Table of Contents
Executive Summary
Fortra Intelligence & Research Experts identified a notable increase in Business Email Compromise (BEC) attacks in April 2025, with a 5% rise in attack volume compared to the month prior. This trend is concerning, as BEC attacks continue to evolve and become more sophisticated.
The most common cash-out method in April was gift cards, representing 33.7% of all methods used by scammers. Additionally, cryptocurrency scams were a significant concern, with FIRE identifying 55 scams involving 51 unique wallets used by scammers during the month.
The rise in wire transfer attacks was another notable trend in April 2025. Scammers averaged $81,091 per attack, an increase of 12% from the previous month's average. The most common institutions targeted for payroll diversions were specialty banks, comprising 50.0% of all cases in April. Furthermore, 77% of BEC attacks originated from free webmail providers, while only 23% came from maliciously registered domains.
Here are the key findings:
• BEC attack volume increased by 5% in April 2025 compared to the month prior.
• Gift cards were the most common cash-out method in April 2025.
• FIRE identified 55 cryptocurrency scams with 51 unique wallets used by scammers during the month.
• The average amount requested in wire transfer attacks was $81,091 in April 2025, an increase of 12% from March 2025.
• Specialty banks were the most common institutions used for payroll diversion scams in April 2025.
• 77% of BEC attacks were sent from free webmail providers compared to 23% from maliciously registered domains during April.
• United States was identified as the primary location for BEC threat actors in April 2025, with 35% of attacks originating from this region.
BEC Attack Trends
During the month of April 2025, the ACID team observed an increase of 5% in overall attack volume in comparison to the prior month.
Gift cards were the most common cash out method (33.7%), followed by advanced fee frauds (20.0%), payroll diversions (6.9%), credential phishing (3.4%), cryptocurrency (3.0%), wire transfers (1.5%), and vishing (0.6%). Thirty-one percent of the attacks in April 2025 requested various other types of payments.
Cryptocurrency
Throughout the month of April, FIRE identified 55 cryptocurrency-related scams and recorded 51 unique wallets used by scammers. The average amount requested by scammers during April was $7,266.02, with requests ranging from a minimum of $300.00 to a maximum of $12,000.00.
Among the 51 wallets collected, FIRE identified the wallet with the highest total USD value received. Wallet ID: 1Gcpk3gmSCZDdihRp3Kc5HAsHoBcNhzXTQ recorded a total of six transactions and received approximately 0.06 BTC, equivalent to $5,893.54. This illustrates why cryptocurrency-related scams remain common, as they continue to result in significant financial gains for scammers.
BEC Wire Transfers
Wire transfer BEC attacks decreased by 4% in April (see Figure 2).
The average amount requested from BEC wire transfer attackers was $81,091 in April compared to $72,396 in March 2025, an increase of 12%. During the month of April, 9% of wire transfer BEC attacks requested less than $10,000, while 64% of wire transfer BEC attacks requested between $10,000 and $50,000. For the other 27% of wire transfer BEC attacks, 9% requested between $50,000 and $100,000 and 18% requested more than $100,000.
During the month of April 2025, international (non-US) banks proved to be the most common institutions of choice for wire transfer scammers, comprising 8.0% of the total. This type of bank was followed by major US banks (6.0%), specialty banks (5.0%), regional US banks (3.0%), credit unions (3.0%), and online banks (2.0%).
BEC Payroll Diversions
During the month of April 2025, specialty banks proved to be the most common institutions of choice for payroll diversion scammers, comprising 50.0% of the total. This type of bank was followed by regional US banks (24.0%), major US banks (22.0%), online banks (19.0%), credit unions (6.0%), and international (non-US) banks (6.0%).
BEC Infrastructure
For the month of April, 77% of BEC attacks were sent from email addresses hosted on free webmail providers, compared to 23% from maliciously registered domains. This represents a change from March 2025 when 74% of attacks were sent from email addresses hosted by free webmail providers.
Among the 1,306 free webmail accounts used by scammers, Google was the most common provider, making up 76% of all free webmail accounts used. Other popular providers included Microsoft, Verizon Media.
BEC Attack Locations
United States was the primary location¹ linked to BEC threat actors in April, with nearly 35% of all BEC actors originating from United States-based IP addresses. Nigeria was next, with 33% of the total attackers located there.
¹ Attacker locations are identified IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.
Cybercrime Intelligence Shouldn't Be Siloed
Fortra® experts are dedicated to protecting organizations and the public by delivering the latest insights, data, and defenses to strengthen security against emerging cyber threats.
