BEC Global Insights Report: April 2026

Executive Summary

The findings in this report come from the results of active defense engagements with BEC threat actors. Every month, Fortra Intelligence & Research Experts (FIRE) conducts hundreds of these engagements to collect comprehensive intelligence about BEC tactics and trends to help better understand how the BEC threat landscape is evolving.

The primary findings for April 2026 detailed in this report include the following:

• During April 2026, FIRE observed an increase of 151% in overall attack volume in comparison to the prior month.
• Advanced fee frauds was the most common cash-out method in April, totaling 26.8% of all cash-out methods.
• Apple Store was the most requested of all gift card types, making up 54.9% of total gift card requests.
• FIRE identified 45 cryptocurrency-related scams and recorded 32 unique wallets used by scammers.
• The average amount requested from BEC wire transfer attackers was $60,723 in April compared to $47,652 in March 2026.
• 57% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 43% of attacks sent from maliciously registered domains.

BEC Attack Trends

During the month of April 2026, FIRE observed an increase of 151% in overall attack volume in comparison to the prior month.
 

In April 2026, Advanced fee frauds remained the most prevalent BEC cash-out method, accounting for 26.8% of all attacks, followed by gift cards (26.4%) and wire transfers (22.5%).

Gift Cards

During April, Apple Store gift cards were the most frequently requested by BEC attackers, represen6ng 54.9% of all gift card requests. Other commonly requested gift cards included Amazon (26.4%) and Sephora (7.7%).

Cryptocurrency

FIRE identified 45 cryptocurrency-related scams during April, involving 32 unique Bitcoin wallet addresses. The requested amounts ranged from $800.00 to $2,766,345.32, with an average request of $85,542.30.

BEC Wire Transfers

Wire transfer attacks increased by 262% during April 2026 compared to March 2026. The average amount requested per wire transfer attack was $60,723 in April, representing an increase of 27% from the previous month's average of $47,652.

Analysis of requested amounts showed that 14% of wire transfer requests were under $10,000, while 73% fell between $10,000 and $50,000. Requests between $50,000 and $100,000 accounted for 8%, and 5% exceeded $100,000.

The most common bank types used for wire transfer mule accounts were major US banks (57.0%), specialty banks (45.0%), and regional US banks (41.0%).

BEC Payroll Diversions

During April 2026, the most common bank types used for payroll diversion mule accounts were specialty banks (44.0%), regional US banks (26.0%), and online banks (25.0%).

The top banks used in payroll diversion attacks during April included Green Dot/Go2Bank (27%), SoFi Bank (11%), and Chase (5%), among 133 total banks identified.

BEC Infrastructure

In April 2026, 57% of BEC attacks were sent from free webmail providers, while 43% originated from maliciously registered domains. The use of free webmail increased compared to 37% in March 2026.

Among registered domain providers, Google was the most prevalent, accounting for 63% of the 840 maliciously registered domains identified, followed by Microsoft and 11 Mail Media Inc.

For free webmail providers, the top three services used were NameSilo, Porkbun, and Squarespace, collectively representing 39% of all free webmail-based attacks.

BEC Attack Locations

Geographic analysis of BEC attacks during April 2026 revealed that Nigeria was the primary source, accounting for 36% of all attacks, followed by United States with 34%.

¹ Attacker locations are identified IP addresses collected by beacons that are inserted into our communications with BEC actors. IP addresses that are overtly associated with VPNs or other proxies are removed from this dataset; however, there is still a possibility that a device associated with an IP address could be used as a proxy in other ways, so the location (particularly for those outside West Africa) cannot be deemed completely definitive.