Billions of dollars keep getting drained through business email compromises, and the 2023 BEC losses reported by the FBI IC3 still land among the most costly cybercrime categories. At the same time, the defenses are tightening, with email security and identity controls now a top priority for most organizations. This mix of high-impact damage and uneven protections is exactly where the real business risk lives.
Key Takeaways
- FBI IC3 reported that 2023 BEC losses remain among the most costly cybercrime categories, with billions adjusted across the year
- The number of reported ransomware incidents in 2023 increased compared to 2022; email is a primary initial access vector in these campaigns per Verizon DBIR
- DMARC reporting and enforcement adoption continues to expand; industry analysis by Valimail shows progressive enforcement adoption year over year (reported in Valimail adoption posts)
- US SEC registrants must retain electronic records, including email communications, for specified periods under SEC Rule 17a-4, which requires retention for at least 3 to 6 years depending on record type
- HIPAA requires covered entities and business associates to retain required documentation for 6 years from its creation or last effective date, which commonly includes certain email-based documentation
- GDPR establishes a 72-hour notification timeline for certain personal data breaches after becoming aware, relevant to breach notification triggered by compromised email accounts
- The global email security market is forecast to reach $10.2 billion by 2030, per MarketsandMarkets (with CAGR around 10%+)
- Worldwide IT spending is forecast to reach $5.1 trillion in 2024, underpinning continued investment in email security and governance
- Worldwide public cloud end-user spending is forecast to reach $679.0 billion in 2024, supporting cloud email adoption and related security controls
- 86% of organizations use Office 365/Exchange or similar cloud email services, per a 2024 survey by Spiceworks (enterprise IT communications infrastructure)
- 63% of organizations reported adopting Microsoft 365 for email and collaboration in 2024 survey data compiled by Gartner Peer Insights (communications workflows)
- 38% of organizations do not have a formal process for securing shadow IT email accounts, per Microsoft security survey on identity and access (2023/2024 publication)
- 22% of organizations allow spoofing of their domains via misaligned DKIM signatures, per Agari’s DMARC Spotlight analysis (2023).
- IBM’s 2024 Cost of a Data Breach report estimated the global average total cost of a data breach at $4.88 million (data breaches often begin with email-borne attacks).
- Mandiant’s 2024 M-Trends report states that the median time to detect and respond for intrusions involving email-delivered initial access can exceed several days, with detection delays being a primary cost driver (median dwell times reported in the report).
Email security and identity controls remain critical, as phishing and BEC losses drive major breach costs globally.
Related reading
01 · Category
Industry Trends7 stats
01
FBI IC3 reported that 2023 BEC losses remain among the most costly cybercrime categories, with billions adjusted across the year
02
The number of reported ransomware incidents in 2023 increased compared to 2022; email is a primary initial access vector in these campaigns per Verizon DBIR
03
DMARC reporting and enforcement adoption continues to expand; industry analysis by Valimail shows progressive enforcement adoption year over year (reported in Valimail adoption posts)
04
2024 trend: 60% of organizations are prioritizing email security and identity controls due to phishing and account takeover prevalence (Gartner/industry surveys compiled in market research summaries)
05
Email remains the most common initial access vector in the majority of attack narratives analyzed by the MITRE ATT&CK dataset for Enterprise intrusion sets, where phishing via email is repeatedly listed as a primary pathway.
06
In the 2024 ENISA Threat Landscape, social engineering (including phishing delivered via email) is identified as a leading cause of successful compromise for organizations in the EU threat observations.
07
The EU Agency for Cybersecurity (ENISA) reported that phishing is among the most frequently observed cyber threats across Europe in its threat landscape summaries, with email delivery as a primary mechanism in most cases.
Interpretation
Industry Trends Interpretation
Across industry trends, email security is moving to the top of the agenda as phishing and account takeovers keep driving major financial losses like BEC, with 60% of organizations prioritizing email security and identity controls in 2024 while ransomware continues to rise and email remains a leading initial access vector.
02 · Category
Authentication & Compliance6 stats
01
US SEC registrants must retain electronic records, including email communications, for specified periods under SEC Rule 17a-4, which requires retention for at least 3 to 6 years depending on record type
02
HIPAA requires covered entities and business associates to retain required documentation for 6 years from its creation or last effective date, which commonly includes certain email-based documentation
03
GDPR establishes a 72-hour notification timeline for certain personal data breaches after becoming aware, relevant to breach notification triggered by compromised email accounts
04
PCI DSS requires organizations to protect cardholder data and associated systems, including transmission controls that affect email-based workflows; certain requirements apply per the 12-month compliance cycle
05
NIST SP 800-53 Revision 5 provides controls for email and identity protections as part of access control and audit requirements, including AC and AU families
06
ISO 27001 requires implementing controls for information security including access management and logging that cover email systems; the standard is updated to 2022 and remains current
Interpretation
Authentication & Compliance Interpretation
For Authentication & Compliance, the key trend is that major regulatory and security frameworks drive retention and accountability for email at multi year and short time scales, from SEC Rule 17a-4’s 3 to 6 year recordkeeping and HIPAA’s 6 year documentation to GDPR’s 72 hour breach notification window.
03 · Category
Market Size5 stats
01
The global email security market is forecast to reach $10.2 billion by 2030, per MarketsandMarkets (with CAGR around 10%+)
02
Worldwide IT spending is forecast to reach $5.1 trillion in 2024, underpinning continued investment in email security and governance
03
Worldwide public cloud end-user spending is forecast to reach $679.0 billion in 2024, supporting cloud email adoption and related security controls
04
Digital commerce and productivity suites drive ongoing email usage, with Microsoft reporting that Microsoft 365 drives tens of billions in annual revenue within productivity segment (revenue disclosed in quarterly results)
05
Email API and messaging platform spend is incorporated within the broader unified communications and collaboration market; Gartner projects UC&C market revenue to exceed $500B by the early 2030s (spend category overlaps with managed email)
Interpretation
Market Size Interpretation
The market size signals strong momentum for business email security and governance, with the global email security market forecast to hit $10.2 billion by 2030 at 10%+ CAGR, supported by $5.1 trillion in worldwide IT spending in 2024 and $679.0 billion in public cloud spending that accelerates secure cloud email adoption.
More related reading
04 · Category
User Adoption8 stats
01
86% of organizations use Office 365/Exchange or similar cloud email services, per a 2024 survey by Spiceworks (enterprise IT communications infrastructure)
02
63% of organizations reported adopting Microsoft 365 for email and collaboration in 2024 survey data compiled by Gartner Peer Insights (communications workflows)
03
38% of organizations do not have a formal process for securing shadow IT email accounts, per Microsoft security survey on identity and access (2023/2024 publication)
04
61% of organizations report they used DMARC for more than one year by 2023, per Wombat Security’s 2023 Email Security & DMARC survey.
05
55% of surveyed organizations enable security awareness training specifically addressing phishing and social engineering at least quarterly, per Wombat Security’s 2023/2024 phishing training survey results.
06
38% of organizations use some form of email sandboxing to detect malicious attachments or links, per the 2024 Cybersecurity Spending & Trends report by the Enterprise Strategy Group (ESG) (S&P Global Market Intelligence).
07
29% of organizations had deployed a dedicated email security platform by 2023, according to the 2024 Email Security Trends survey results published by Help Net Security (based on independent survey data).
08
76% of organizations reported using threat intelligence feeds for email-related threats (phishing, malware, or URL blocking), per the 2024 Email Security Trends report by Tessian (security email monitoring vendor survey findings).
Interpretation
User Adoption Interpretation
For User Adoption, the strongest signal is that mainstream email platforms are now widely entrenched, with 86% of organizations using Office 365/Exchange or similar cloud services, while only 29% have moved to dedicated email security platforms.
05 · Category
Threat Landscape1 stats
01
22% of organizations allow spoofing of their domains via misaligned DKIM signatures, per Agari’s DMARC Spotlight analysis (2023).
Interpretation
Threat Landscape Interpretation
Within the Threat Landscape, 22% of organizations are vulnerable to domain spoofing through misaligned DKIM signatures, showing how common this authentication weakness is in enabling email impersonation.
06 · Category
Cost Analysis2 stats
01
IBM’s 2024 Cost of a Data Breach report estimated the global average total cost of a data breach at $4.88 million (data breaches often begin with email-borne attacks).
02
Mandiant’s 2024 M-Trends report states that the median time to detect and respond for intrusions involving email-delivered initial access can exceed several days, with detection delays being a primary cost driver (median dwell times reported in the report).
Interpretation
Cost Analysis Interpretation
Cost analysis shows that the average data breach cost is $4.88 million globally and that email-delivered initial access can take several days longer to detect and respond, making detection delays a key cost driver.
Reference
Cite This Report
This report is designed to be cited. We maintain stable URLs and versioned verification dates. Copy the format appropriate for your publication below.
APA
Timothy Grant. (2026, February 13). Business Email Statistics. Gitnux. https://gitnux.org/business-email-statistics
MLA
Timothy Grant. "Business Email Statistics." Gitnux, 13 Feb 2026, https://gitnux.org/business-email-statistics.
Chicago
Timothy Grant. 2026. "Business Email Statistics." Gitnux. https://gitnux.org/business-email-statistics.
Sources & references
29 datasets cited across this report · attribution is report-level
+7 additional datasets cited (not shown individually)