TLDR
Business Email Compromise (BEC) wire fraud requests now average $24,600 per attack, with wire-focused BEC surging 61% year over year. Unlike mass phishing, BEC targets specific employees within organizations, manipulating real business relationships and payment workflows to redirect funds. ScamVerify™ tracks 684,045 FTC impersonation complaints and 935,542 debt reduction complaints that reveal the infrastructure behind these attacks. The FBI reported BEC as the costliest cybercrime category for the sixth consecutive year, with losses exceeding $2.9 billion in 2025 alone.
2026 BEC by the Numbers
The data paints a clear picture of accelerating losses and evolving tactics:
| Metric | Value | Source |
|---|---|---|
| Average wire request | $24,600 | Abnormal Security 2026 |
| Wire-focused BEC increase | 61% YoY | Abnormal Security 2026 |
| Total BEC losses (2025) | $2.9 billion | FBI IC3 |
| Largest single BEC loss | $60 million | FBI IC3 case file |
| BEC share of cybercrime losses | #1 category, 6th year running | FBI IC3 |
| AI-generated phishing share | 56% of all attacks | SlashNext |
| FTC impersonation complaints | 684,045 | FTC Consumer Sentinel |
| Organizations hit by payments fraud | 71% | AFP Payments Fraud Survey |
The $24,600 average is notable because it sits in a strategic range. It is high enough to generate significant revenue for attackers, yet low enough to avoid triggering enhanced verification procedures that many companies apply only to transfers above $25,000 or $50,000. Attackers calibrate their requests to stay under internal thresholds.
How Modern BEC Attacks Work
BEC has evolved far beyond the "CEO sends urgent wire request" playbook. The 2026 landscape includes multiple sophisticated techniques.
Thread Hijacking
Attackers compromise a real email account and monitor ongoing conversations. When a legitimate payment discussion reaches the right stage, the attacker injects a message into the thread:
"Quick update on the payment details. Our banking provider is migrating systems, so please use the following updated account for this invoice..."
Because the message appears within an existing, trusted conversation thread, recipients have no reason to question it. The email comes from the right address, references the right project, and uses language consistent with the compromised person's writing style.
Vendor Impersonation
Instead of impersonating internal executives, attackers impersonate vendors and suppliers. They register lookalike domains, study the vendor's invoice format, and send modified invoices with altered bank routing numbers during legitimate payment cycles.
| Attack Vector | Share of BEC Attacks | Average Loss |
|---|---|---|
| Vendor invoice manipulation | 38% | $28,400 |
| CEO/executive impersonation | 27% | $35,200 |
| Payroll diversion | 18% | $7,800 |
| Attorney impersonation | 9% | $42,000 |
| Data theft (W-2, PII) | 8% | Varies |
Vendor invoice manipulation is now the most common BEC vector because it exploits existing business relationships where wire transfers are expected and routine.
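A defender-side check for the lookalike vendor domains described above, as an added example that is not part of the original article: it compares a sender's domain with a vendor master list after normalizing common character swaps. The vendor domains, the `CONFUSABLES` table and the distance cutoff are constructed assumptions, and the code treats every domain as `label.tld` rather than consulting the Public Suffix List.

```python
# Constructed vendor master list; in practice load it from your AP system.
VENDORS = {"acme-supply.com", "northwind-logistics.com"}

# Common visual swaps, normalized before comparing (illustrative, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(label):
    """Collapse look-alike character sequences and hyphens to one canonical form."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label.replace("-", "")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def second_level(domain):
    """Label left of the TLD (assumes label.tld; no Public Suffix List lookup)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) > 1 else parts[0]

def classify(sender, vendors=VENDORS, max_distance=2):
    """Return (verdict, vendor): verdict is 'known', 'lookalike' or 'unrelated'."""
    domain = sender.rsplit("@", 1)[-1].lower().rstrip(".")
    for vendor in sorted(vendors):
        if domain == vendor or domain.endswith("." + vendor):
            return ("known", vendor)
    label = second_level(domain)
    for vendor in sorted(vendors):
        v_label = second_level(vendor)
        if (skeleton(label) == skeleton(v_label)
                or edit_distance(label, v_label) <= max_distance):
            return ("lookalike", vendor)
    return ("unrelated", None)

if __name__ == "__main__":
    for s in ("ap@acme-supply.com", "ap@acrne-supply.com", "ap@acme-supply.co"):
        print(s, classify(s))
```

A `lookalike` verdict on a message that carries new bank details is a reason to verify through the secondary channel before anything is paid.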
Timing Attacks
BEC operators study payment cycles. If a company processes vendor payments on the 15th and 30th of each month, the fraudulent invoice arrives on the 13th or 28th, timed to be processed in the normal batch without extra scrutiny.
AI tools enhance timing attacks by analyzing email patterns to determine:
- When specific employees process payments
- Which approval chains are fastest
- When key decision-makers are traveling or unavailable (making verbal verification harder)
- Seasonal periods when payment volume is highest and individual transactions receive less attention
Multi-Stage Reconnaissance
Modern BEC begins weeks or months before the fraudulent request. Attackers:
- Harvest credentials through phishing or credential stuffing
- Monitor email silently to learn org structure, vendor relationships, and payment processes
- Identify high-value targets (finance team members, accounts payable, HR)
- Map approval workflows to understand who can authorize transfers and what triggers additional verification
- Execute during optimal windows when verification is least likely
The 61% Wire Surge: What Changed
Wire-focused BEC attacks increased 61% year over year for several converging reasons:
AI eliminated the skill barrier. Writing a convincing impersonation email used to require social engineering expertise. AI language models now generate emails that match the writing style, tone, and vocabulary of the impersonated person. For a broader look at this shift, see our analysis of the AI phishing 14x surge.
Remote work fragmented verification. When employees worked in the same office, an unusual wire request could be verified with a walk down the hall. Remote and hybrid work means most verification happens over email, the exact channel the attacker controls.
Payment infrastructure is faster. Real-time payment networks, same-day ACH, and cryptocurrency make fund recovery harder. By the time a victim discovers the fraud, the money has already moved through multiple accounts.
Data breaches fuel targeting. The volume of breached corporate data gives attackers detailed organizational charts, vendor relationships, and communication patterns. They do not need to guess who handles payments. They already know.
What ScamVerify Data Reveals
ScamVerify's FTC complaint database reveals patterns directly relevant to BEC:
Impersonation Complaint Trends
The 684,045 impersonation complaints in our FTC data break down across categories that align with BEC attack types:
| Impersonation Category | Complaint Count | BEC Relevance |
|---|---|---|
| Business/company impersonation | 312,000+ | Vendor invoice fraud |
| Government impersonation | 245,000+ | Compliance pressure tactics |
| Tech company impersonation | 127,000+ | IT department social engineering |
Debt Reduction Connection
The 935,542 debt reduction complaints connect to BEC through shared infrastructure. The same phone banks and email operations that run mass debt reduction scams also provide the communication infrastructure for targeted BEC campaigns. A scam operation flagged in FTC data for high-volume debt calls may be the same group running low-volume, high-dollar BEC attacks.
Domain Infrastructure
Our URLhaus data shows the domain types used in BEC supporting infrastructure:
| Domain Extension | Count | BEC Use Case |
|---|---|---|
| .com | 60,047 (81%) | Lookalike vendor/company domains |
| .org | 3,996 (5.4%) | Institutional impersonation |
| .net | 4,000+ (5.4%) | IT and technology vendor spoofing |
| .io and .co | 800+ (1.1%) | Startup/tech company impersonation |
Protecting Your Organization
Financial Controls
- Dual authorization for all wire transfers, regardless of amount. The $24,600 average is specifically designed to stay under single-approval thresholds.
- Verbal verification for any payment instruction change. Call the requester on a known number, not one from the email.
- Payment change cooling period. New banking details require a 48-hour hold and verification before any funds move.
- Segregation of duties. The person who approves a vendor payment change should not be the same person who initiates the wire.
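The financial controls above expressed as a pre-release check, as an added example that is not part of the original article: it returns the reasons a wire should be held, including amounts sitting just under the approval threshold and splits that add up past it. The `Wire` record, the reason codes, the 10% near-threshold band and the 7-day split window are assumptions; the $25,000 threshold and 48-hour hold are the article's figures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The $25,000 threshold and 48-hour hold are the article's figures; the 10%
# "just under" band and 7-day split window are assumptions for illustration.
THRESHOLD = 25_000
NEAR_BAND = 0.10
SPLIT_WINDOW = timedelta(days=7)
COOLING = timedelta(hours=48)

@dataclass(frozen=True)
class Wire:
    account: str            # beneficiary account the funds would go to
    amount: float
    requested: datetime
    initiator: str
    approvers: tuple = ()

def hold_reasons(wire, history=(), account_changes=None):
    """Return reason codes for holding `wire`; an empty list means release.

    history: earlier Wire objects. account_changes maps a beneficiary account
    to (changed_at, approved_by) for its most recent bank-detail change.
    """
    reasons = []
    # This sketch reads "dual authorization" as two approvers besides the initiator.
    if len(set(wire.approvers) - {wire.initiator}) < 2:
        reasons.append("dual_authorization")
    change = (account_changes or {}).get(wire.account)
    if change:
        changed_at, approved_by = change
        if wire.requested - changed_at < COOLING:
            reasons.append("cooling_period")
        if approved_by == wire.initiator:
            reasons.append("segregation_of_duties")
    if THRESHOLD * (1 - NEAR_BAND) <= wire.amount < THRESHOLD:
        reasons.append("near_threshold")
    # Earlier wires to the same account inside the window count toward a split.
    recent = [w.amount for w in history
              if w.account == wire.account
              and timedelta(0) <= wire.requested - w.requested <= SPLIT_WINDOW]
    if recent and wire.amount < THRESHOLD <= wire.amount + sum(recent):
        reasons.append("split_under_threshold")
    return reasons

if __name__ == "__main__":
    now = datetime(2026, 3, 13, 9, 0)   # constructed sample data
    wire = Wire("ACCT-NEW", 24_600, now, "alice", ("bob",))
    changes = {"ACCT-NEW": (now - timedelta(hours=6), "alice")}
    print(hold_reasons(wire, account_changes=changes))
```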
Technical Controls
- DMARC enforcement with a reject policy on your domain to prevent direct spoofing.
- Email authentication analysis. Forward suspicious invoices or payment change requests to scan@scamverify.ai for analysis against 8 million+ threat records.
- Lookalike domain monitoring. Track registrations of domains similar to your company name and your key vendors.
- Inbox rules monitoring. BEC attackers often create email forwarding rules to intercept communications. Audit inbox rules on finance team accounts regularly.
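The inbox-rule audit from the last bullet, as an added example that is not part of the original article: it scans an exported rule list for forwarding or redirect actions that send mail to addresses outside the organization. It assumes the rules were exported in the Microsoft Graph `messageRule` JSON shape; the sample rules and the `corp.example` domain are constructed.

```python
# Action keys from the Microsoft Graph messageRule resource that send mail elsewhere.
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
# Condition keys whose keywords show what mail a rule is aimed at.
KEYWORD_CONDITIONS = ("subjectContains", "bodyContains", "bodyOrSubjectContains")

def audit_rules(rules, org_domains):
    """Return one finding per rule that sends mail to an address outside org_domains."""
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        conditions = rule.get("conditions") or {}
        external = sorted({
            rcpt["emailAddress"]["address"].lower()
            for key in FORWARD_ACTIONS
            for rcpt in actions.get(key) or []
            if rcpt["emailAddress"]["address"].lower().rsplit("@", 1)[-1] not in org_domains
        })
        if not external:
            continue
        findings.append({
            "rule": rule.get("displayName", ""),
            "enabled": rule.get("isEnabled", True),
            "external": external,
            # Forwarding that also deletes or marks as read leaves no trace in the inbox.
            "hides_mail": bool(actions.get("delete") or actions.get("markAsRead")),
            "keywords": sorted(k for c in KEYWORD_CONDITIONS for k in conditions.get(c) or []),
        })
    return findings

# Constructed export of one finance mailbox's rules (not real data).
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news"]},
     "actions": {"moveToFolder": "folder-id-1"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["invoice", "wire"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "Archive@mail-backup.example"}}],
                 "markAsRead": True}},
    {"displayName": "To assistant", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "pa@corp.example"}}]}},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, {"corp.example"}):
        print(finding)
```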
Process Controls
- Vendor verification protocol. Any change to payment details must be confirmed through a pre-established secondary channel (phone number from original contract, not from the email).
- Invoice matching. Compare every invoice against purchase orders and receiving records. Fraudulent invoices often have subtle discrepancies in amounts, account numbers, or line items.
- Employee training. Every employee who handles financial transactions needs to understand BEC tactics. Train specifically on thread hijacking, since it bypasses the "check the sender address" advice.
When You Suspect BEC
- Stop the payment if it has not yet been processed.
- Contact your bank immediately if the wire was already sent. Wire recalls are possible within 24 to 72 hours.
- Preserve all email evidence. Do not delete or modify any messages.
- Forward the suspicious email to scan@scamverify.ai for analysis.
- File with FBI IC3 at ic3.gov. The FBI has a Recovery Asset Team that has successfully frozen fraudulent transfers.
- Notify your insurance carrier if you have cyber insurance.
FAQ
Why is the average BEC wire request exactly $24,600?
This amount is strategic, not random. Many organizations have escalated verification requirements for transfers above $25,000 or $50,000 (requiring additional approvers, phone confirmation, or management sign-off). By staying just below the $25,000 threshold, attackers maximize the dollar amount while minimizing the chance of triggering enhanced scrutiny. Some attackers split larger amounts into multiple requests that each fall below the threshold.
How can I tell a legitimate vendor payment change from a BEC attack?
You cannot reliably distinguish them by email alone, which is exactly why BEC works. The defense must be procedural: any change to payment routing requires verification through a pre-established secondary channel (a phone number from the original signed contract, a face-to-face confirmation, or a verified portal). Never confirm payment changes through the same email thread where the change was requested.
My company is small. Are we still a BEC target?
Small businesses are disproportionately targeted. Larger companies tend to have formal payment controls, segregation of duties, and security teams. Small businesses often have one person handling all financial operations with minimal verification procedures. The FBI reports that small businesses account for a significant portion of BEC losses precisely because they lack these controls.
Does BEC only affect wire transfers?
No. While wire transfers account for the highest dollar losses, BEC also targets ACH payments, check fraud (redirecting mailed checks), payroll diversion (changing direct deposit accounts), gift card purchases (typically lower amounts), and data theft (W-2 forms, customer databases). The 71% of organizations reporting payments fraud includes all of these vectors.
How does forwarding to scan@scamverify.ai help with BEC specifically?
ScamVerify analyzes the email headers, sender domain, embedded links, and content patterns against 8 million+ threat records. For BEC, the system checks whether the sender domain matches known impersonation infrastructure, whether the email authentication (SPF/DKIM/DMARC) indicates spoofing, and whether the content matches manipulation patterns seen across 684,045 FTC impersonation complaints. This catches BEC emails that pass standard email filters because they come from compromised legitimate accounts.
Received a suspicious invoice or payment request? Forward it to scan@scamverify.ai or paste the content at the ScamVerify email checker for analysis against 8 million+ threat records.