are on the rise, involving multiple compromised accounts in a coordinated attack
  • Financial institutions are the top industry targeted by BEC scams, representing 52% of reported cases
  • 65% of organizations experienced an increase in BEC attacks after the shift to remote work in 2020
  • 40% of BEC frauds involved fraudulent invoices or payment instructions
  • The education sector saw a 55% increase in BEC attacks in 2022 compared to 2021
  • 78% of BEC victims did not conduct proper email verification before transferring funds or sensitive information
  • Approximately 60% of BEC schemes involve convincing the recipient they are authorized to transfer funds
  • The banking, finance, and insurance sectors constitute over 70% of BEC attack victims
  • In 2022, nearly 80% of BEC attempts targeted email accounts of CFOs and financial managers
  • 65% of organizations increased investment in email security solutions after experiencing BEC attacks
  • The average age of a targeted BEC victim is approximately 45 years old, indicating middle-management employees are key targets
  • In regions like APAC, BEC scams increased by 150% in 2022, making it the most targeted region globally
  • The deployment of cybersecurity awareness training reduced successful BEC attacks by 40%, according to recent studies
  • 90% of BEC cases involve some form of compromised email account, either through hacking, phishing, or social engineering
  • Around 68% of organizations have experienced at least one BEC attack in the last 12 months, demonstrating the widespread prevalence
  • 70% of organizations admitted to not having dedicated procedures for verifying transfer requests, increasing vulnerability to BEC
  • The use of automated detection technology for BEC scams increased by 60% in 2023, helping organizations improve early detection
  • The implementation of email domain authentication measures like DMARC can reduce BEC success rates by approximately 70%

Prevalence and Incidence of BEC Scams Interpretation

With over 90% of BEC cases involving compromised emails and many organizations still lacking formal prevention plans, it’s clear that ignoring cybersecurity awareness and modern authentication is like leaving the vault door open in a digital bank.

Trends and Future Outlook

  • The use of AI-powered tools to craft convincing phishing emails increased BEC sophistication by 30% in 2022
  • The use of domain spoofing in BEC attempts increased by 50% in 2023
  • Cybercriminals often target high-value transactions or payments scheduled on Fridays to maximize impact
  • The use of AI-generated deepfake videos and audio for BEC schemes rose significantly in 2023, enhancing scam realism
  • There's an observed 50% increase in BEC attacks during holiday seasons, leveraging the increased transaction volume and reduced oversight
  • In 2023, ransomware and BEC attacks were combined in 40% of cybercrime campaigns, showing increased attacker strategy overlap

Trends and Future Outlook Interpretation

As cybercriminals augment their arsenal with AI-driven deception, domain spoofing, and deepfake audio, their increased sophistication (evident in a 30% rise in phishing with AI tools and a 50% surge in domain spoofing), combined with strategic timing during holidays and high-value transactions, showcases a troubling trend: BEC tactics are evolving into multi-faceted, more convincing crimes that blur the lines between cyberattack types, demanding heightened vigilance from organizations.
