
June 16, 2026

Updated: June 16, 2026

Business Email Compromise Statistics 2026: BEC Fraud & Wire Scams

Latest BEC fraud data on wire scams, executive impersonation, vendor fraud, mailbox compromise, and payment-workflow risk.

Mohammed Khalil

Business email compromise statistics for 2026 point to a clear conclusion: BEC remains one of the most financially damaging cyber-enabled fraud categories because it attacks business trust, executive authority, vendor relationships, mailbox access, and payment workflows instead of relying only on malware or commodity phishing. The FBI’s 2025 IC3 report logged 24,768 BEC complaints and $3.05 billion in reported losses, up from 21,442 complaints and $2.77 billion in 2024. Based on those official totals, reported BEC complaints rose by roughly 16% year over year, while reported losses rose by about 10%. Finance-sector survey data tells a similar story: AFP said 76% of U.S. organizations experienced attempted or actual payments fraud in 2025, and about 74% were affected by BEC. Microsoft’s 2025 Digital Defense Report adds an important nuance: BEC represented only 2% of observed threats but 21% of attack outcomes, which means low-volume attacks can still create outsized business impact.

That is why business email compromise in 2026 should not be treated as a generic phishing problem. It includes email account compromise, executive impersonation, vendor impersonation, supplier invoice fraud, payroll diversion, payment diversion, real-estate wire fraud, mailbox rule abuse, delegated access abuse, OAuth abuse, and weak approval workflows that let urgent payment requests bypass verification. This article uses publicly available 2024–2026 sources and labels each statistic by data type so BEC-specific evidence is not mixed carelessly with broader phishing, email fraud, identity, or breach benchmarks.

This 2026 guide combines business-email-compromise-specific fraud data, government fraud reports, email security research, identity security research, phishing benchmarks, breach benchmarks, payment fraud guidance, and public cybersecurity frameworks. Each statistic is labeled by data type so general phishing, email fraud, identity, or breach benchmarks are not treated as BEC-only evidence. Where a statistic is not BEC-specific, it is used only as context for BEC risk. Source references point to official report pages or source hubs where available.

Top Business Email Compromise Statistics for 2026

| Statistic | Data type | What it shows | BEC implication | Source |
|---|---|---|---|---|
| 24,768 BEC complaints and $3.0466 billion in reported losses in 2025 | BEC-specific benchmark | The latest full-year FBI/IC3 data still places BEC among the highest-loss cyber-enabled fraud categories | BEC remains a board-level cash-loss issue, not a low-severity email nuisance | FBI IC3 2025 Annual Report |
| 21,442 BEC complaints and $2.7719 billion in reported losses in 2024 | BEC-specific benchmark | The prior year was already extremely costly, creating a high baseline entering 2026 | BEC is persistent, not a one-year spike | FBI IC3 2024 Annual Report |
| 305,033 domestic and international BEC incidents and $55.5 billion in exposed losses from October 2013 through December 2023 | BEC-specific historical benchmark | Long-run BEC exposure is enormous even before adding 2024–2025 totals | BEC should be treated as a durable fraud program risk | FBI IC3 PSA, September 2024 |
| 3,900 Financial Fraud Kill Chain incidents in 2025 involved $1.164 billion in attempted theft, $679.0 million frozen, and a 58% success rate | Recovery and payment fraud benchmark | Recovery is possible, but only when notification and bank coordination happen fast | Response speed materially affects loss outcome after a fraudulent transfer | FBI IC3 2025 Annual Report |
| 3,020 Financial Fraud Kill Chain complaints in 2024 involved $848.4 million in attempted theft, with $561.6 million frozen and a 66% success rate | Recovery and payment fraud benchmark | Fraud recovery rates can be meaningful, but they are far from guaranteed | Wire-transfer verification and immediate escalation matter as much as prevention | FBI IC3 2024 Annual Report |
| 76% of U.S. organizations experienced attempted or actual payments fraud in 2025, and about 74% were affected by BEC | Survey benchmark | BEC stayed deeply embedded in real finance operations, not just security telemetry | Treasury, AP, and CFO functions remain core BEC targets | AFP 2026 Payments Fraud and Control Survey press release |
| 79% of organizations experienced attempted or actual payments fraud in 2024, and 63% said BEC was the number one avenue for attempted and actual payments fraud | Survey benchmark | BEC was the leading payment-fraud entry path in AFP’s 2024 findings | Email-driven fraud is still the primary business-payment threat in many organizations | AFP 2025 Payments Fraud and Control Survey |
| In AFP’s 2024 survey, wire transfers were the payment method most frequently targeted by BEC scammers at 63%; vendor imposter fraud reached 45%; invoice fraud reached 24%; classic executive-impersonation BEC fell to 49%; only 22% recovered 75% or more of lost funds | Survey benchmark | Wire fraud, vendor fraud, and invoice fraud carry direct cash consequences, and recovery is uneven | Payment-verification controls are decisive once an email reaches finance | AFP 2025 Payments Fraud and Control Survey |
| Microsoft said BEC represented just 2% of total threats observed over the past year, but 21% of attack outcomes, compared with 16% for ransomware | Identity and BEC outcome benchmark | BEC is relatively low-volume but disproportionately high-impact | Counting suspicious emails alone misses the risk concentration around finance and identity | Microsoft Digital Defense Report 2025 |
| In one financially driven campaign documented by Microsoft, threat actors created around 17,000 multitenant OAuth applications and used them to send more than 927,000 phishing emails while also creating inbox rules to hide activity | OAuth and mailbox abuse benchmark | BEC persistence can involve OAuth abuse, mailbox rules, and long-lived access, not just spoofed messages | MFA alone is not enough if app consent, token persistence, and mailbox changes are not reviewed | Microsoft Security Blog, December 2023 |
| APWG observed 1,003,924 phishing attacks in Q1 2025; its contributors also reported wire-transfer BEC attacks rising 33% quarter over quarter, with an average requested amount of $42,236 | Phishing and BEC context benchmark | General phishing volume remains high while BEC wire requests continue to evolve | Broad phishing telemetry is useful context, but BEC-specific wire activity remains operationally relevant | APWG Phishing Activity Trends Report Q1 2025 |
| Proofpoint says it detected and stopped more than 66 million targeted BEC attacks per month on average | Vendor BEC benchmark | The BEC attempt volume seen by large email-security vendors remains massive | Organizations should assume persistent impersonation pressure even if only a small fraction reaches users | Proofpoint threat reference on BEC |
| FTC data show 845,806 imposter-scam reports in 2024, with 22% reporting a dollar loss totaling $2.95 billion; FTC also said 2023 included more than 330,000 business-impersonation reports | Impersonation fraud benchmark | Trust-based impersonation remains a major fraud engine far beyond purely technical phishing metrics | Executive impersonation and business impersonation should be treated as fraud operations risk, not only email abuse | FTC Consumer Sentinel and FTC Data Spotlight/press releases |
| At the start of 2025, Valimail said more than 7.2 million tracked domains had published a DMARC record, but its 2026 report also says most domains with DMARC were not fully protected | Email authentication benchmark | DMARC adoption is growing, but publication is not the same as effective enforcement | DMARC helps reduce spoofing exposure, but it does not solve mailbox compromise or approval-workflow abuse | Valimail DMARC resources |

The most important interpretation is that BEC risk is not measured only by message volume. It is measured by who can approve payments, who can change vendor banking details, which mailboxes and shared finance inboxes hold trust, how quickly fraud is recognized, and whether finance teams can verify requests outside the attacker-controlled channel. That is why a category that can look “small” in raw threat telemetry can still dominate real cash outcomes.

It is also why broad phishing or email fraud statistics need to be handled carefully. APWG’s quarterly phishing totals and FTC impersonation data are useful context, but they are not the same thing as BEC-specific loss data. The best BEC benchmarks are the ones that tie directly to payment diversion, mailbox compromise, vendor trust abuse, and recovery difficulty.

Finally, the most actionable BEC statistics map directly to fixable control gaps: MFA coverage for executives and finance teams, phishing-resistant authentication, mailbox-rule and forwarding monitoring, OAuth app governance, DMARC/SPF/DKIM alignment, vendor-change verification, dual approval for high-risk payments, and retesting after remediation. Those are the controls that change exposure, not just awareness scores.

Business Email Compromise in 2026

Business email compromise is a cyber-enabled fraud scheme in which attackers use compromised, spoofed, or impersonated business identities to trick organizations into sending money, changing payment details, disclosing sensitive data, or carrying out unauthorized business actions. The FBI and IC3 both describe BEC as a sophisticated scam tied to legitimate transfer-of-funds activity, often involving compromised business email accounts, spoofed addresses, or requests that appear to come from known senders.

In practice, that means BEC includes executive impersonation, CEO fraud, CFO impersonation, vendor email compromise, supplier invoice fraud, payment diversion, payroll diversion, real-estate wire fraud, accounts-payable fraud, gift-card fraud, and compromised-mailbox schemes where the attacker uses the victim’s actual account. It can also include display-name spoofing, lookalike domains, domain spoofing, malicious inbox rules, forwarding rules, delegated access abuse, or OAuth-based persistence after the initial mailbox compromise. Microsoft explicitly warns that malicious inbox rules are common in BEC and phishing campaigns, and its 2025 threat reporting ties BEC to inbox-rule manipulation, thread hijacking, unauthorized SharePoint access, and MFA tampering.

That is why BEC should be separated from adjacent terms. Phishing is the broad category. Spear phishing is targeted phishing. Whaling is spear phishing aimed at senior leaders. Email account compromise means the attacker is operating from a real mailbox, not just faking the sender. Vendor email compromise is BEC focused on supplier or partner trust. Invoice fraud and payment diversion are the financial outcomes. Wire transfer scams are the payment-execution stage. Ransomware is usually about extortion and operational disruption, while BEC is more often about fraud, impersonation, and fund redirection. Insider fraud is different again because the deceptive actor is inside the organization by role, not merely by compromise.

The 2026 reality is that BEC is fraud, not only email security. Attackers exploit authority, urgency, confidentiality, and normal business process. Finance, procurement, HR, legal, real-estate, and executive support teams are attractive because they can authorize change: new bank details, payroll updates, invoice approvals, escrow wires, or confidential document release. As the FBI, AFP, and Microsoft data all suggest, BEC can succeed with a fully spoofed display name, a lookalike domain, a compromised executive mailbox, or a vendor account that already sits inside a routine payment thread.

| BEC path | How it works | Business impact | Validation method |
|---|---|---|---|
| Executive impersonation | Attacker impersonates CEO or CFO to request an urgent confidential payment | Wire loss and approval-control failure | Payment workflow test |
| Vendor email compromise | Real vendor mailbox or lookalike supplier domain requests a bank-change update | Payment diversion and supplier dispute | Vendor-change control review |
| Invoice fraud | Fake or altered invoice is submitted into a normal AP process | Financial loss and recovery burden | AP workflow validation |
| Payroll diversion | Employee payroll details are changed after account or workflow compromise | Wage theft and HR disruption | Payroll change control review |
| Email account compromise | A real mailbox is used to send or continue fraud requests | High trust, delayed detection, wider blast radius | Mailbox and identity review |
| Gift card fraud | Employee is pressured by an “executive” to buy and share gift cards | Direct loss and escalation gap | Authorized social engineering simulation |
| Real-estate wire fraud | Closing or escrow instructions are altered or impersonated | High-value wire loss | Out-of-band verification review |

This matrix matters because every row points to a different failure mode. A display-name spoof might be stopped by impersonation controls and training. A compromised finance mailbox needs stronger identity controls, token revocation, mailbox-rule investigation, and session review. A vendor bank-change scam may bypass both if AP does not require an authenticated callback to a verified number. BEC defense only becomes credible when the organization validates each path separately.

Wire Transfer Scams and Payment Diversion

Wire transfer scams are the part of BEC where deception becomes an actual financial transaction. The attacker does not need to “hack the bank” if they can convince finance, AP, treasury, or escrow to move money to the wrong account. That can happen through executive urgent-wire requests, vendor bank-detail changes, altered invoices, title-company impersonation in real-estate closings, or payroll-account changes that reroute wages or reimbursements. The FBI’s public BEC examples include vendor invoices with updated payment details, fake CEO requests, and altered home-closing wire instructions.

The recovery problem is what makes BEC especially expensive. IC3’s Financial Fraud Kill Chain data show that some fraudulent transfers can still be frozen, but only when banks, victims, and law enforcement act quickly. In 2025, the FBI reported 3,900 FFKC incidents involving $1.164 billion in attempted theft and a 58% success rate for funds frozen; in 2024, the comparable success rate was 66%. Those numbers are useful because they show both sides of the equation: recovery is possible, but it is time-sensitive, partial, and never guaranteed.

Public case evidence keeps reinforcing the same lesson. HHS OIG said bad actors fraudulently diverted $7.8 million in grant funds from HHS’s Program Support Center by masquerading as grant recipients and requesting banking-information changes. In May 2025, DOJ filed a forfeiture action to recover $6.7 million after the City of Portland was targeted by a business impersonation scheme that changed a contractor’s bank-account details. DOJ also pursued recovery of more than $5.3 million tied to a BEC scheme that targeted a Massachusetts workers union. These are process-failure cases as much as email cases.

| Wire/payment scam type | Attack pattern | Business risk | Control to validate |
|---|---|---|---|
| Vendor bank change | Payment account details are changed after a spoofed or compromised request | Payment diversion | Vendor callback verification |
| Executive urgent wire | CEO or CFO asks for a confidential immediate payment | Large wire loss | Dual approval and out-of-band check |
| Invoice alteration | Legitimate invoice is modified or replaced | Wrong account is paid | Invoice verification workflow |
| Real-estate wire fraud | Closing instructions are changed late in the process | High-value wire loss | Trusted-channel verification |
| Payroll diversion | Employee direct-deposit details are changed | Wage theft and employee trust harm | Payroll change review |
| M&A or legal payment | Sensitive transaction request is spoofed under confidentiality pressure | High-value fraud and disclosure risk | Legal-finance escalation control |

The most useful takeaway for CFOs and CISOs is that finance-process controls matter at least as much as email controls. AFP’s data show that BEC remains tightly coupled to payment fraud, including wire-transfer targeting, vendor imposter fraud, invoice fraud, and uneven fund recovery. A secure email gateway can help reduce exposure, but it cannot validate whether a banking change request was independently confirmed or whether a high-value payment had true dual authorization.
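The two finance-process controls this section keeps returning to, a callback to the number already on file before any vendor bank change is honored and two independent approvers for high-value payments, are simple enough to encode as a release gate. The following Python is an added example written for this article, not code from any of the organizations or reports cited; the dual-approval threshold, the field names, and the three sample requests are constructed assumptions.

```python
from dataclasses import dataclass, field

# Policy threshold is constructed for this example; it is not a figure from the article.
DUAL_APPROVAL_THRESHOLD = 25_000.00   # payments at or above this amount need two approvers


@dataclass
class PaymentRequest:
    """A single outgoing payment as AP or treasury sees it just before release."""
    request_id: str
    vendor: str
    amount: float
    requested_by: str                      # identity that raised the request
    approvers: list = field(default_factory=list)
    bank_change: bool = False              # beneficiary differs from the vendor master file
    callback_verified: bool = False        # someone phoned the vendor to confirm the change
    callback_number_source: str = ""       # "vendor_master" or "request_email"


def check_release(req: PaymentRequest) -> list:
    """Return the list of control failures; an empty list means the payment may be released."""
    failures = []

    # Vendor bank change: only a callback to the number already on file counts.
    # A number supplied inside the request itself is attacker-controlled by definition.
    if req.bank_change:
        if not req.callback_verified:
            failures.append("bank change not confirmed by callback")
        elif req.callback_number_source != "vendor_master":
            failures.append("callback used a number supplied in the request, not the number on file")

    # Every payment needs at least one approver who is not the requester;
    # high-value payments need two. Duplicated approver names count once.
    independent = set(req.approvers) - {req.requested_by}
    required = 2 if req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(independent) < required:
        failures.append(f"needs {required} approver(s) other than the requester, has {len(independent)}")

    return failures


def triage(requests) -> dict:
    """Map request id -> ('release' | 'hold', failures) for a batch of requests."""
    out = {}
    for req in requests:
        failures = check_release(req)
        out[req.request_id] = ("release" if not failures else "hold", failures)
    return out


# Constructed sample batch: one clean payment and two patterns the article describes.
SAMPLE_REQUESTS = [
    PaymentRequest("PR-1", "Acme Supplies", 40_000, "ap.clerk",
                   approvers=["ap.lead", "controller"],
                   bank_change=True, callback_verified=True,
                   callback_number_source="vendor_master"),
    # Vendor bank-change scam: the "new" phone number came from the e-mail itself.
    PaymentRequest("PR-2", "Acme Supplies", 12_500, "ap.clerk",
                   approvers=["ap.lead"],
                   bank_change=True, callback_verified=True,
                   callback_number_source="request_email"),
    # Executive urgent wire: the "CEO" raised it and a single clerk waved it through.
    PaymentRequest("PR-3", "Confidential acquisition", 120_000, "ceo",
                   approvers=["ap.clerk"]),
]

if __name__ == "__main__":
    for rid, (decision, why) in triage(SAMPLE_REQUESTS).items():
        print(rid, decision, why)
```

The point of returning the failures rather than a bare yes/no is that a finance reviewer sees which control was skipped, which is also the evidence an auditor or insurer will ask for after an incident. In PR-2 the callback happened, but to a number the attacker supplied, which is exactly the case a secure email gateway cannot see.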

Executive Impersonation and CEO Fraud

Executive impersonation is the classic BEC storyline because it compresses trust, urgency, and authority into a single fraudulent request. CEO fraud, CFO impersonation, and board- or legal-themed lures work because employees are often conditioned to respond quickly when the request appears to come from senior leadership. AFP’s 2025 findings show that “classic” executive-impersonation BEC was still reported by 49% of surveyed organizations in 2024, even as vendor and third-party imposters became more common.

The technical path behind executive impersonation varies. Sometimes it is a lookalike domain or display-name spoof. Sometimes it is a real executive mailbox compromised through phishing, password spraying, or session-token theft. Microsoft’s 2025 Digital Defense Report specifically describes BEC as a high-impact threat driven by identity compromise, including inbox-rule manipulation, thread hijacking, new MFA-method registration, and MFA tampering. In other words, “CEO fraud” can be either pure impersonation or a true executive mailbox takeover.

Deepfake voice or video adds pressure, but it does not eliminate the need for a process failure. AFP’s 2026 survey added AI-enabled fraud and deepfake technologies as a distinct area of concern, and Microsoft’s 2025 report warns that deepfake impersonation can contribute to BEC and account-reset fraud. Still, in most business cases the decisive failure is not the deepfake itself. It is the lack of a mandatory out-of-band verification step before the payment, bank-change, or sensitive data action is approved.

| Impersonation type | How it works | Why it succeeds | Validation method |
|---|---|---|---|
| CEO fraud | Fake executive requests a payment or sensitive action | Authority pressure and urgency | Finance workflow test |
| CFO impersonation | Payment or vendor-change request appears to come from finance leadership | Existing finance trust path | Dual-approval review |
| Executive mailbox compromise | Real executive account sends the request | High sender trust and real conversation context | Identity and mailbox review |
| Lookalike domain | Similar domain imitates the executive or company | Visual trust and rushed review | Domain monitoring and DMARC review |
| Display-name spoofing | The name looks right while the address is wrong | Mobile and preview-pane interfaces hide details | Email security review |
| Deepfake-assisted request | Voice or video reinforces the fraudulent email | Heightened confidence in apparent identity | Out-of-band verification process |

Executive impersonation is therefore a process failure as much as an email failure. If a finance team can approve an urgent request from a mobile phone without seeing the full sender address, without a known-good callback, without a second approver, and without a documented escalation path, then even a strong email stack may not be enough. The control objective is not merely “block spoofing.” It is “make high-risk requests unapprovable without independent validation.”
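Two of the rows above, display-name spoofing and lookalike domains, can be checked mechanically on the From: header before the message ever reaches a preview pane. The Python below is an added example for this article, not code from any vendor or report it cites; the internal domain, the trusted supplier domain, the executive directory, the homoglyph table and the edit-distance threshold are all constructed assumptions and would be replaced by an organization's own directory and vendor master data.

```python
import re
from email.utils import parseaddr

# Constructed reference data (assumptions for this example, not from the article).
INTERNAL_DOMAIN = "example.com"
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "acme-supplies.example"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # normalised display name -> real address

# Common visual substitutions used in lookalike domains; folded on both sides before comparison.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def fold(domain: str) -> str:
    """Lower-case a domain and collapse digit/letter substitutions so 'supp1ies' compares as 'supplies'."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; short enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, max_distance: int = 1) -> list:
    """Return findings for one From: header; an empty list means nothing suspicious was seen."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable address"]
    findings = []
    domain = addr.split("@", 1)[1].lower()
    key = re.sub(r"\s+", " ", name).strip().lower()

    # Display-name spoof: the name belongs to an executive but the address is not theirs.
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")

    # Lookalike domain: not trusted, yet within a small edit distance of a trusted domain
    # once visual substitutions are folded away.
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            dist = levenshtein(fold(domain), fold(trusted))
            if dist <= max_distance:
                findings.append(f"domain {domain} resembles trusted domain {trusted} (distance {dist})")
    return findings


def scan(headers) -> dict:
    """Assess a batch of From: headers; keys are the raw headers, values the finding lists."""
    return {h: assess_sender(h) for h in headers}


# Constructed headers: one genuine, one display-name spoof, two lookalikes, one unrelated.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",
    "Jane  Doe <jd.urgent@mail.example>",
    "Acme Billing <billing@acme-supp1ies.example>",
    "Acme Billing <billing@acmesupplies.example>",
    "Newsletter <news@unrelated.example>",
]

if __name__ == "__main__":
    for header, findings in scan(SAMPLE_HEADERS).items():
        print(header, "->", findings or "ok")
```

A distance threshold of 1 is deliberately conservative: it catches a dropped hyphen or a single substituted character without flagging every short domain that happens to be near another. Real deployments usually compare the registrable domain rather than the full host name and add the organization's actual executive list from the directory.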

Vendor Email Compromise, Email Account Compromise, and Business Impact

Vendor email compromise is one of the most dangerous BEC forms because the context already looks legitimate. The sender may be a real supplier mailbox, or a near-match domain, or an attacker who has inserted themselves into an existing billing thread. AFP’s 2025 survey found vendor imposter fraud at 45% and invoice fraud at 24% in 2024, while Abnormal reported that employees engaged with 44% of read vendor email compromise attacks and that attackers attempted to steal more than $300 million through VEC in the observed period. Abnormal also found VEC driving some of the highest reply and forward rates among advanced email attacks.

That pattern matches why vendor fraud is hard to detect. Procurement and AP are supposed to deal with invoices, payment-status questions, and bank-detail updates. Attackers thrive in those normal workflows. Abnormal’s 2026 federal workflow analysis says vendor email compromise accounted for roughly 61% of all BEC in its dataset and points out that higher-friction procurement environments often push attackers toward compromising a real vendor account rather than using a low-effort spoof. That is exactly why vendor-change controls need to validate the business process, not only the message.

| Vendor fraud path | How it works | Business impact | Validation method |
|---|---|---|---|
| Vendor mailbox takeover | Real vendor sends fraudulent payment-change request | High-trust payment diversion | Vendor-change control testing |
| Lookalike supplier domain | Fake domain imitates a supplier | Invoice payment fraud | Domain and email review |
| Altered invoice | Real invoice is modified or replaced | Funds sent to attacker | AP workflow validation |
| Fake supplier onboarding | Fraudulent vendor is added to the system | Long-term payment risk | Vendor onboarding review |
| Procurement spoofing | Purchase order or quote is manipulated | Supply-chain and payment loss | Procurement workflow review |

Email account compromise changes the defender’s job because the attacker is no longer pretending to be the sender; the attacker is the sender from the recipient’s perspective. Microsoft says attackers often use compromised mailboxes to send internally and externally, create forwarding rules, hide alerts, and maintain persistence. Its investigation and response guidance flags suspicious forwarding rules, deleted or missing mail, external forwarding, suspicious signatures, and repeated lockouts as indicators of mailbox compromise. Microsoft’s 2026 and 2025 incident writeups also show attackers using inbox rules to delete payroll or warning messages, register new MFA methods, and persist after password theft or AiTM phishing.

OAuth abuse makes this harder because it can preserve access even if the password changes. Microsoft documented financially motivated attacks in which compromised accounts were used to create or modify OAuth applications with high privileges, maintain persistence, and automate phishing or BEC-related operations. In one observed case, the actor created around 17,000 multitenant OAuth applications and sent more than 927,000 phishing emails, while using inbox rules to reduce the chance of user detection. That is why a BEC review needs to include app-consent governance, delegated access review, token and session review, and mailbox-rule monitoring.

| Mailbox compromise path | Defensive concern | Common gap | Validation method |
|---|---|---|---|
| Malicious forwarding rule | Sensitive mail is copied outside the organization | No rule monitoring | Mailbox rule review |
| Hidden delete rule | Alerts or vendor replies are removed | Weak mailbox visibility | Mailbox investigation review |
| OAuth app grant | Third-party app keeps mailbox or Graph access | Weak consent governance | OAuth app review |
| Legacy protocol access | Older auth paths weaken protection | Legacy access still enabled | Identity configuration review |
| Session persistence | Attacker stays active after initial compromise | Weak token and session revocation | Session review |
| Shared mailbox misuse | Finance mailbox has weak ownership and oversight | Weak accountability | Mailbox access review |
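The mailbox-rule indicators named above (external forwarding, rules that delete or bury finance and security mail, and rules with blank or throwaway names) are the kind of thing a mailbox review can check in bulk once the rules have been exported. The following Python is an added example for this article, not Microsoft's or Google's own tooling; the rule dictionaries imitate the property names an Exchange inbox-rule export would carry, but the tenant domain, keyword list, folder list and the four sample rules are constructed assumptions.

```python
INTERNAL_DOMAIN = "example.com"   # constructed tenant domain

# Words whose silent removal from an inbox would hide fraud or security signals.
SENSITIVE_WORDS = {"invoice", "payment", "wire", "payroll", "direct deposit",
                   "password", "sign-in", "unusual", "security alert", "mfa"}

# Folders a rule can move mail into where a busy user will not look.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email",
                  "archive", "conversation history"}


def is_external(address: str) -> bool:
    return address.split("@")[-1].lower() != INTERNAL_DOMAIN


def triage_rule(rule: dict) -> list:
    """Return findings for one inbox rule (Exchange-like keys); an empty list means nothing flagged."""
    findings = []
    if not rule.get("Enabled", True):
        return findings   # disabled rules are still worth a look, but they are not actively hiding mail

    # 1. Any forward or redirect that leaves the tenant.
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    external = [t for t in targets if is_external(t)]
    if external:
        findings.append(f"forwards or redirects mail to external address(es): {', '.join(external)}")

    # 2. Delete-or-bury rules keyed on finance or security vocabulary.
    words = {w.lower() for w in rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])}
    touches_sensitive = any(s in w or w in s for w in words for s in SENSITIVE_WORDS)
    hides = bool(rule.get("DeleteMessage")) or rule.get("MoveToFolder", "").lower() in HIDING_FOLDERS
    if hides and touches_sensitive:
        findings.append("deletes or buries messages that mention finance or security keywords")
        if rule.get("MarkAsRead"):
            findings.append("also marks the message read so no unread count gives it away")

    # 3. Blank, single-character or punctuation-only names (heuristic: such names attract no attention).
    name = rule.get("Name", "").strip()
    if len(name) <= 1 or not any(c.isalnum() for c in name):
        findings.append("rule name is blank or a single character")

    return findings


def triage_rules(rules) -> list:
    """Return [(rule name, findings), ...] in input order for a batch of exported rules."""
    return [(r.get("Name", ""), triage_rule(r)) for r in rules]


# Constructed sample export: one benign rule, two patterns the article describes, one disabled rule.
SAMPLE_RULES = [
    {"Name": "Client newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
     "From": ["news@vendor.example"]},
    {"Name": ".", "Enabled": True, "ForwardTo": ["archive.mailbox@webmail.example"],
     "MarkAsRead": True},
    {"Name": "Cleanup", "Enabled": True, "DeleteMessage": True, "MarkAsRead": True,
     "SubjectContainsWords": ["invoice", "payment", "unusual sign-in"]},
    {"Name": "Old stuff", "Enabled": False, "DeleteMessage": True,
     "SubjectContainsWords": ["payroll"]},
]

if __name__ == "__main__":
    for name, findings in triage_rules(SAMPLE_RULES):
        print(repr(name), "->", findings or "ok")
```

Running this against a real export is a review aid, not a verdict: a legitimate user may forward to a personal address or file newsletters in an odd folder. The value is that each finding maps to one of the rows above, so the follow-up (revoke sessions, check sign-in history, confirm with the user out of band) is already known.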

The business impact side of BEC is broader than the transfer itself. There is the direct cash loss, but also recall effort, supplier disputes, executive trust damage, HR burden, audit scrutiny, and pressure to explain why a “legitimate” payment reached the wrong destination. Microsoft’s payroll-diversion case shows how mailbox compromise can cross into HR systems and cause wage theft. AFP’s recovery data show that full loss recovery is uncommon. HHS OIG and DOJ recovery cases show how hard and operationally expensive the aftermath can become even when funds are partially recovered.

| Business impact | Example | Why it matters |
|---|---|---|
| Direct financial loss | Wire sent to attacker-controlled account | Immediate cash loss |
| Recovery burden | Bank recall, FBI reporting, law-enforcement coordination | Time-sensitive and uncertain outcome |
| Supplier dispute | Vendor insists invoice remains unpaid | Relationship and legal risk |
| Payroll harm | Employee wages are redirected | HR disruption and employee trust damage |
| Finance disruption | AP or treasury freezes payment activity during investigation | Operational delay and backlog |
| Legal and audit cost | Incident investigation and control review become necessary | Governance pressure |
| Insurance pressure | Claim review and underwriting scrutiny follow the incident | Future premium or coverage impact |
| Board concern | Executive impersonation or vendor fraud reaches material loss | Control accountability and disclosure pressure |

BEC Prevention, Validation, and Executive Metrics

BEC prevention works best when the organization treats it as an identity, mailbox, and payments problem at the same time. FBI and IC3 guidance emphasize secondary-channel verification for account changes and payment requests. CISA guidance continues to push DMARC, SPF, and DKIM as core anti-spoofing controls, while NIST’s current digital-identity guidance says phishing resistance must be available at AAL2 and is required at AAL3. Microsoft’s incident guidance adds the operational controls BEC teams often miss: inbox-rule review, external forwarding review, OAuth governance, and session revocation after compromise.
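The Valimail figure quoted in the statistics table, millions of domains with a DMARC record but most not fully protected, comes down to what the record actually says: `p=none` only asks receivers to report, a reduced `pct=` applies the policy to a fraction of mail, and `sp=none` leaves subdomains open. The Python below is an added example for this article, not Valimail's or CISA's tooling; it parses a record string rather than querying DNS, so the three records are constructed inputs (in practice the string would be the TXT record published at `_dmarc.<domain>`).

```python
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Decide whether a published record is actually enforcing, and list what weakens it."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"enforcing": False, "issues": ["not a DMARC record (missing v=DMARC1)"]}

    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag; receivers treat the record as unusable")
        policy = "none"
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")

    # pct defaults to 100; anything lower samples the policy instead of applying it.
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy != "none" and pct < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail stream")

    # sp= defaults to the domain policy; an explicit sp=none reopens every subdomain.
    sub = tags.get("sp", policy).lower()
    if sub == "none" and policy != "none":
        issues.append("sp=none leaves subdomains unprotected")

    if not tags.get("rua"):
        issues.append("no rua= address, so no aggregate reports to reveal spoofing or alignment failures")

    return {
        "policy": policy,
        "pct": pct,
        "subdomain_policy": sub,
        "enforcing": policy in ("quarantine", "reject") and pct == 100 and sub != "none",
        "issues": issues,
    }


# Constructed records: published-but-monitoring, fully enforcing, and partially enforcing.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "partial": "v=DMARC1; p=quarantine; pct=10; sp=none",
}

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(label, "enforcing" if result["enforcing"] else "NOT enforcing", result["issues"])
```

The same check belongs in the first-30-days review described below: a domain that "has DMARC" but scores `enforcing: False` here is still spoofable, and even a fully enforcing record says nothing about a compromised mailbox, which sends fully aligned, authenticated mail.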

First 30 days

Focus on fast reduction of obvious exposure. Inventory payment workflows, vendor-change workflows, payroll-change workflows, executive approval paths, shared finance inboxes, and the identities that administer them. Enforce MFA for executives, finance, procurement, HR, IT administrators, and mailbox administrators. Disable or restrict legacy email protocols where feasible. Review mailbox forwarding rules, suspicious inbox rules, OAuth app grants, delegated mailbox permissions, and DMARC/SPF/DKIM alignment. Require callbacks for vendor bank changes and dual approval for high-value wires.

First 90 days

Move from posture to validation. Test finance payment workflows using safe, authorized scenarios. Review impersonation detection in the mail stack. Run phishing or social-engineering simulation where authorized. Review mailbox-compromise response procedures, session-revocation steps, OAuth consent settings, and vendor-change and payroll-change processes. Review lookalike-domain exposure and retest the highest-risk fixes instead of assuming the problem is closed.

First 12 months

Build durable controls. Move high-risk teams toward phishing-resistant MFA. Run executive tabletop exercises or red-team style BEC simulations in mature environments. Review vendor master-file changes quarterly. Audit mailbox rules, forwarding settings, and OAuth grants quarterly. Test payment-workflow controls before ERP, payroll, AP, treasury, or SSO changes. Keep evidence for audit, insurance, board, and customer diligence.

| Priority | Control | BEC risk reduced | Validation method |
|---|---|---|---|
| Critical | MFA for executives and finance | Mailbox takeover | Identity review |
| Critical | Vendor-change callback verification | Payment diversion | AP workflow test |
| Critical | Dual approval for high-value payments | Wire fraud | Finance process review |
| High | DMARC, SPF, and DKIM alignment | Domain spoofing | Email authentication review |
| High | Mailbox rule monitoring | Compromised inbox abuse | Mailbox rule review |
| High | OAuth app governance | Persistent mailbox access | OAuth review |
| High | Payroll change verification | Payroll diversion | HR workflow review |
| Medium | Authorized social-engineering simulation | Human and process weaknesses | Authorized simulation |
| Medium | Retesting | False closure after remediation | Verification retest |

Secure email gateways, awareness training, and MFA all matter, but none of them is sufficient by itself. Microsoft’s threat intelligence shows BEC chaining from identity compromise into inbox rules, OAuth persistence, and internal phishing. AFP’s surveys show that real payment-loss exposure depends on what treasury, AP, and finance do when a request arrives. That is why organizations need technical validation and process validation together.

| Testing type | Best for | What it validates |
|---|---|---|
| Email security review | Mail filtering and impersonation controls | Spoofing, lookalike-domain, and policy gaps |
| Identity review | Executives, finance, HR, and admins | MFA, legacy access, session, and recovery policies |
| Mailbox rule review | Compromised mailbox detection | Forwarding, deletion, and hidden-rule abuse |
| OAuth app review | Microsoft 365 and Google Workspace app access | Overbroad grants, consent risk, and persistence |
| Finance workflow test | Wires, invoices, vendor changes | Payment-verification strength |
| Authorized social-engineering simulation | Human and process resilience | Whether escalation paths work under pressure |
| Red team assessment | Mature organizations | Realistic chain across identity, email, and process |
| Retesting | Post-remediation assurance | Whether fixes actually reduced BEC risk |

For executive reporting, the best BEC metrics are not vanity counts of blocked emails. They are metrics that tie technical posture to fraud exposure and operational resilience. That means measuring approved payments, verification coverage, MFA coverage for high-risk users, mailbox-rule findings, OAuth findings, simulation escalation rates, and retest pass rates.

| Metric | What it measures | Why it matters |
|---|---|---|
| Confirmed BEC cases | Verified incidents | Measures fraud frequency |
| BEC loss amount | Direct wire or payment loss | Quantifies financial exposure |
| Recovery rate | Funds recovered after fraud | Measures response speed and banking coordination |
| Vendor-change verification coverage | Bank changes verified out of band | Reduces payment diversion |
| High-value payment dual-approval rate | Large payments requiring second approval | Reduces executive-impersonation risk |
| MFA coverage for finance and executives | Protection of high-risk users | Reduces mailbox takeover likelihood |
| Suspicious mailbox-rule findings | Forwarding or deletion rules detected | Measures mailbox abuse exposure |
| OAuth app review findings | Risky app grants and excessive consent paths | Measures persistent-access risk |
| Simulation escalation rate | Users reporting suspicious requests | Measures process readiness |
| Retest pass rate | Controls that still hold after fixes | Prevents false confidence |

Executive Takeaways

FAQ

What are the most important business email compromise statistics for 2026?

The most important numbers are the FBI’s latest full-year totals and the most credible payment-fraud surveys. IC3 reported 24,768 BEC complaints and $3.05 billion in losses in 2025, up from 21,442 complaints and $2.77 billion in 2024. AFP also said 74% of surveyed organizations were affected by BEC in 2025, which reinforces that BEC remains both a loss category and a routine payments-fraud problem.

What is business email compromise?

Business email compromise is a cyber-enabled fraud scheme in which attackers use compromised, spoofed, or impersonated business identities to trigger unauthorized payments, bank-detail changes, payroll changes, or sensitive data disclosures. It often looks like a legitimate business request because it exploits known senders, real vendor relationships, or trusted executive authority rather than obvious malware or spam indicators.

How common is business email compromise?

BEC is common enough that it shows up in both government complaint data and finance-operations surveys every year. IC3 logged nearly 25,000 BEC complaints in 2025, and AFP said about 74% of surveyed organizations were affected by BEC in 2025. Vendors that analyze large email datasets also continue to report very high BEC attempt volumes, including Proofpoint’s average of more than 66 million targeted BEC attacks stopped per month.

Why is BEC so expensive?

BEC is expensive because it abuses normal approval paths for real money. Instead of simply stealing credentials or dropping malware, it aims at wires, invoices, payroll changes, and vendor banking updates. That creates direct cash loss, uneven recovery, operational freezes, supplier disputes, and investigation costs. FBI Financial Fraud Kill Chain data show that some funds can be frozen, but not all, and speed is critical.

What is a wire transfer scam?

A wire transfer scam is a fraud scenario in which an attacker uses impersonation, account compromise, or business-process manipulation to cause a victim to send a wire to the wrong account. In BEC cases, that often means a fake executive request, altered escrow instructions, or a vendor bank-change request that redirects payment to the attacker’s beneficiary account.

What is CEO fraud?

CEO fraud is a type of BEC where the attacker impersonates a senior executive and asks for a confidential or urgent payment, purchase, or data action. It is effective because it pressures employees to prioritize speed and obedience over verification. AFP’s 2025 survey shows that classic executive-impersonation BEC remained widespread even as vendor and third-party impersonation became more prominent.

What is vendor email compromise?

Vendor email compromise is a BEC variant that abuses supplier trust. The attacker impersonates a real vendor, compromises a vendor mailbox, or uses a lookalike supplier domain to request a bank-detail change, submit an invoice, or continue an existing billing conversation. It is especially dangerous because the surrounding context can look normal to AP and procurement teams.

How does email account compromise lead to BEC?

Email account compromise gives the attacker a real mailbox, real conversation history, and a real sender identity. Microsoft says attackers commonly create malicious inbox rules, external forwarding, OAuth persistence, and other changes after compromise. That lets them hide warnings, continue existing threads, and send payment or payroll requests that are much harder for users and tools to distrust.
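Detection logic for the post-compromise mailbox changes described above, added here as an example that is not part of the article and not Microsoft's own tooling. It scores constructed, simplified audit-style records; the record shape, the tenant domain, the hiding-folder list and the keyword list are assumptions.

```python
# Added example, not the article's code: score constructed, simplified
# Microsoft 365 audit-style records for the post-compromise changes the
# article cites (hiding rules, payment-keyword filters, external forwarding).
INTERNAL_DOMAIN = "example.com"          # assumption: the tenant's own domain
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items", "junk email"}
PAYMENT_WORDS = {"invoice", "wire", "payment", "bank", "remittance", "payroll"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "ForwardingSmtpAddress", "ForwardingAddress")

def _params(record):
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}

def _is_external(addr):
    addr = addr.strip().lower().removeprefix("smtp:")
    return "@" in addr and not addr.endswith("@" + INTERNAL_DOMAIN)

def analyze_record(record):
    """Return reasons a mailbox change looks like BEC staging ([] if none)."""
    op, p, reasons = record.get("Operation", ""), _params(record), []
    if op not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
        return reasons
    for key in FORWARD_KEYS:                      # any forwarding off-tenant
        if key in p and any(_is_external(a) for a in p[key].split(";")):
            reasons.append(f"external forwarding via {key}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching mail")
    if p.get("MoveToFolder", "").strip().lower() in HIDE_FOLDERS:
        reasons.append(f"rule hides mail in '{p['MoveToFolder']}'")
    text = (p.get("SubjectContainsWords", "") + ";" + p.get("BodyContainsWords", "")).lower()
    if any(w in text.split(";") for w in PAYMENT_WORDS):
        reasons.append("rule filters on payment-themed keywords")
    return reasons

def find_suspicious(records):
    """(UserId, Operation, reasons) for every record that raised a reason."""
    return [(r["UserId"], r["Operation"], rs) for r in records if (rs := analyze_record(r))]

SAMPLE_LOG = [  # constructed records, not real audit data
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.com", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;wire;bank"},
        {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "ForwardingSmtpAddress", "Value": "smtp:cfo.backup@mail-example.net"},
        {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"}, {"Name": "From", "Value": "news@example.com"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]
```

Running `find_suspicious(SAMPLE_LOG)` flags the AP clerk's hiding rule and the CFO's external forward while leaving the ordinary newsletter rule alone; in practice the records would come from the tenant's audit log export.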

How can organizations prevent business email compromise?

Organizations reduce BEC risk by combining identity controls, mailbox controls, and payment-process controls. That means MFA for high-risk users, phishing-resistant methods where possible, mailbox-rule and external-forwarding monitoring, OAuth governance, DMARC/SPF/DKIM alignment, vendor bank-change callbacks, dual approval for large payments, and tested escalation paths for urgent executive or legal requests. Prevention becomes much stronger when those controls are validated through testing.

Does DMARC stop BEC?

No. DMARC helps prevent unauthorized use of your domain and is valuable for reducing spoofing and certain impersonation attacks. But it does not stop a real mailbox compromise, a vendor’s compromised account, an OAuth-based persistence path, or a finance employee who approves a fraudulent request without an independent callback. DMARC is necessary, but it is not sufficient.

What security testing helps reduce BEC risk?

The most effective testing combines email, identity, and business-process validation. That includes email security control reviews, MFA and identity review, mailbox-rule review, OAuth app review, webmail and session review, domain-authentication review, finance workflow testing, vendor-change and payroll-change testing, authorized phishing or social-engineering simulation, red-team assessments for mature environments, and remediation retesting to confirm the fixes worked.

Conclusion

Business email compromise in 2026 is not just about identifying suspicious messages. It is about validating the full fraud workflow before attackers do: mailbox access, executive impersonation, vendor-change controls, invoice approval, wire-transfer verification, payroll changes, OAuth access, domain authentication, and remediation quality. The organizations that perform best against BEC are the ones that make fraudulent requests hard to approve, hard to hide, and hard to persist with—even after an inbox has been touched.

DeepStrike helps organizations validate BEC exposure through email security review, identity and MFA review, OAuth app review, mailbox rule review, red team assessment, authorized social engineering simulation, payment workflow testing, vendor-change control review, continuous penetration testing, and remediation retesting. The practical goal is not a prettier dashboard. It is verified fraud resistance where losses actually happen: approvals, identities, mailboxes, and payment workflows.

Author Bio

Mohammed Khalil is a Cybersecurity Architect at DeepStrike with CISSP, OSCP, and OSWE credentials. His work focuses on offensive security validation, identity attack paths, SaaS and cloud exposure, application security, and translating technical findings into executive-level risk reduction plans.

Source Methodology and Source List

This article prioritizes official government reporting, primary-source threat research, and clearly labeled survey benchmarks. Government loss totals and complaint counts were sourced first from FBI IC3 and FTC materials. Payment-fraud workflow evidence was supplemented with AFP survey data. Identity, mailbox, OAuth, and post-compromise behaviors were supported with Microsoft primary research and Microsoft Learn incident-response guidance. Email-authentication references were used as supporting control context rather than as stand-alone proof that BEC is solved.

Source List

FBI Internet Crime Complaint Center, 2025 Internet Crime Report

FBI Internet Crime Complaint Center, 2024 Internet Crime Report

FBI IC3 PSA, Business Email Compromise: The $55 Billion Scam

FBI, Business Email Compromise overview and protection guidance

AFP, 2026 Payments Fraud and Control Survey and press release

AFP, 2025 Payments Fraud and Control Survey Report Key Highlights

Microsoft, Digital Defense Report 2025

Microsoft, Threat actors misuse OAuth applications to automate financially driven attacks

Microsoft Learn, Responding to a Compromised Email Account

Microsoft Learn, inbox-rule investigation playbook

Microsoft Security Blog, multi-stage AiTM phishing and BEC campaign

Microsoft Security Blog, payroll pirate attacks affecting U.S. universities

APWG, Phishing Activity Trends Report Q1 2025

Proofpoint, Business Email Compromise threat reference

FTC, Consumer Sentinel Network Data Book 2024

HHS OIG, HHS grant payment system fraud report

CISA, Microsoft 365 / Exchange Online security guidance

NIST SP 800-63B Rev. 4 Digital Identity Guidelines

Abnormal Security, Federal Email Threats 2026 Attack Landscape Report

Abnormal Security, Vendor Email Compromise engagement data

Valimail, DMARC resources
