Business Email Compromise (BEC) Statistics
Reported losses and complaint volumes for business email compromise fraud, drawn from FBI IC3 annual reports.
Last reviewed: 1 June 2026
Business email compromise (BEC) is a sophisticated scam in which criminals impersonate executives, suppliers, or business partners to trick organisations into transferring funds or disclosing sensitive information. Attacks typically involve spoofed or compromised email accounts.
The FBI's Internet Crime Complaint Center (IC3) publishes the most widely cited official figures on BEC losses. These figures cover only incidents reported to the IC3 and therefore represent a floor on actual losses rather than an estimate of the total. BEC is unusual among fraud types in that it disproportionately affects businesses and organisations rather than individual consumers, and individual incidents often involve very large sums.
Key figures
- Reported BEC losses (US, FBI IC3): Nearly $2.8 billion in 2024 across 21,442 complaints. Source: FBI IC3 2024 Annual Internet Crime Report (2024)
- BEC losses as share of total IC3-reported losses: Approximately 17% of the $16.6 billion in total IC3 losses in 2024. Source: FBI IC3 2024 Annual Internet Crime Report (2024)
- Cumulative BEC losses reported over three years (US): Nearly $8.5 billion reported to IC3 between 2022 and 2024. Source: FBI IC3 2024 Annual Internet Crime Report (2024)
Key takeaways
- According to the FBI IC3, BEC caused nearly $2.8 billion in reported losses in 2024 — the second-largest loss category after investment fraud.
- Despite generating the second-highest dollar losses, BEC was only the seventh most frequently reported crime to the IC3 in 2024, reflecting the high value of individual incidents.
- Nearly $8.5 billion in BEC losses was reported to the IC3 over the three years from 2022 to 2024.
- BEC attacks typically involve impersonating executives, vendors, or payroll contacts via spoofed or compromised email.
- Businesses should treat any unexpected payment request or change-of-bank-details email as high-risk, regardless of apparent sender.
Frequently asked questions
What makes BEC different from ordinary phishing?
BEC is highly targeted. Criminals research a specific organisation and impersonate a known individual — typically a CEO, CFO, or trusted supplier — to authorise a specific payment or data transfer. Generic phishing casts a wide net; BEC is precision fraud aimed at one victim at a time.
Why is BEC so costly compared to its complaint volume?
Individual BEC incidents often involve large business payments — sometimes hundreds of thousands of dollars. The FBI IC3 notes that BEC was the seventh most reported crime but the second-costliest, reflecting the scale of individual transactions targeted.
Why do BEC figures vary between sources?
The FBI IC3 captures only incidents reported to it by US victims. Many incidents are reported internally by organisations, to insurers, or to other agencies. International BEC figures from Europol and other bodies use different definitions and time frames, so comparisons should be made with care.
What should a business do if it suspects a BEC attempt?
Stop the payment immediately if possible, contact your bank's fraud team, and report to the FBI's IC3 at ic3.gov. The FBI's Recovery Asset Team (RAT) can sometimes assist in halting or reversing wire transfers if notified quickly.