BEC statistics 2025 from the FBI’s IC3 Annual Report reveal a crisis-level threat: $3,046,598,558 in verified losses from just 24,768 complaints — making business email compromise the second-most financially devastating cybercrime in the United States. Every figure below comes directly from that official report.
Business email compromise is the second-most financially damaging cybercrime in the United States. According to the FBI’s 2025 Internet Crime Complaint Center (IC3) Annual Report, BEC generated $3,046,598,558 in verified losses — from just 24,768 complaints. Every statistic in this post comes directly from that report, publicly available at ic3.gov.
How Much Money Does Business Email Compromise Steal Each Year?
Business email compromise caused $3,046,598,558 in reported losses in the United States in 2025, making it the second-highest crime type by financial loss according to the FBI’s IC3 2025 Annual Report. Only investment fraud ($8.64 billion) caused more losses.
$3 billion from 24,768 complaints works out to roughly $123,000 per incident on average. Phishing and spoofing generated 191,561 complaints in 2025 — nearly eight times more than BEC — but BEC produced 14 times more in total losses. Criminals have optimized for high-value single targets rather than scale.
- $3,046,598,558 in BEC losses reported to IC3 in 2025
- 24,768 BEC complaints filed with IC3 in 2025
- ~$123,000 average loss per BEC complaint
- $20.877 billion total cybercrime losses in 2025 — a 26% year-over-year increase
How Common Is Business Email Compromise?
The FBI IC3 received 24,768 BEC complaints in 2025. Cybercrime researchers consistently estimate that only a fraction of BEC incidents are ever reported — meaning actual BEC occurrence is substantially higher than official data reflects.
The IC3 crossed one million total complaints for the first time in 2025 (1,008,597 reports). BEC accounted for roughly 2.5% of complaints but nearly 15% of all reported financial losses.
Is Business Email Compromise Getting Worse?
Yes. Total IC3 losses in 2025 reached $20.877 billion — a 26% increase from 2024’s $16.6 billion. BEC has maintained its position as a top-two crime type by financial loss for multiple consecutive years.
Cloud-based email platforms have standardized the attack surface. Remote work eliminated in-person verification that once disrupted wire fraud. AI tools have increased the quality and personalization of impersonation content.
How Does BEC Rank Among All Cybercrimes?
By financial loss, BEC ranks second among all crime types tracked by the FBI IC3 in 2025, behind only investment fraud.
- Investment fraud: $8,648,617,756
- Business Email Compromise: $3,046,598,558
- Tech/Customer Support fraud: $2,134,675,818
- Personal Data Breach: $1,314,923,988
- Confidence/Romance fraud: $929,287,469
How Does BEC Money Actually Move?
According to the 2025 IC3 report, 86% of BEC-related financial losses were reported as occurring through wire transfer or ACH transactions.
This wire transfer dominance explains why BEC response time is measured in hours, not days. The FBI’s IC3 Recovery Asset Team works through a Financial Fraud Kill Chain process that can intercept funds — but only when complaints are filed quickly enough.
What Does the IC3 Report Say About AI in BEC?
The 2025 IC3 report flagged 22,364 AI-related complaints with $893 million in losses. AI is being used to generate convincing phishing content, synthesize voice for vishing attacks, and automate reconnaissance for targeted BEC campaigns.
Can You Recover Money Lost to BEC?
Recovery is possible but time-sensitive. The FBI’s IC3 Recovery Asset Team can initiate holds on receiving accounts — but this requires victims file an IC3 complaint promptly with complete wire transfer details. After funds move from the initial receiving account, recovery probability drops sharply.
File at ic3.gov, contact your bank’s fraud department, and engage a private BEC investigation firm — all simultaneously, not sequentially.
Key BEC Statistics from the FBI IC3 2025 Annual Report
- $3,046,598,558 in BEC losses in 2025 — second only to investment fraud
- 24,768 BEC complaints filed (a fraction of estimated actual incidents)
- 86% of BEC losses moved via wire transfer or ACH
- $20.877 billion in total IC3 losses — 26% increase from 2024
- 1,008,597 total complaints — first time IC3 surpassed one million
- 22,364 AI-related crime complaints with $893 million in losses
Frequently Asked Questions
What is business email compromise (BEC)?
Business email compromise is a cybercrime in which attackers impersonate trusted individuals — executives, vendors, or attorneys — via email to trick employees into executing fraudulent wire transfers or disclosing sensitive data. BEC does not always require technical system compromise; many attacks rely entirely on social engineering.
How does BEC differ from phishing?
Phishing is broad-based and targets large numbers of recipients with generic messages. BEC is targeted and research-driven — attackers study specific organizations, identify key individuals, and craft personalized messages impersonating known, trusted parties. BEC is generally higher-value, higher-effort, and higher-impact than generic phishing.
How do I report business email compromise?
File a complaint at ic3.gov immediately. Include the receiving bank name and account number, exact wire amount and transfer date, all email addresses involved, and a brief narrative of how the fraud occurred. Ask specifically about the IC3 Recovery Asset Team and Financial Fraud Kill Chain process.
Is BEC covered by cyber insurance?
Many cyber insurance and crime insurance policies include coverage for BEC and social engineering fraud, but coverage terms vary. Some require specific endorsements. Notify your insurance carrier promptly after discovery — late notification can affect coverage.
How long does it take to recover from a BEC attack?
Wire fund recovery is typically possible only within the first 24 to 72 hours. Investigation and legal proceedings can extend over months to years. Operational recovery — restoring security controls and conducting training — typically takes weeks to months.
If your organization has been targeted by BEC, time is critical. Rexxfield has operated as a cybercrime investigation firm since 2008, working alongside the FBI, Homeland Security, and international partners on BEC cases. Contact us for emergency BEC triage or learn more about our BEC investigation services.
Source: FBI Internet Crime Complaint Center (IC3) 2025 Annual Report
