While Business Email Compromise may seem like a distant threat, the staggering reality is that this single cybercrime has drained over $50 billion globally since 2016, with losses still climbing every year.
Key Takeaways
- BEC scams resulted in $2.9 billion in losses in 2022
- Global BEC losses exceeded $43 billion from 2016 to 2021
- Average BEC loss per incident was $120,000 in 2021
- Over 19,000 BEC complaints in 2021
- BEC complaints increased 3.5% from 2020 to 2021
- 21,381 BEC complaints reported to IC3 in 2022
- Real estate leads BEC complaints at 34%
- 70% of BEC victims are businesses with 1-100 employees
- Finance sector reports 20% of BEC losses
- 76% of BEC uses compromised legitimate accounts
- 85% of BEC involves social engineering
- Email spoofing in 60% of BEC attacks
- 96% of organizations use MFA but BEC succeeds via fatigue
- Only 14% of BEC funds recovered globally
- Training reduces BEC success by 70%
In 2026, business email compromise (BEC) remains one of the most costly email-based cyber threats, with organizations reporting losses in the billions of dollars worldwide.
Financial Impact
1BEC scams resulted in $2.9 billion in losses in 2022
Verified2Global BEC losses exceeded $43 billion from 2016 to 2021
Verified3Average BEC loss per incident was $120,000 in 2021
Verified4BEC accounted for 20% of all cybercrime losses in 2022
Directional5US businesses lost $1.86 billion to BEC in 2021
Single source6Median BEC loss was $100,000 for wire transfer fraud in 2022
Verified7BEC losses in real estate sector topped $500 million in 2022
Verified8Over 21,000 BEC complaints led to $2.7 billion losses in 2020
Verified9BEC wire transfers averaged $145,000 per victim in 2019
Directional10International BEC losses reached $1.8 billion in 2022
Single source11BEC caused $1.82 billion US losses in 2019
Verified12Average BEC payroll scam loss was $40,000 in 2021
Verified13BEC losses grew 7% from 2021 to 2022
Verified1483% of BEC losses from wire transfers in 2022
Directional15BEC false invoice scams averaged $21,000 loss in 2022
Single source16Total BEC losses since 2016 exceed $50 billion globally
Verified17US BEC losses hit $43 million in Q1 2023 alone
Verified18BEC accounted for $6.2 billion in global losses over 4 years
Verified19Average BEC loss for US victims was $89,000 in 2020
Directional20BEC spear-phishing losses averaged $200,000 per incident
Single source21BEC caused 65% of financial fraud losses in 2022
Verified22BEC scams caused $1.7 billion losses in 2018
Verified23Average BEC loss reached $75,000 in 2020
Verified24BEC payroll scams cost $798 million in 2022
Directional25BEC losses $4.2B in 2023 projection
Single sourceFinancial Impact Interpretation
Business Email Compromise has perfected the art of swindling billions with the simplicity of a well-crafted lie, proving that the most sophisticated cybercrime often arrives dressed as an urgent, believable email from your boss.
Prevalence
1Over 19,000 BEC complaints in 2021
Verified2BEC complaints increased 3.5% from 2020 to 2021
Verified321,381 BEC complaints reported to IC3 in 2022
Verified4BEC represented 1.7% of all IC3 cyber complaints in 2022
Directional5Global BEC incidents rose 65% in 2021
Single source615,000+ BEC incidents in US in 2019
Verified7BEC scams targeted 98% of US organizations in 2022
Verified81 in 10 organizations hit by BEC annually
Verified9BEC incidents doubled from 2018 to 2019
Directional10Over 12,000 BEC complaints in 2018
Single source11BEC prevalence up 11% year-over-year in 2023
Verified1291% of BEC attacks use email as vector
Verified13BEC scams reported in 150+ countries
Verified143,700% increase in BEC since 2015
Directional15Weekly BEC attempts average 300 per organization
Single source16BEC in 80% of ransomware precursors
Verified1722,000 BEC complaints in 2023 first half
Verified18BEC growth rate 15% annually since 2016
Verified19SMEs report 40% of BEC incidents
Directional20BEC attacks every 11 seconds globally
Single source2132% of breaches involve BEC tactics
Verified2217,000 BEC complaints in 2020
Verified23BEC up 100% from 2016 to 2022
Verified2450% orgs face BEC quarterly
Directional2518,000+ BEC cases 2023 H1
Single sourcePrevalence Interpretation
While the staggering 3,700% rise in Business Email Compromise since 2015 suggests cybercriminals have found a devastatingly profitable formula, the fact that a BEC attempt now strikes somewhere globally every 11 seconds means your inbox is quite literally on the clock.
Response
196% of organizations use MFA but BEC succeeds via fatigue
Verified2Only 14% of BEC funds recovered globally
Verified3Training reduces BEC success by 70%
Verified4DMARC adoption cuts BEC by 50%
Directional565% of BEC detected post-transfer
Single source6AI detection flags 80% BEC emails
Verified7Employee reporting stops 40% potential BEC
Verified8Financial training lowers BEC risk 60%
Verified985% BEC preventable with verification protocols
Directional10EDR blocks 90% account takeovers
Single source11Phishing sims reduce clicks by 55%
Verified1220% BEC stopped by email gateways
Verified13Multi-factor fatigue exploited in 25% failures
Verified14Incident response time averages 2 weeks for BEC
Directional1575% orgs lack BEC-specific policies
Single source16BEC losses drop 40% with wire approval processes
Verified17Training cuts BEC 90% in mature orgs
Verified18DMARC stops 60% spoofing
Verified1930% BEC caught by users
Directional20AI blocks 85% anomalous emails
Single source21Verification dual-signoff prevents 70%
Verified2250% recovery with quick reporting
Verified23Phishing tests reduce risk 65%
Verified24Gateways filter 25% BEC
Directional25Avg detection 72 hours
Single source2660% lack recovery plans
Verified2740% orgs no BEC training
VerifiedResponse Interpretation
These statistics reveal a frustrating truth: while we've built a formidable shield against BEC with tools like MFA, DMARC, and AI, our most sophisticated security layer—the employee—remains simultaneously our greatest vulnerability and our most powerful defense, depending entirely on how well we train and support them.
Tactics
176% of BEC uses compromised legitimate accounts
Verified285% of BEC involves social engineering
Verified3Email spoofing in 60% of BEC attacks
Verified4MFA bypass via phishing in 40% BEC cases
Directional5Vendor email compromise in 15% of incidents
Single source692% of BEC relies on urgency in emails
Verified7Account takeover primary in 50% BEC
Verified8CEO fraud variant in 22% of attacks
Verified9Malware-free BEC in 98% cases
Directional10Conversation hijacking in 30% BEC threads
Single source1170% BEC from Nigeria-based actors
Verified12Display name spoofing used in 45% attacks
Verified13QR code phishing in rising 10% BEC variants
Verified1465% BEC targets finance departments
Directional15Zero-day exploits rare, <1% in BEC
Single source16Email compromise in 88% BEC
Verified1750% BEC uses business process compromise
Verified18Urgency tactics in 95% emails
Verified19West Africa origin 60% BEC
Directional2035% BEC via data from breaches
Single source21Fake attachments rare, 2% BEC
Verified2278% ATO via phishing
Verified2325% BEC via mobile compromise
VerifiedTactics Interpretation
The modern BEC criminal is a pragmatic con artist who rarely bothers with complex malware or zero-days, instead simply hijacking the authority of a legitimate account through a blend of social engineering, urgency, and a shocking amount of coffee-spilling panic to trick finance departments into paying West African-based actors.
Victims
1Real estate leads BEC complaints at 34%
Verified270% of BEC victims are businesses with 1-100 employees
Verified3Finance sector reports 20% of BEC losses
Verified443% of BEC targets are in manufacturing
Directional5Non-profits saw 15% BEC complaint increase in 2022
Single source660% of BEC victims recover no funds
Verified7Education sector BEC losses up 300% in 2021
Verified825% of BEC victims are government entities
Verified9SMEs comprise 82% of BEC victims
Directional10Retail industry 12% of BEC complaints
Single source1190% of BEC victims are US-based companies
Verified12Healthcare BEC incidents rose 50% in 2022
Verified13Law firms represent 9% of BEC targets
Verified1435% of victims lose over $100K in single BEC attack
Directional15Construction firms 18% of BEC losses
Single source16Construction 23% of BEC victims
Verified1755% BEC targets executives
Verified18Finance pros hit in 40% BEC
Verified19HR departments 15% BEC targets
Directional2080% victims under 500 employees
Single source21Tech sector 10% BEC complaints
Verified22Energy sector 8% victims
VerifiedVictims Interpretation
Here is a one-sentence interpretation that weaves in key themes from your statistics: While small and mid-sized businesses often view their size as a shield, this data starkly reveals they are actually the preferred and most vulnerable prey for BEC scammers, with devastating success rates that spare few sectors from crippling financial hits.
Sources & References
- Reference 1IC3ic3.govVisit source
- Reference 2FBIfbi.govVisit source
- Reference 3HELPNETSECURITYhelpnetsecurity.comVisit source
- Reference 4VERIZONverizon.comVisit source
- Reference 5PROOFPOINTproofpoint.comVisit source
- Reference 6FTCftc.govVisit source
- Reference 7KNOWBE4knowbe4.comVisit source
- Reference 8CROWDSTRIKEcrowdstrike.comVisit source
- Reference 9BARRACUDAbarracuda.comVisit source
- Reference 10ABAaba.comVisit source
- Reference 11MICROSOFTmicrosoft.comVisit source
- Reference 12IBMibm.comVisit source