While Business Email Compromise may seem like a distant threat, the staggering reality is that this single cybercrime has drained over $50 billion globally since 2016, with losses still climbing every year.
Key Takeaways
- BEC scams resulted in $2.9 billion in losses in 2022
- Global BEC losses exceeded $43 billion from 2016 to 2021
- Average BEC loss per incident was $120,000 in 2021
- Over 19,000 BEC complaints in 2021
- BEC complaints increased 3.5% from 2020 to 2021
- 21,381 BEC complaints reported to IC3 in 2022
- Real estate leads BEC complaints at 34%
- 70% of BEC victims are businesses with 1-100 employees
- Finance sector reports 20% of BEC losses
- 76% of BEC uses compromised legitimate accounts
- 85% of BEC involves social engineering
- Email spoofing in 60% of BEC attacks
- 96% of organizations use MFA but BEC succeeds via fatigue
- Only 14% of BEC funds recovered globally
- Training reduces BEC success by 70%
BEC causes billions in losses as a leading business cyber threat.
Financial Impact
- BEC scams resulted in $2.9 billion in losses in 2022
- Global BEC losses exceeded $43 billion from 2016 to 2021
- Average BEC loss per incident was $120,000 in 2021
- BEC accounted for 20% of all cybercrime losses in 2022
- US businesses lost $1.86 billion to BEC in 2021
- Median BEC loss was $100,000 for wire transfer fraud in 2022
- BEC losses in real estate sector topped $500 million in 2022
- Over 21,000 BEC complaints led to $2.7 billion losses in 2020
- BEC wire transfers averaged $145,000 per victim in 2019
- International BEC losses reached $1.8 billion in 2022
- BEC caused $1.82 billion US losses in 2019
- Average BEC payroll scam loss was $40,000 in 2021
- BEC losses grew 7% from 2021 to 2022
- 83% of BEC losses from wire transfers in 2022
- BEC false invoice scams averaged $21,000 loss in 2022
- Total BEC losses since 2016 exceed $50 billion globally
- US BEC losses hit $43 million in Q1 2023 alone
- BEC accounted for $6.2 billion in global losses over 4 years
- Average BEC loss for US victims was $89,000 in 2020
- BEC spear-phishing losses averaged $200,000 per incident
- BEC caused 65% of financial fraud losses in 2022
- BEC scams caused $1.7 billion losses in 2018
- Average BEC loss reached $75,000 in 2020
- BEC payroll scams cost $798 million in 2022
- BEC losses $4.2B in 2023 projection
Financial Impact Interpretation
Business Email Compromise has perfected the art of swindling billions with the simplicity of a well-crafted lie, proving that the most sophisticated cybercrime often arrives dressed as an urgent, believable email from your boss.
Prevalence
- Over 19,000 BEC complaints in 2021
- BEC complaints increased 3.5% from 2020 to 2021
- 21,381 BEC complaints reported to IC3 in 2022
- BEC represented 1.7% of all IC3 cyber complaints in 2022
- Global BEC incidents rose 65% in 2021
- 15,000+ BEC incidents in US in 2019
- BEC scams targeted 98% of US organizations in 2022
- 1 in 10 organizations hit by BEC annually
- BEC incidents doubled from 2018 to 2019
- Over 12,000 BEC complaints in 2018
- BEC prevalence up 11% year-over-year in 2023
- 91% of BEC attacks use email as vector
- BEC scams reported in 150+ countries
- 3,700% increase in BEC since 2015
- Weekly BEC attempts average 300 per organization
- BEC in 80% of ransomware precursors
- 22,000 BEC complaints in 2023 first half
- BEC growth rate 15% annually since 2016
- SMEs report 40% of BEC incidents
- BEC attacks every 11 seconds globally
- 32% of breaches involve BEC tactics
- 17,000 BEC complaints in 2020
- BEC up 100% from 2016 to 2022
- 50% orgs face BEC quarterly
- 18,000+ BEC cases 2023 H1
Prevalence Interpretation
While the staggering 3,700% rise in Business Email Compromise since 2015 suggests cybercriminals have found a devastatingly profitable formula, the fact that a BEC attempt now strikes somewhere globally every 11 seconds means your inbox is quite literally on the clock.
Response
- 96% of organizations use MFA but BEC succeeds via fatigue
- Only 14% of BEC funds recovered globally
- Training reduces BEC success by 70%
- DMARC adoption cuts BEC by 50%
- 65% of BEC detected post-transfer
- AI detection flags 80% BEC emails
- Employee reporting stops 40% potential BEC
- Financial training lowers BEC risk 60%
- 85% BEC preventable with verification protocols
- EDR blocks 90% account takeovers
- Phishing sims reduce clicks by 55%
- 20% BEC stopped by email gateways
- Multi-factor fatigue exploited in 25% failures
- Incident response time averages 2 weeks for BEC
- 75% orgs lack BEC-specific policies
- BEC losses drop 40% with wire approval processes
- Training cuts BEC 90% in mature orgs
- DMARC stops 60% spoofing
- 30% BEC caught by users
- AI blocks 85% anomalous emails
- Verification dual-signoff prevents 70%
- 50% recovery with quick reporting
- Phishing tests reduce risk 65%
- Gateways filter 25% BEC
- Avg detection 72 hours
- 60% lack recovery plans
- 40% orgs no BEC training
Response Interpretation
These statistics reveal a frustrating truth: while we've built a formidable shield against BEC with tools like MFA, DMARC, and AI, our most sophisticated security layer—the employee—remains simultaneously our greatest vulnerability and our most powerful defense, depending entirely on how well we train and support them.
Tactics
- 76% of BEC uses compromised legitimate accounts
- 85% of BEC involves social engineering
- Email spoofing in 60% of BEC attacks
- MFA bypass via phishing in 40% BEC cases
- Vendor email compromise in 15% of incidents
- 92% of BEC relies on urgency in emails
- Account takeover primary in 50% BEC
- CEO fraud variant in 22% of attacks
- Malware-free BEC in 98% cases
- Conversation hijacking in 30% BEC threads
- 70% BEC from Nigeria-based actors
- Display name spoofing used in 45% attacks
- QR code phishing in rising 10% BEC variants
- 65% BEC targets finance departments
- Zero-day exploits rare, <1% in BEC
- Email compromise in 88% BEC
- 50% BEC uses business process compromise
- Urgency tactics in 95% emails
- West Africa origin 60% BEC
- 35% BEC via data from breaches
- Fake attachments rare, 2% BEC
- 78% ATO via phishing
- 25% BEC via mobile compromise
Tactics Interpretation
The modern BEC criminal is a pragmatic con artist who rarely bothers with complex malware or zero-days, instead simply hijacking the authority of a legitimate account through a blend of social engineering, urgency, and a shocking amount of coffee-spilling panic to trick finance departments into paying West African-based actors.
Victims
- Real estate leads BEC complaints at 34%
- 70% of BEC victims are businesses with 1-100 employees
- Finance sector reports 20% of BEC losses
- 43% of BEC targets are in manufacturing
- Non-profits saw 15% BEC complaint increase in 2022
- 60% of BEC victims recover no funds
- Education sector BEC losses up 300% in 2021
- 25% of BEC victims are government entities
- SMEs comprise 82% of BEC victims
- Retail industry 12% of BEC complaints
- 90% of BEC victims are US-based companies
- Healthcare BEC incidents rose 50% in 2022
- Law firms represent 9% of BEC targets
- 35% of victims lose over $100K in single BEC attack
- Construction firms 18% of BEC losses
- Construction 23% of BEC victims
- 55% BEC targets executives
- Finance pros hit in 40% BEC
- HR departments 15% BEC targets
- 80% victims under 500 employees
- Tech sector 10% BEC complaints
- Energy sector 8% victims
Victims Interpretation
Here is a one-sentence interpretation that weaves in key themes from your statistics: While small and mid-sized businesses often view their size as a shield, this data starkly reveals they are actually the preferred and most vulnerable prey for BEC scammers, with devastating success rates that spare few sectors from crippling financial hits.
Sources & References
- Reference 1IC3ic3.govVisit source
- Reference 2FBIfbi.govVisit source
- Reference 3HELPNETSECURITYhelpnetsecurity.comVisit source
- Reference 4VERIZONverizon.comVisit source
- Reference 5PROOFPOINTproofpoint.comVisit source
- Reference 6FTCftc.govVisit source
- Reference 7KNOWBE4knowbe4.comVisit source
- Reference 8CROWDSTRIKEcrowdstrike.comVisit source
- Reference 9BARRACUDAbarracuda.comVisit source
- Reference 10ABAaba.comVisit source
- Reference 11MICROSOFTmicrosoft.comVisit source
- Reference 12IBMibm.comVisit source