Executive Summary
The findings in this report come from the results of active defense engagements with BEC threat actors. Every month, Fortra Intelligence & Research Experts (FIRE) conducts hundreds of these engagements to collect comprehensive intelligence about BEC tactics and trends to help better understand how the BEC threat landscape is evolving.
The primary findings for January 2026 detailed in this report include the following:
• During January 2026, FIRE observed a decrease of 31% in overall attack volume in comparison to the prior month.
• Gift cards were the most common cash-out method in January, accounting for 54.9% of all cash-out methods.
• Apple Store was the most requested of all gift card types, making up 48.1% of total gift card requests.
• FIRE identified 9 cryptocurrency-related scams and recorded 6 unique wallets used by scammers.
• The average amount requested from BEC wire transfer attackers was $33,857 in January compared to $51,291 in December 2025.
• 73% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 27% of attacks sent from maliciously registered domains.
BEC Attack Trends
During the month of January 2026, FIRE observed a decrease of 31% in overall attack volume in comparison to the prior month.
In January 2026, gift cards remained the most prevalent BEC cash-out method, accounting for 54.9% of all attacks, followed by advanced fee frauds (22.0%) and wire transfers (13.5%).
Gift Cards
During January, Apple Store gift cards were the most frequently requested by BEC attackers, representing 48.1% of all gift card requests. Other commonly requested gift cards included Amazon (22.2%) and Razer (7.4%).
Cryptocurrency
FIRE identified 9 cryptocurrency-related scams during January, involving 6 unique Bitcoin wallet addresses. The requested amounts ranged from 500.00 BTC to 2,200.00 BTC, with an average request of 1,382.44 BTC.
Analysis of the most active wallet (1F8Dbkde7F9VszJqR3MFRnj36w2F1XBYaZ) revealed one transaction, with 0.01 BTC received (approximately $505.50 USD). Across all identified wallets, scammers received a total of approximately $505.50 USD.
BEC Wire Transfers
Wire transfer attacks decreased by 51% during January 2026 compared to December 2025. The average amount requested per wire transfer attack was $33,857 in January, representing a decrease of 34% from the previous month's average of $51,291.
Analysis of requested amounts showed that 21% of wire transfer requests were under $10,000, while 75% fell between $10,000 and $50,000. Requests between $50,000 and $100,000 accounted for 3%, and 0% exceeded $100,000.
The most common bank types used for wire transfer mule accounts were specialty banks (33.0%), regional US banks (23.0%), and major US banks (7.0%).
BEC Payroll Diversions
During January 2026, the most common bank types used for payroll diversion mule accounts were specialty banks (12.0%), online banks (8.0%), and regional US banks (6.0%).
The top banks used in payroll diversion attacks during January included Green Dot/Go2Bank (26%), SoFi Bank (21%), and First National Bank Texas (8%), among 38 total banks identified.
BEC Infrastructure
In January 2026, 73% of BEC attacks were sent from free webmail providers, while 27% originated from maliciously registered domains. The use of free webmail decreased compared to 66% in December 2025.
Among registered domain providers, Google was the most prevalent, accounting for 63% of the 1,013 maliciously registered domains identified, followed by Microsoft and Verizon Media.
For free webmail providers, the top three services used were NameSilo, Squarespace, and NameCheap, collectively representing 55% of all free webmail-based attacks.
BEC Attack Locations
Geographic analysis of BEC attacks during January 2026 revealed that the United States was the primary source, accounting for 46% of all attacks, followed by Nigeria with 28%.
¹ Attacker locations are identified from IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.