Business Email Compromise Statistics

15+ New Business Email Compromise Statistics for 2024

Published on: December 3, 2023
Last Updated: December 3, 2023

15+ New Business Email Compromise Statistics for 2024

Published on: December 3, 2023
Last Updated: December 3, 2023

Cybersecurity is a hot topic in today’s world, leading to much research on business email compromise statistics (BEC).

Merely a small aspect of cybersecurity, compromised emails in the corporate world can lead to internal and external disasters.

Most of us have encountered this issue before, as 99% of the threats that reach our inboxes stem from email impersonation.

This resource will explore statistics on a social engineering and cybersecurity issue that’s becoming more problematic.

Key Statistics

  • 45% of all response-based threats are hybrid vishing attacks
  • Credential theft was the main type of email impersonation in Q1 of 2023
  • 95% of business email compromise losses were between $250 and $984,855
  • BEC attacks saw a surge of 81% in 2022
  • Between 2017 and 2019, BEC scams have caused at least $26 billion in losses
  • Almost 50% of all BEC attacks include spoofing an individual’s identity
  • 77% of all organizations dealt with BEC attacks in 2021
  • From 2017 to 2020, BEC scam attempts jumped from 9,708 to 17,607
  • BEC cybercrime operations account for roughly ⅓ of all cybercrime gains in 2021 ($2.4 billion)
  • Americans submitted 791,790 BEC complaints in 2020

Business Email Compromise Statistics: An Increasing Risk

Even though cybersecurity has been a known risk for decades, it’s more problematic than ever before.

This isn’t because there haven’t been any efforts to combat it, but technology has created a broad variety of cyber threats.

There’s plenty that individuals and businesses can do to protect their information, but BEC threats take advantage of more people every year.

Taking a glance at a few surface-level statistics can offer a general overview of the BEC situation in cybersecurity.

1. Hybrid Vishing Attacks

BEC

Known for utilizing phone numbers and the intellectual property of brands to swindle users.

Hybrid vishing attacks are some of the most common under the BEC umbrella, accounting for 45% of all reported response-based threats.

Some of these emails can be quite believable, as everything about them looks like it’s from the official brand.

In most cases, if you look a little deeper, you’ll find the emails may not come from an official company address

A few companies that have dealt with this particular issue before include PayPal, Norton, McAfee, and many others.

It’s pretty obvious why, but many hybrid vishing attacks are aimed at financial services and institutions.

In the event that someone falls for this scam, it usually involves calling a phone number.

At this point, the scammer can pursue identity theft or credit card fraud, for example.

(TripWire)

2. A Rise in Credential Theft

You always want to remember that BEC considers many different types of threats.

One that’s at the forefront of this conversion is credential theft.

Many organizations are seeing an increase in this issue, and it was the leading email impersonation threat for Q1 of 2023.

41% of all credential theft for this year has stemmed from the Microsoft O365 phish debacle.

This is just another influence in the direction and investment in cyber security.

Many organizations can’t afford the risk.

As cybercriminals get smarter about how they approach the situation, companies can’t be so lenient about how they handle personal and company data.

Unfortunately, our world is headed in a direction that’ll require multi-level security measures on all fronts. 

It’s simply one of the downsides associated with evolving technologies.

Hybrid vishing and credential theft aren’t the only BEC issues on the rise, as many scammers are starting to rely on the capabilities of generative AI.

(TripWire)

3. The Financial Loss is Staggering

While the security risks around personal information are an important focal point, the financial loss shouldn’t be ignored.

Data shows that 95% of losses related to BEC were between $250 and $984,855.

This data focuses specifically on 2021, and the figures definitely change quite a bit over time.

The financial loss is enough to catch the attention of almost anyone, as it can happen in the blink of an eye with the right type of scam.

In the chart below, you can see how financial loss has increased from 2015 to 2019.

This data comes from FBI reports, and you’ll find it shows a shocking change in just a short amount of time.

image 12

It’s evident that from 2018 to 2019, there was a significant jump in losses stemming from BEC.

Many corporations are scrambling to get ahead of the issue.

The reality here is that we can put security measures in place, but it won’t stop the occurrence of BEC threats.

Keep in mind that the chart above only considers reported losses.

There are plenty of other circumstances that are never reported.

This helps to provide a view of the sheer scale of the situation.

With cyber security threats only becoming more frequent and prevalent in today’s world, many companies are making use of BEC where they can.

(MailModo)

4. A Surge in BEC Attacks

Regardless of what security measures organizations have in place, the world is still seeing a surge in BEC attacks.

Of course, these are bound to be more common in certain parts of the world, but cybercriminals are getting a lot more confident.

In 2022, there was an 81% increase in BEC attacks, including a variety of different cyber threats.

Taking a look inside the corporate world, around 98% of employees failed to report threats. 

While you can assume some of that may be intentional, there’s also a learning gap with being able to recognize BEC attacks.

Everyone wishes we didn’t have to consider these issues, but we live in a technical world where cybercrime is happening all around us.

From business owners to employees and everyday people, many are still going through a learning curve on how to protect themselves from this type of cyber threat.

(SCMagazine)

5. Identity Spoofing

One of the most effective forms of a BEC attack starts with spoofing an individual’s identity.

This type of cybercrime isn’t necessarily new, but the landscape of it is changing before our eyes.

With multiple influences changing the way scammers approach BEC, people are encountering new scams all the time.

An angle of this that stands out is the increasing use of artificial intelligence.

With the right amount of data, scammers can mimic the voices and personalities of people.

Some brief research on Google will show you that this is an increasing problem.

Unfortunately, many people could be easily fooled by this, as they believe they’re talking to someone they know.

Sure, this may highlight some of the issues created by AI, but with the right training and awareness, you can protect yourself from any kind of BEC threat.

(IDAgent)

The Shock Factor Doesn’t Stop There

Everything mentioned so far about BEC statistics only touched on some of the most basic points on the topic. Business email compromise threats include a long list of detailed data points.

There’s a good chance you have interacted with a BEC threat before, even if you never recognized it.

The potential scale of damage from BEC attacks is largely fueling cybersecurity efforts.

By looking past the surface, you can gain a thorough understanding of the complications created by BEC threats and what can be done about them.

6. Most Organizations Encounter BEC Attacks

BEC

Even if you haven’t experienced it yourself, a majority of organizations encounter BEC attacks at some point in time. in 2021, around 77% of all organizations had to deal with at least one BEC attack.

This is an increase from 65% for the year before, highlighting an 18% difference.

If this increase comes from just a year’s time, then you can imagine what the next decade might look like.

This isn’t the only type of cyber attack plaguing the corporate world, but it’s one of the most common.

Although there are many different forms of professional communication nowadays, emailing still leads the pack.

Unless prevention measures become much more thorough in the next few years, BEC attacks are likely to become more common.

This isn’t to say that every BEC threat is successful, but it can be tiring having to deal with them all the time.

(VentureBeat)

7. Global Seen BEC Scam Attempts

The keyword for this section is “seen,” as many BEC scams are never engaged in the first place.

On a global scale, between the years 2017 and 2020, the number of seen BEC scam attempts jumped from 9,708 to 17,607. 

There wasn’t much change between 2018 and 2019, but once 2020 rolled around, the height of Covid likely had something to do with the spike in BEC scams.

In the chart below, you can get a more detailed look at how BEC scam attempts increased globally between 2017 and 2020.

image 13

Now that Covid has died down quite a bit, there’s a good chance these numbers have fluctuated some in recent years.

Nevertheless, the rise in BEC scam attempts is alarming.

This has both the corporate world and individuals on their toes when it comes to interacting with brands via email.

(Statista)

8. BEC is a Large Chunk of All Cybercrime Gains

There are many different types of cybercrime we all have to look out for.

A majority, if not all, are pursued with the intent of making some kind of money.

Whether it’s stealing money directly or selling personal information, cybercrime is an extremely profitable industry.

In 2021, global BEC operations brought in roughly $2.4 billion, about a third of the total global cybercrime gains of around $6.9 billion for that year.

Even with law enforcement and the FBI trying to tackle the situation, BEC remains one of the most profitable types of cybercrime.

Keep in mind that these figures consider only the BEC crimes that are reported.

They don’t account for the many damaging cyber crimes that go unreported.

For a little more perspective, the amount of money BEC brought in throughout 2021 is 49 times higher than what ransomware attacks did for that year ($49.2 million).

All in all, BEC attacks are something that shouldn’t be taken lightly, even if you have the discernment to avoid their email tricks.

(SCMagazine)

9. Hundreds of Thousands of Complaints

Solely looking at the American demographic, hundreds of thousands of BEC scam complaints came from the American public during 2020.

Once again, a direct result of the chaos that came from the pandemic, Americans submitted 791,790 complaints in 2020 alone.

This is a 69% increase from the previous year and has definitely caught the attention of authorities.

It’s not that this issue wasn’t receiving any attention before, but it’s pretty close to getting out of hand.

This figure is only considering the American demographic when the scale of BEC scams is almost unfathomable from a global perspective.

BEC is the most common source of cybercrime.

The table below highlights some of the top sources of cybercrime in 2021 and the total financial loss they caused.

Type of CybercrimeFinancial Loss (2021)
BEC$2,395,953,296
Investment$1,455,943,193
Confidence/Romance Fraud$956,039,740
Personal Data Breach$517,021,289
Real Estate/Rental Scam$350,328,166

While there are plenty of other scams to be worried about, there’s no doubt that BEC reigns supreme.

There are quite a few reasons for this, but the reality is that it’s one of the easiest scams to execute on a consistent basis.

(MailModo/IDAgent)

10. BEC Attempts Get Personal

You might be wondering how someone could possibly fall for a BEC scam.

Some might think that they’d immediately be able to recognize a fake email, but this isn’t always the case.

BEC scams can be very elaborate and believable for a number of reasons.

Here are a few examples of how someone could fall for a BEC attempt:

  • 68% of BEC scams involve spoofing the identity of an organization
  • 66% of BEC scams address the target by their name
  • 53% utilize a boss’ or executive’s identity

Scammers utilize many ways to get into their target’s head.

While this clearly doesn’t work on everyone, in the scammer’s mind, it’ll eventually work on someone.

They’re right from this perspective, as there are still many people who fall for BEC scams on a daily basis.

(IDAgent)

Notable Statistics on Business Email Compromise Scams

Once you realize the full depth of this issue with BEC scam attempts, you’ll understand why it’s getting so much attention.

As it was said earlier, even if you don’t recognize it, there’s a high chance you’ve interacted with BEC scams numerous times.

Once you realize the email is a scam, you simply delete it and think nothing of it.

However, in some cases, all it takes is the mistake of clicking on the wrong prompt, and your personal information could be compromised. 

In the following sections, we’ll review several statistics on BEC that are less common focal points regarding the topic.

This will help to provide a more thorough understanding of the nuances of the situation.

11. The Biggest BEC Scam in History

BEC

There are too many BEC scams to actually keep track of them all, but there have been a few throughout history that have been record-breaking.

The VEC attack against the likes of Google and Facebook sits at the top spot for the biggest BEC scam in history.

It ended up resulting in $121 million in losses between the two.

While many people will argue it could have been entirely avoided, there’s only a bit of truth to this.

Conglomerates like Facebook and Google are expected to have the best security measures possible, but modern BEC scams can’t be avoided 100% of the time.

All it takes is to trick the right person, and the whole BEC operation can quickly become a success.

Nevertheless, Google and Facebook definitely learned from this issue, and this is exactly how we formulate awareness and new security measures moving forward.

Now, compared to total losses stemming from BEC scams, that $121 million is only a fraction of the real damage they cause. 

(MailModo)

12. BEC Doesn’t Only Affect Fiat Currency

In today’s world, cryptocurrency is a more common topic of conversation.

Almost everyone you know has either heard of it or invested in it themselves.

Business email compromise scams have found their way to crypto as well, and this isn’t just a recent concern; it has been going on for years.

BEC scams involving cryptocurrency caused an all-time financial loss high in 2021, amounting to roughly $40 million.

Due to cryptocurrency’s anonymous nature, it has been a common target for BEC scams and cyber attacks of many kinds.

Innovative new ways will always be found to secure our personal information.

However, we will never see a time when these types of scams come to a complete halt.

The best we can do is focus on security measures and awareness so more people can catch these scams before it’s too late.

(IDAgent)

13. The Most Profitable Year for BEC Scams

Covid brought scammers out of the woodwork, as there was a long list of reports of many types of cybercrimes.

In 2020, BEC scams had their most profitable year and raked in more money than any other type of cyber threat.

By the end of 2020, BEC scams had brought in around $1.8 million alone.

This sizable uptick definitely includes many people and organizations who were scammed, more than likely pertaining to Covid-related scams.

Another factor that played into this is that many more people were spending time online, as most of the world was forced into lockdown.

Overall, you’ll find numerous angles that play into that $1.8 million, but it shows how common BEC scams are.

It also shows just how many people are still susceptible to such a simple yet effective cyber threat.

(MailModo)

14. Losses Aren’t Always Recovered

You might think there’s enough financial infrastructure in place for individuals and businesses to recoup losses from BEC scams, but this isn’t always the case.

That doesn’t mean you shouldn’t do anything if you get scammed, but sometimes, you may never see that money again.

Based on the most recently available data, 14% of these scams in the U.S. never lead to a recovery of those losses.

While financial institutions have many security measures in place to help recover lost funds, there’s a lot to consider in the fine print.

No matter how you spin it, BEC scams make it difficult to find your way back.

Moreover, it can compromise many aspects of your personal information, not just financial.

Financial institutions are well aware of BEC scams, but you can’t assume they’ll always be able to recover your losses.

This is another reason security measures are so vital, and due diligence can go a long way. 

(MailModo)

15. BEC vs. Ransomware

What makes cyber threats so difficult to navigate is that there are so many kinds to consider.

Ransomware has also been around for a long time.

Historically, ransomware has gotten much more public attention than BEC.

However, according to the FBI Internet Crime Complaint Center, BEC scams are 64 times more damaging for businesses than ransomware attacks.

This notion alone should shift the narrative of the types of cyber crimes businesses and individuals should be aware of.

Regardless of how far along BEC data has come, there are billions of people across the world who aren’t even aware of the issue.

Many of us would agree this isn’t anything new, but to get ahead of the problem, awareness has to outpace the damage BEC scams cause.

This is merely a comparison with ransomware, and you’re bound to find similar data points when compared to other types of cyber crimes.

(IDAgent)

The Bottom Line

You may have never suffered from a BEC scam before, and at this point, you should consider yourself lucky.

This type of cyber threat is becoming increasingly common with each passing year.

Simply being aware of the issue will better prepare you to avoid this common scam in a medium that you likely interact with on a daily basis.

This article highlights many shocking data points surrounding business email compromise statistics to help spread awareness about a growing global cybercrime.

Sources

TripwireMailmodoSCmagazine
IDagentVentureBeatProofpoint
Statista

Stay on top of the latest technology trends — delivered directly to your inbox, free!

Subscription Form Posts

Don't worry, we don't spam

Written by Trevor Cooke

Trevor Cooke is an accomplished technology writer with a particular focus on privacy and security. He specializes in topics such as VPNs, encryption, and online anonymity. His articles have been published in a variety of respected technology publications, and he is known for his ability to explain complex technical concepts in a clear and accessible manner.